Privacy Policy

Last updated: April 20, 2026 · Effective: April 20, 2026

This Privacy Policy describes how SendMesh L.L.C. ("SendMesh", "we", "us") collects, uses, discloses, and protects Personal Data in connection with the SendMesh email infrastructure service at sendmesh.co (the "Service").

01 Scope and Roles

This Policy applies to: (a) visitors to our websites at sendmesh.co and app.sendmesh.co; (b) Customers who create an account; and (c) Recipients of email sent through the Service by our Customers. In the context of Customer email sending, the Customer is the "Controller" and SendMesh is the "Processor" as those terms are defined under the EU General Data Protection Regulation (GDPR) and the UK GDPR. The processing relationship is further governed by our Data Processing Agreement (see Section 11).

02 Personal Data We Collect

From Customers (Account Data)

  • Name, business name, and work email address provided at sign-up.
  • Phone number and timezone (optional, for support and scheduled sending).
  • Billing address, tax ID, and invoice history (payment card details are handled exclusively by Stripe and never transit or are stored in SendMesh infrastructure).
  • Authentication data: bcrypt-hashed password, TOTP secret (encrypted), active session tokens.
  • API Keys: secret keys are bcrypt-hashed (12 rounds) at rest; public keys are stored in plaintext.

From Customers (Content)

  • Recipient email addresses, names, and any metadata the Customer attaches (tags, custom fields, list membership).
  • Email subject lines and body content (HTML, plain-text, and attachments).
  • Template content, campaign configurations, automation flows, and webhook endpoint URLs and signing secrets.
  • Domain configuration and DNS verification records.

Automatically (Technical / Usage Data)

  • IP address, user-agent string, and device fingerprint of API requests and Dashboard sessions (retained 90 days for rate-limiting and abuse detection).
  • Request path, HTTP method, response status, latency, and server-assigned Request ID.
  • Delivery events: SMTP response codes, bounce reasons, complaint notifications, open events (via tracking pixel), click events (via link rewriting), unsubscribe events.
  • Aggregate usage counts: emails sent, API calls, storage footprint, queue depth.

We do NOT collect: racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, sexual orientation, or criminal history. SendMesh is not designed for "special category" data under GDPR Article 9 and Customer should not transmit such data through the Service.

03 Legal Bases for Processing (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): Processing necessary to provide the Service, bill Customers, deliver email, and respond to support requests.
  • Legitimate interests (Art. 6(1)(f)): Preventing fraud and abuse, improving Service reliability, securing our infrastructure, and responding to security incidents. Customers and Recipients may object at privacy@sendmesh.co.
  • Legal obligation (Art. 6(1)(c)): Complying with law enforcement requests, tax record-keeping, and retention of suppression-list records.
  • Consent (Art. 6(1)(a)): Optional marketing emails from SendMesh about the Service (opt-in at sign-up; revocable at any time via the unsubscribe link).

04 How We Use Personal Data

  • Operate the Service: accept API requests, enqueue messages, send via AWS SES, track delivery, and store logs.
  • Authenticate users, enforce per-account rate limits, and detect unusual activity.
  • Bill Customers and process refunds or service credits.
  • Respond to support tickets and compliance requests (e.g., GDPR subject access).
  • Send transactional service notifications (account activity, security alerts, billing, incident communications).
  • Aggregate anonymized data to monitor platform health, improve deliverability, and publish platform-level metrics (e.g., blog stats). Anonymized data does not permit identification of any individual.
  • Comply with legal and regulatory obligations, defend claims, and enforce our Terms.

We do NOT sell Personal Data. We do NOT use Customer Content to train artificial intelligence, machine learning, or large language models. We do NOT permit third parties to use Customer Content for such purposes.

