Legal · Privacy

Privacy policy

Last updated June 6, 2026 GDPR & CCPA aligned
Draft.  This policy is being prepared for Mailement's public V2 launch and should be reviewed by a qualified attorney before relied upon for legal compliance. The shape and clauses below are typical for a SaaS newsletter platform; the specifics may need adjustment for your jurisdiction.
We collect what's needed to deliver your newsletters and nothing more. No ad networks. No resale. No model training. If something here surprises you, please write to us at hello@mail.mailement.com.

01Who we are

Mailement is operated by David Brundige (the "controller" for purposes of GDPR). For privacy questions, write to hello@mail.mailement.com. Postal mail can be addressed to 4428 Young Drive, Montrose, CA 91020, USA.

02What we collect

Two categories of data:

  • Account data — your name, email, hashed password, billing address (if you pay), and the brands you've set up in your workspace.
  • Subscriber data — the contact records you import or capture through your signup forms, plus per-issue engagement (delivered, opened, bounced, complained, unsubscribed).

We also keep server logs (IP address, user agent, request path, timestamp) for up to 30 days for security and abuse prevention. We don't collect browsing history, location traces, or device fingerprints.

03How we use it

To deliver your campaigns, show you analytics, prevent abuse, and provide support when you ask for it. We never use your data, or your subscribers' data, for advertising, list rental, or model training.

04Lawful bases

Under GDPR, the lawful bases we rely on are:

  • Contract — to provide the service you signed up for.
  • Legitimate interests — to keep the service running securely, detect abuse, and improve the product, balanced against your privacy rights.
  • Legal obligation — for tax records, lawful requests from authorities.
  • Consent — for anything outside the above, in which case we ask you first and you can withdraw at any time.

05Subscriber data

Subscribers belong to you. We act as a processor on your behalf — we don't independently market to them, we don't merge their data with anyone else's, and we don't share it with third parties for their own marketing purposes. If a subscriber asks us to remove their data, we'll forward the request to you within seven days and, in parallel, honor any direct deletion request they make under applicable law.

06Who can see it

You and the teammates you invite. Our operator (David) only when you raise a support ticket or when investigating an abuse report, and every administrative read is logged. We do not sell, rent, or share data with advertisers.

07Subprocessors

We use a small set of well-known vendors to run the service. The current list:

  • DreamHost — application and database hosting (United States).
  • Resend — transactional and bulk email delivery (United States, EU regions as configured).
  • Cloudflare — DNS and edge protection (global).

We'll email all customers at least 30 days before adding a new subprocessor.

08International transfers

Mailement is operated from the United States. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data-transfer rules, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (or equivalent safeguards) with our subprocessors where required.

09Retention

Account data is kept while your account is active and for 30 days after you close it, to allow restore. Subscriber data and campaign analytics are kept until you delete them or the account is closed, whichever comes first. Billing records are retained for seven years to satisfy tax law. Server logs are kept for up to 30 days.

10Your rights

Depending on where you live, you may have the right to access, correct, export, restrict the processing of, object to processing of, or delete the personal data we hold about you. You may also have the right to lodge a complaint with a supervisory authority. To exercise any of these rights, write to hello@mail.mailement.com — we acknowledge within three business days and aim to resolve within 30 days.

11Cookies

The app uses one first-party session cookie to keep you signed in and a single localStorage flag for your theme preference. We use no third-party advertising or analytics cookies. The marketing site does not set tracking cookies. Email tracking pixels are first-party and used only to count opens of your own sends; we don't share that data with third parties.

12Children

Mailement is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn that we've collected such data without verifiable parental consent, we will delete it. Parents who believe their child has provided us with personal data may contact us at hello@mail.mailement.com.

13Security

Passwords are stored as bcrypt hashes. Connections to the app are TLS-encrypted. Sessions use HttpOnly, Secure, SameSite=Lax cookies, with CSRF tokens on every state-changing form. We monitor for unusual access patterns and rate-limit signup forms to deter abuse. No system is perfectly secure, but we treat protection of your data as a first-order concern.

14Changes

We may update this policy when our practices, vendors, or applicable law changes. Material changes are announced by email at least 30 days before they take effect, and the "Last updated" date above is always accurate. Continued use of Mailement after a change takes effect constitutes acceptance of the revised policy.

15Contact & complaints

For any privacy question or to exercise a right, email hello@mail.mailement.com. If you are not satisfied with our response, you may file a complaint with your local data-protection authority (for the EU/EEA) or with your state attorney general's office (for the US).

Got a privacy question or request?
Email hello@mail.mailement.com. We aim to reply within three business days.