Privacy Policy
Last updated: April 10, 2026
This Privacy Policy describes how MailFellow ("we," "us," or "our") collects, uses, stores, and protects information when you use our email collaboration platform at mailfellow.com and any related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- Your name and email address
- Password (stored as a salted, one-way hash; we never store plaintext passwords)
- Profile picture URL (if provided via OAuth)
- Billing and subscription details
1.2 Email Data
When you connect an email account (Gmail, Microsoft Outlook, or IMAP/SMTP), we access and store:
- Email metadata: sender name, sender email address, recipient addresses, subject lines, timestamps, message identifiers, and thread identifiers
- Email body content (plain text and HTML) for forwarding, preview, and platform delivery
- Email snippets and conversation threads
- Attachment metadata and file content uploaded through the Service
1.3 OAuth and Access Tokens
We store OAuth access tokens and refresh tokens to maintain connectivity with your email provider (Google, Microsoft) and messaging platforms (Slack, Discord). All tokens are encrypted at rest using AES-256-GCM with PBKDF2-derived keys.
1.4 Platform Integration Data
When you connect a messaging platform, we store:
- Slack: Bot token, team ID, team name, channel ID, workspace ID (obtained via per-account OAuth)
- Discord: Guild ID, channel ID, webhook credentials (bot added via OAuth invite flow)
- Telegram: Chat ID, bot interaction data
- WhatsApp: Phone number ID, access token, webhook verification token
- Microsoft Teams: App ID, tenant configuration
- Mattermost: Webhook URL, bot token, channel configuration
1.5 AI Processing Data
If you enable AI features (email categorization, automatic replies, translation), portions of your email content (subject lines and body text) are sent to third-party AI providers for processing. Currently supported providers include OpenAI and Anthropic. Your AI API key, selected provider, and model preferences are stored encrypted. We do not use your email content to train AI models. Third-party AI providers process data under their own data processing agreements and do not retain your data for model training when accessed via their API.
1.6 Automatically Collected Information
- Session data: We use a secure, HTTP-only session cookie (__Host-mailfellow-session) to maintain your login session. This cookie is strictly necessary for the Service to function and cannot be opted out of. Sessions expire after 30 minutes of inactivity.
- Analytics: We use Google Tag Manager to collect anonymized usage data such as page views, page paths, and browser type. No personally identifiable information is sent to analytics services.
- Audit logs: We log security-relevant actions (logins, setting changes, data exports, account deletions) for security and compliance purposes.
- Server logs: Standard web server logs including IP addresses, request timestamps, and user agent strings. These are used for security monitoring and debugging only.
1.7 Third-Party Email Sender Data
The Service processes emails sent to your connected email account by third parties (your customers, contacts, etc.). This means we process their names, email addresses, and message content on your behalf. You are the data controller for this data, and we act as a data processor. You are responsible for ensuring you have the appropriate legal basis to process your contacts' data through our Service.
1.8 CSAT Survey Data
If you enable customer satisfaction (CSAT) surveys, we send survey emails to your email contacts on your behalf. We collect and store CSAT scores (1-5 rating) linked to specific email threads. The survey recipient's email address and response are stored to provide you with customer satisfaction metrics.
2. How We Use Your Information
We use collected information exclusively to:
- Provide the core Service: fetching emails from your provider, forwarding them to your chosen messaging platform, and sending replies on your behalf
- Enable AI-powered features when activated by you: email categorization, automatic replies, language detection, and translation
- Send CSAT surveys and aggregate satisfaction data on your behalf
- Generate automated reports and daily digests as configured by you
- Enforce SLA tracking and send breach/warning notifications to your team
- Maintain account security: session management, brute-force protection (account lockout after failed login attempts), and audit logging
- Send transactional emails: onboarding, password resets, account notifications
- Process billing and manage subscriptions
- Improve and maintain the Service (aggregated, non-personal analytics only)
We do not use your data for advertising, marketing profiling, or selling to third parties.
