EuroMail ("we", "us", "our") Effective Date: 2026-02-18 Last Updated: 2026-02-18
This Privacy Policy describes how EuroMail collects, uses, and protects personal data when you use our transactional email service. We are committed to GDPR compliance and EU data residency.
1. Data Controller
EuroMail acts as the data controller for account and billing data, and as the data processor for email content sent through the service on behalf of our customers.
Contact:
- Email: [email protected]
- Address: [Company address, Finland]
2. Data We Collect
2.1 Account Data (Controller)
When you create an account, we collect:
- Email address - for authentication and service communications
- Password - stored as an argon2 hash (we never store plaintext passwords)
- Billing email - for invoicing (if different from account email)
- Stripe customer ID - to manage your subscription
2.2 API Usage Data (Controller)
When you use our API, we collect:
- API key prefix - for authentication (full keys are hashed with argon2)
- Request metadata - IP address, timestamp, endpoint, response code
- Audit logs - account changes, domain additions, API key creation/revocation
2.3 Email Data (Processor)
When you send emails through EuroMail, we process on your behalf:
- Sender and recipient addresses
- Email subject and body content
- Attachments (temporarily, for delivery)
- Template data (variables used for template rendering)
- Delivery events - queued, delivered, bounced, complained, opened, clicked
We act as a data processor for this data under Article 28 of the GDPR. See our Data Processing Agreement for full terms.
2.4 Automatically Collected Data
- Server logs - IP addresses, request timestamps, user agent
- Performance metrics - anonymized, aggregated service metrics
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) | Data |
|---|---|---|
| Provide the service | Contract performance (Art. 6(1)(b)) | Account data, email data |
| Process payments | Contract performance (Art. 6(1)(b)) | Billing email, Stripe customer ID |
| Prevent abuse | Legitimate interest (Art. 6(1)(f)) | IP addresses, rate limit data |
| Service communications | Contract performance (Art. 6(1)(b)) | Account email |
| Security monitoring | Legitimate interest (Art. 6(1)(f)) | Audit logs, server logs |
We do not:
- Sell your data to third parties
- Use email content for advertising or profiling
- Train AI/ML models on your email content
- Transfer data outside the EU/EEA (see Section 5)
4. Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Email body content | 30 days (configurable) | Delivery verification and troubleshooting |
| Email metadata | 6 months (configurable) | Delivery reporting and analytics |
| Bounce/suppression records | Duration of account | Deliverability management |
| Audit logs | 12 months | Security and compliance |
| Account data | Duration of account + 30 days | Service provision |
| Server logs | 90 days | Security monitoring |
| Billing records | 7 years | Finnish accounting law (Kirjanpitolaki) |
Email body content is automatically deleted after 30 days. Email metadata is retained for 6 months.
5. Data Residency and Transfers
All data is stored and processed within the European Union, specifically in Finland (UpCloud fi-hel1 datacenter in Helsinki).
We do not transfer personal data outside the EU/EEA. Our subprocessors are also EU-based or, where not, covered by EU Standard Contractual Clauses (see Section 8).
6. Your Rights (GDPR Articles 15-22)
As a data subject, you have the right to:
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Dashboard settings or GET /v1/account |
| Data portability (Art. 20) | GET /v1/account/export (machine-readable JSON) |
| Rectification (Art. 16) | Dashboard settings or contact us |
| Erasure (Art. 17) | DELETE /v1/account or contact us |
| Restrict processing (Art. 18) | Contact [email protected] |
| Object to processing (Art. 21) | Contact [email protected] |
| Withdraw consent | Contact [email protected] |
| Lodge a complaint | Finnish Data Protection Ombudsman (tietosuoja.fi) |
We respond to all data subject requests within 30 days.
For data export, the GET /v1/account/export endpoint provides all account data in JSON format. This includes account details, domains, templates, webhooks, suppressions, and email metadata (but not email body content, which is subject to retention limits).
7. Security Measures
We implement the following technical and organizational measures:
- Encryption in transit - TLS for all API connections, STARTTLS for SMTP
- Encryption at rest - PostgreSQL with encrypted storage volumes
- Password hashing - argon2 with per-user salts
- API key security - SHA-256 prefix lookup, argon2 full key hashing, constant-time comparison
- Access control - Tenant isolation, per-account data separation
- CSRF protection - Double-submit cookie pattern on dashboard
- Security headers - CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- Webhook signatures - HMAC-SHA256 with timestamp validation
- Audit logging - All account changes logged with timestamps
- Rate limiting - Multi-layer protection against abuse
- Vulnerability management - Automated dependency auditing via
cargo audit
8. Subprocessors
We use the following subprocessors:
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| UpCloud Ltd | Infrastructure hosting (compute, database, Redis) | Finland (Helsinki) | EU company, GDPR compliant |
| Stripe, Inc. | Payment processing | USA | EU SCCs, PCI DSS Level 1 |
| GitHub, Inc. | Source code hosting, CI/CD | USA | EU SCCs |
We notify customers of changes to subprocessors via email to the account address. Customers may object to new subprocessors as described in our DPA.
9. Cookies
The EuroMail dashboard uses the following cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
session | Session authentication | Browser session | Strictly necessary |
csrf_token | CSRF protection | Browser session | Strictly necessary |
We do not use analytics cookies, tracking cookies, or third-party cookies.
10. Children's Privacy
EuroMail is a B2B service and is not directed at individuals under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify account holders via email at least 30 days before material changes take effect.
12. Contact
For privacy inquiries, data subject requests, or complaints:
- Email: [email protected]
- Supervisory authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi