Privacy Policy

This Privacy Policy explains how rootmail (“rootmail,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal data when you visit our website, create an account, or use our email-infrastructure services (collectively, the “Services”). It applies to personal data for which we act as a controller — primarily data about our customers and website visitors.

When you send email through the Services to your own recipients, you act as the controller of that data and we act as your processor; that relationship is governed by our Data Processing Addendum (“DPA”), not this Policy.

1. Information we collect

• Account & identity data — name, email address, organization name, hashed authentication credentials, and multi-factor settings.
• Billing data — plan, subscription status, usage counts, and payment metadata. Card details are collected and stored by our payment processor (Stripe), not by us.
• Customer content — templates, messages, contacts, sub-tenant configuration, and recipient data you submit. We process this on your behalf under the DPA.
• Usage & device data — API requests, delivery and engagement events, log files, IP address, browser/device information, and approximate location derived from IP.
• Cookies — strictly-necessary cookies (e.g. an httpOnly session cookie for the dashboard). We do not use advertising cookies.

2. How and why we use personal data

We use personal data to:

• provide, operate, secure, and improve the Services and their deliverability;
• authenticate users and protect accounts;
• meter usage, process payments, and bill your plan;
• detect, prevent, and investigate fraud, abuse, and security incidents;
• provide support and send service and transactional notices; and
• comply with legal obligations and enforce our agreements.

Where the GDPR or similar laws apply, our legal bases are: performance of a contract (providing the Services), legitimate interests (securing and improving the Services, preventing abuse), consent (where required, e.g. certain communications), and compliance with a legal obligation.

3. How we share personal data

We do not sell personal data and do not share it for cross-context behavioral advertising. We disclose personal data only to:

• Sub-processors that help us run the Services, each under a written contract with confidentiality and security obligations — see Section 4;
• professional advisers (e.g. auditors, lawyers) under confidentiality;
• authorities where required by law, or to protect our rights, users, or the public; and
• a successor entity in connection with a merger, acquisition, or asset sale, subject to this Policy.

4. Sub-processors

We rely on the following sub-processors to deliver the Services:

• Amazon Web Services, Inc. — cloud hosting, storage (S3), and email delivery (SES). United States.
• Stripe, Inc. — payment processing and subscription billing. United States.
• Anthropic, PBC — AI features (template drafting and the assistant), where you use them. United States.

The current list is maintained in our DPA. We notify customers of material changes so they may object as provided there.

5. International transfers

We and our sub-processors may process personal data in the United States and other countries. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.

6. Data retention

We retain account and content data for as long as your account is active and as needed to provide the Services. After account closure we delete or anonymize personal data within a reasonable period (generally 90 days), except where longer retention is required for legal, accounting, dispute-resolution, or security purposes. You can export or delete account data at any time (Section 7).

7. Your rights and choices

Depending on your location, you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to processing, and to withdraw consent. California residents may request to know, delete, and correct personal information, and to opt out of “sale”/“sharing” (which we do not do); we will not discriminate for exercising these rights.

• Self-serve: export your account data with GET /v1/account/export and delete your organization from the dashboard or with DELETE /v1/account.
• By request: email privacy@rootmail.io. We respond within the timeframes required by applicable law and may need to verify your identity.

If you are in the EEA/UK, you may also lodge a complaint with your local data-protection authority.

8. Security

We protect personal data with encryption in transit, hashed credentials and API keys, least-privilege and workspace-scoped access, signed and idempotent webhooks, and append-only audit logging. See our security overview. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you of incidents as required by law.

9. Children

The Services are not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.

10. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “last updated” date and, for material changes, provide additional notice (e.g. by email or in-app).

11. Contact us

For privacy questions or to exercise your rights, contact privacy@rootmail.io. For data we process on your behalf, see the DPA.