Privacy Policy

Privacy notice

What we collect, why we collect it, how long we keep it, and how to exercise your rights. No dark patterns, no third-party ad networks.

Last updated · 2026-05-26

1. Data we collect

We collect only what is necessary to run the service.

Account — email address, hashed password, name, organization, OAuth identifiers if you sign in with GitHub.
Billing — plan tier, last-four digits of payment method, subscription state. Card numbers are handled by our payment processor; we never see or store them.
Sending metadata — sender, recipient, message ID, send time, bounce / complaint / open / click events.
Message content — only retained transiently for retry on failure. Logs strip the body within 24 hours.
Operational data — IP at signup and sign-in (for fraud + abuse), browser user-agent, request timing.

2. Why we collect it

To provide the service (deliver mail, render the dashboard, bill for usage), to investigate abuse and protect deliverability, to respond to support requests, and to comply with legal obligations. We do not sell personal data. We do not use it to train AI models.

3. Who we share it with

We share data only with the subprocessors listed below, each under a written data-processing agreement and only to the extent needed for them to deliver their service.

ProviderRoleRegion

Amazon Web ServicesApplication hosting + databaseUS

PolarSubscription billingUS / EU

PostmarkOutbound system mail (receipts, alerts)US

VercelStatic site + edge runtimeUS / EU

Google Analytics 4Aggregated traffic measurementUS

We will update this list before adding a new subprocessor and give customers an opportunity to object.

4. Retention

Account — retained while the account is active.
Event logs (bounces, complaints, opens, clicks) — 90 days, then aggregated and deleted.
Message bodies — purged within 24 hours of delivery.
Billing records — retained for the period required by tax law (typically 7 years).
After deletion — account data is hard-deleted 30 days after account closure. Backups are encrypted and rotate out within 90 days.

5. Your rights

You have the right to access, export, correct, and delete the personal data we hold about you, and to object to or restrict processing. EU/UK/EEA residents also have the right to lodge a complaint with their supervisory authority. Exercise these from /dashboard/settings or by emailing privacy@finketech.com. We respond within 30 days.

6. Cookies & analytics

We use essential cookies for sign-in and CSRF protection. We use Google Analytics 4 with Consent Mode v2 set to defaults-denied — only aggregate, cookieless pings are sent until you explicitly grant analytics consent. No ad networks. No cross-site trackers.

7. Security

All traffic is TLS-encrypted in transit. Data at rest is encrypted with provider-managed keys. Passwords are stored as salted bcrypt hashes. Access to production is restricted to a small set of named employees and audit-logged. We disclose security incidents affecting personal data within 72 hours.

8. Contact

Data Protection contact: privacy@finketech.com. For GDPR-specific requests, see our GDPR page. For security disclosures, see /contact.

SESMetric is a product of Finke Technologies, Inc.