3. Third-Party Services and Sub-Processors
To deliver the Service, your data may be shared with the following categories of third-party providers. We ensure each sub-processor maintains adequate data protection standards:
| Category | Providers | Data Shared |
|---|---|---|
| Email Providers | Google (Gmail API), Microsoft (Outlook/Graph API) | OAuth tokens for email access; email content is fetched from and sent through these providers |
| Messaging Platforms | Slack, Discord, Telegram, WhatsApp (Meta), Microsoft Teams, Mattermost | Email content forwarded to your selected platform; reply content received from platform |
| AI Providers | OpenAI, Anthropic | Email subject and body text (only when AI features are enabled by you) |
| Analytics | Google Tag Manager | Anonymized page view data (no PII) |
| Infrastructure | Cloud hosting provider, PostgreSQL database | All Service data (encrypted at rest and in transit) |
We do not sell, rent, or trade your personal information to any third party for any purpose.
4. Data Retention
- Email content: Automatically purged 90 days after receipt. Active email threads in use are retained until the 90-day window expires.
- Audit logs: Retained for a minimum of 365 days for security and compliance purposes. This period may be extended via account settings.
- Email previews: Expired previews are automatically deleted during daily maintenance.
- Password reset tokens: Expired and used tokens are purged daily.
- Orphaned attachments: Files no longer linked to any email are removed during daily cleanup.
- Account data: Retained for the lifetime of your account. Upon account deletion, all associated data is permanently and irreversibly removed (see Section 6).
5. Data Security
- All data in transit is protected by TLS/HTTPS encryption
- Sensitive credentials (OAuth tokens, bot tokens, API keys) are encrypted at rest using AES-256-GCM with PBKDF2 key derivation
- Passwords are stored using industry-standard one-way hashing (bcrypt)
- Session cookies use the __Host- prefix (requiring the Secure flag and no Domain attribute), HttpOnly, and SameSite=Lax attributes to prevent session hijacking and CSRF attacks
- CSRF protection is enforced on all state-changing requests
- Account lockout is enforced after repeated failed login attempts
- Rate limiting is applied to prevent abuse
- We conduct regular security reviews of our codebase and infrastructure
6. Your Rights
Depending on your jurisdiction (including under GDPR, CCPA, KVKK, and similar regulations), you have the following rights:
6.1 Right to Access
You can view all data associated with your account through the Service dashboard at any time.
6.2 Right to Data Portability
You can export all your data in machine-readable JSON format via Settings > Export Data. This includes your account information, emails, contacts, blocks, VIP lists, canned responses, routing rules, automation settings, and audit logs.
6.3 Right to Erasure (Right to Be Forgotten)
You can permanently delete your account and all associated data via Settings > Delete Account. Deletion is immediate, irreversible, and covers: all emails, attachments, account configurations, platform integrations, canned responses, routing rules, VIP contacts, block lists, and audit logs. A tombstone record (containing no personal information) is retained solely to document that a deletion occurred.
6.4 Right to Rectification
You can update your account information (name, email, password) through the Service at any time.
6.5 Right to Restrict Processing
You may disconnect your email provider or messaging platform at any time to stop data processing while retaining your account.
6.6 Right to Object
You may object to any processing activity by contacting us. We will cease processing unless we have compelling legitimate grounds.
6.7 Consent Tracking
We record when you consent to this Privacy Policy and which version you consented to. You may withdraw consent at any time by deleting your account.
7. International Data Transfers
Your data may be processed in countries outside your jurisdiction. When this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms as required by applicable law.
8. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information promptly.
9. Data Controller and Processor Roles
Your account data: MailFellow is the data controller for your account registration data, billing information, and Service usage data.
Email content: You are the data controller for the email content processed through the Service (emails from your customers/contacts). MailFellow acts as a data processor, processing this data solely on your instructions to deliver the Service. If you require a formal Data Processing Agreement (DPA), please contact us.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will also notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related inquiries, data protection requests, or to exercise any of your rights:
- Email: privacy@mailfellow.com
- For general support: support@mailfellow.com
We will respond to all data protection requests within 30 days.