05 Data Security

We implement layered technical and organizational security controls:

  • Encryption at rest: Email content, Recipient data, and webhook secrets are encrypted with AES-256-GCM using AWS KMS–managed keys rotated annually.
  • Encryption in transit: All external connections require TLS 1.2 or higher. HTTP is rejected; HTTPS is enforced via HSTS (max-age 2 years).
  • Credential protection: Passwords are hashed with bcrypt (12 rounds). Secret API keys are stored as bcrypt hashes — even SendMesh staff cannot retrieve the plaintext after creation.
  • Access control: Role-based access with least-privilege IAM. Production access requires MFA. All administrative access is logged to an append-only audit log retained two (2) years.
  • Network isolation: Production databases sit in private subnets with no public IP. Connections originate only from authorized ECS tasks in the same VPC.
  • Vulnerability management: Continuous dependency scanning (npm audit, Dependabot), container image scanning, and an annual penetration test by an independent third party.
  • Log sanitization: Automated PII redaction removes email addresses, API keys, and other sensitive fields before logs reach long-term storage.
  • Incident response: Documented incident runbook. Customers will be notified without undue delay (and in any event within seventy-two (72) hours where GDPR Article 33 applies) of any confirmed breach affecting their Personal Data.

Compliance status. SendMesh is pursuing SOC 2 Type II attestation covering Security, Availability, and Confidentiality. Current audit progress and most-recent Type I observation report are available to qualified enterprise Customers under NDA by emailing compliance@sendmesh.co. SendMesh maintains an ISMS aligned with ISO/IEC 27001 principles and operates on SOC 2–attested infrastructure (AWS).

06 Data Retention

Data Type | Retention
Email content (body, subject, HTML) | 30 days (plan-configurable up to 12 months)
Send metadata (recipient, status, events) | 7 days to 2 years by plan tier
Aggregated analytics (no PII) | Indefinite
Contact records | Until deletion by Customer or account termination
Suppression list (hashed emails) | Indefinite (legal requirement)
Audit logs (administrative actions) | 2 years
Webhook delivery logs | 7 days
IP address logs (rate limiting) | 90 days
Backup snapshots | 90 days (point-in-time recovery)
Billing records | 7 years (tax law requirement)

Upon account termination, Customer Content is retained for a thirty (30) day grace period during which export is available via the Data Export API. After the grace period, Customer Content is deleted from primary storage within fourteen (14) days, with backup media purged according to the backup retention cycle (maximum ninety (90) days).

07 Data Subject Rights

Depending on your jurisdiction, you may have the following rights concerning your Personal Data:

  • Access (GDPR Art. 15 / CCPA §1798.100): Receive a copy of the Personal Data we hold about you.
  • Rectification (GDPR Art. 16): Correct inaccurate or incomplete Personal Data.
  • Erasure (GDPR Art. 17 / CCPA §1798.105): Request deletion of your Personal Data, subject to legal retention obligations.
  • Restriction (GDPR Art. 18): Ask us to pause processing of your Personal Data.
  • Portability (GDPR Art. 20): Receive your Personal Data in a structured, machine-readable format (JSON).
  • Objection (GDPR Art. 21): Object to processing based on legitimate interests.
  • Withdrawal of consent: Where processing is based on consent, withdraw consent at any time.
  • Non-discrimination (CCPA §1798.125): Exercise your rights without retaliation.
  • Lodge a complaint: With a supervisory authority (e.g., your national Data Protection Authority).

To exercise these rights, Customers can use the self-service Compliance API (documented at sendmesh.co/docs/api) or email privacy@sendmesh.co. We will respond within thirty (30) days (extendable by sixty (60) days for complex requests, with notice). We verify identity before releasing or deleting data.

If you are a Recipient of email sent through SendMesh by one of our Customers, your primary point of contact for data subject rights is that Customer (the Controller). We will forward such requests to the Customer or assist the Customer in fulfilling them.

08 Sub-Processors

SendMesh uses the following sub-processors to provide the Service. Each is bound by a written data processing agreement requiring security and confidentiality obligations no less protective than those in this Policy.

