Privacy Policy

Last updated: 2026-06-25

1. Introduction

Spamless.dev, a service of Codius Kft. (“we”, “our”, or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose information when you use our email spam filtering and security platform. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Hungarian data-protection law. For business customers, processing of customer email is further governed by our Data Processing Agreement.

2. Information We Collect

2.1 Email Data

To provide our filtering and security services, we process incoming email messages that flow through our platform. This includes email headers (sender, recipient, subject, date), message body content, attachments, and metadata. This data is processed in real time to detect spam, phishing, malware, and other threats. We retain email content only as necessary for quarantine, analysis, and audit purposes.

2.2 Account and Contact Information

When you create an account or contact us, we collect your name, email address, company name, and other information you provide. Payment is handled by our processor (Stripe); we do not store card numbers.

2.3 Usage and Log Data

We collect information about how you use our Service, including API requests, admin panel activity, IP addresses, browser type, device information, and timestamps. We use this to improve our Service, detect abuse, and troubleshoot issues.

3. Legal Bases for Processing

We rely on the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for, including filtering and billing.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, and improve detection, balanced against your rights.
  • Consent (Art. 6(1)(a)) — for optional monitoring cookies; you may withdraw it at any time.
  • Legal obligation (Art. 6(1)(c)) — where retention or disclosure is required by law.

4. How We Use Your Information

  • Provide, operate, and maintain our email filtering and security services
  • Detect and block spam, phishing, malware, and other email threats
  • Manage quarantine, release requests, and feedback for false positives
  • Authenticate users, enforce access control, and process subscriptions
  • Improve our detection algorithms and service performance
  • Send administrative notices, security alerts, and support communications
  • Comply with legal obligations and enforce our Terms

5. Data Retention

We retain email data according to our retention policies and your plan settings. Quarantined messages are typically stored for a configurable period (e.g., 7–30 days) unless released or deleted earlier. Traffic, delivery, and audit logs may be retained longer for security and compliance. Account and contact information is retained while your account is active and for a reasonable period thereafter to meet legal obligations.

6. Data Sharing and Sub-processors

We do not sell your personal information. We share data only with vetted sub-processors who process it on our behalf under GDPR Art. 28 contracts, or where legally required. The current list of sub-processors (hosting, payments, threat intelligence, monitoring) is in our Data Processing Agreement. We may also disclose data to comply with law or in a business transfer.

7. Data Security

We implement industry-standard measures: encryption in transit (TLS) and at rest, least-privilege access controls, secrets management, audit logging, and regular review. Our primary infrastructure is hosted within the EU (AWS, Ireland). No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

8. International Data Transfers

Primary processing takes place within the EU. Where a sub-processor processes data outside the EEA, we rely on adequacy decisions or the European Commission’s Standard Contractual Clauses (SCCs) with supplementary safeguards.

9. Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. To exercise these rights, contact privacy@spamless.dev or our data protection contact at dpo@spamless.dev.

You also have the right to lodge a complaint with your local data protection authority. In Hungary this is the National Authority for Data Protection and Freedom of Information (NAIH), 1055 Budapest, Falk Miksa utca 9-11. — see our Imprint.

10. Cookies and Tracking

We use strictly necessary storage for authentication and security, and — only with your consent — monitoring technology (Sentry) to detect errors. We do not use advertising or cross-site tracking. You set your preference in the cookie banner and can change it any time. Details are in our Cookie Policy.

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or our data practices:

Email: privacy@spamless.dev
Data Protection: dpo@spamless.dev