Privacy Policy
Last updated: 2026-06-25
1. Introduction
2. Information We Collect
2.1 Email Data
To provide our filtering and security services, we process incoming email messages that flow through our platform. This includes email headers (sender, recipient, subject, date), message body content, attachments, and metadata. This data is processed in real time to detect spam, phishing, malware, and other threats. We retain email content only as necessary for quarantine, analysis, and audit purposes.
2.2 Account and Contact Information
When you create an account or contact us, we collect your name, email address, company name, and other information you provide. Payment is handled by our processor (Stripe); we do not store card numbers.
2.3 Usage and Log Data
We collect information about how you use our Service, including API requests, admin panel activity, IP addresses, browser type, device information, and timestamps. We use this to improve our Service, detect abuse, and troubleshoot issues.
3. Legal Bases for Processing
We rely on the following GDPR legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for, including filtering and billing.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, and improve detection, balanced against your rights.
- Consent (Art. 6(1)(a)) — for optional monitoring cookies; you may withdraw it at any time.
- Legal obligation (Art. 6(1)(c)) — where retention or disclosure is required by law.
4. How We Use Your Information
- Provide, operate, and maintain our email filtering and security services
- Detect and block spam, phishing, malware, and other email threats
- Manage quarantine, release requests, and feedback for false positives
- Authenticate users, enforce access control, and process subscriptions
- Improve our detection algorithms and service performance
- Send administrative notices, security alerts, and support communications
- Comply with legal obligations and enforce our Terms
5. Data Retention
6. Data Sharing and Sub-processors
We do not sell your personal information. We share data only with vetted sub-processors who process it on our behalf under GDPR Art. 28 contracts, or where legally required. The current list of sub-processors (hosting, payments, threat intelligence, monitoring) is in our Data Processing Agreement. We may also disclose data to comply with law or in a business transfer.
7. Data Security
8. International Data Transfers
9. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. To exercise these rights, contact privacy@spamless.dev or our data protection contact at dpo@spamless.dev.
You also have the right to lodge a complaint with your local data protection authority. In Hungary this is the National Authority for Data Protection and Freedom of Information (NAIH), 1055 Budapest, Falk Miksa utca 9-11. — see our Imprint.
10. Cookies and Tracking
11. Children's Privacy
12. Changes to This Policy
13. Contact Us
For questions about this Privacy Policy or our data practices:
Email: privacy@spamless.dev
Data Protection: dpo@spamless.dev