Sub-Processor | Purpose | Location
Amazon Web Services, Inc. | Infrastructure (ECS, RDS, ElastiCache, S3), email delivery (SES) | United States (us-east-1, us-west-2)
Stripe, Inc. | Payment processing (card data never transits SendMesh infrastructure) | United States / EU
Sentry | Error monitoring (PII redacted before transmission) | United States / EU
Plausible Analytics | Privacy-respecting website analytics (no cookies, no PII) | European Union

We will provide thirty (30) days' notice by email to the Customer account administrator before engaging a new sub-processor. Customers may object to a new sub-processor for legitimate data protection reasons; if we cannot accommodate the objection, the Customer may terminate the affected Service without penalty.

09 International Data Transfers

Personal Data may be transferred to and processed in countries other than the one in which it was collected, including the United States, where AWS data centers are located, and the European Union. For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) issued by the European Commission (Decision 2021/914) for EU → US/other transfers.
  • UK International Data Transfer Addendum to the EU SCCs for UK transfers.
  • Swiss Federal Data Protection and Information Commissioner (FDPIC) recognition of SCCs for Swiss transfers.
  • Supplementary technical measures (encryption at rest and in transit, pseudonymization, access logging) and organizational measures (zero-trust access, minimum-necessary processing).

A Transfer Impact Assessment (TIA) is maintained and available under NDA. Customers requiring data residency in the EU may request configuration of their account for EU-only processing; contact compliance@sendmesh.co.

10 Cookies and Tracking

The SendMesh website and Dashboard use only strictly-necessary cookies required for authentication and session management. We do not use advertising cookies, social media pixels, or third-party tracking beacons. Analytics are collected via Plausible, which does not use cookies or collect Personal Data.

Tracking pixels in Customer email. Customers may enable open-tracking and click-tracking on a per-campaign basis. When enabled, a 1×1 pixel and rewritten links may be inserted into outgoing email. This tracking is performed at the Customer's direction; SendMesh is the Processor. Customers are responsible for disclosing such tracking to their Recipients where required by applicable law.

11 Data Processing Agreement (DPA)

For Customers processing Personal Data of EU, UK, or Swiss data subjects (or where otherwise required), SendMesh provides a Data Processing Agreement that incorporates the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and commitments aligned with GDPR Article 28.

The SendMesh DPA covers: (a) scope and duration of processing; (b) nature and purpose of processing; (c) categories of Personal Data and data subjects; (d) Customer obligations as Controller; (e) SendMesh obligations as Processor including confidentiality, security, sub-processor management, audit rights, breach notification, and data return/deletion; (f) international transfer safeguards; and (g) liability allocation.

Request the DPA: Email compliance@sendmesh.co with subject line "DPA Request" and your account email. We return a countersignable PDF within two (2) business days. Once countersigned by both parties, the DPA is incorporated by reference into our Terms of Service and governs the processing relationship.

12 Children's Privacy

The Service is not directed at children under the age of sixteen (16), and we do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to SendMesh, please contact privacy@sendmesh.co for prompt deletion.

13 California Privacy Rights (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to know the categories and specific pieces of Personal Data collected.
  • Right to delete Personal Data, subject to legal exceptions.
  • Right to correct inaccurate Personal Data.
  • Right to opt out of the "sale" or "sharing" of Personal Data (SendMesh does not sell or share Personal Data as those terms are defined under CCPA).
  • Right to limit use of sensitive Personal Data (SendMesh does not process sensitive Personal Data as defined under CPRA).
  • Right to non-discrimination for exercising CCPA rights.

To exercise CCPA rights, email privacy@sendmesh.co from the address associated with your account. Authorized agents may submit requests on your behalf with verifiable written permission.

14 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be notified by email to the account administrator at least thirty (30) days before the effective date. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.

15 Contact and Data Protection Officer

For privacy inquiries, data subject rights requests, or to contact our Data Protection Officer, please use the following addresses:

General privacy: privacy@sendmesh.co
DPA / Compliance: compliance@sendmesh.co
Security incidents: security@sendmesh.co
SendMesh L.L.C.
Dubai, United Arab Emirates

EU/EEA data subjects may also contact their local supervisory authority. A list of authorities is available at edpb.europa.eu.