Privacy Policy

For information you provide to us directly — for example, your account email address, billing details, support correspondence, and analytics about how you use the Platform — we are the “controller” (in GDPR terms) and the “business” (in CCPA/CPRA terms) of that information.

When you use the Service to receive, forward, or send email for your domains, the content and metadata of those messages may contain personal information about you and about your correspondents. With respect to that “Customer Email”, you are the controller (or business) and we are the “processor” (or service provider). We process Customer Email solely to deliver the Service in accordance with our Terms, our Data Processing Addendum, and your reasonable instructions.

You are responsible for providing any required notices to your correspondents and, where applicable, obtaining their consent, complying with anti-spam laws (CAN-SPAM, CASL, GDPR Article 6/7), and honoring opt-outs. We process Customer Email on your behalf and will not use it for our own purposes.

When you create an account, we collect:

• Your email address (required for login and service notifications).
• A salted, hashed password (we never store, log, or transmit your plaintext password; we use industry-standard adaptive hashing).
• A unique numeric account identifier we assign.
• Optional profile metadata you choose to provide (display name, time zone).
• Multi-factor authentication factors, if you enable them (e.g., a TOTP secret or WebAuthn public key — never your authenticator app device data or private key).

• Domain names you add to your account.
• DNS verification tokens we issue and check, and the DNS records you publish to prove ownership.
• Per-domain DKIM keys we generate and rotate (we hold the private keys; the public keys are published in your DNS).
• Aliases (e.g., hello@yourdomain.com) you create on your domain, the destination address each alias forwards to, and per-alias SMTP credentials you generate for Gmail Send-As.

When the Service routes a message — inbound to your verified domain or outbound via your alias — we receive, briefly hold, transform, and transmit the message. That message may include any of the following: envelope sender and recipient addresses, message headers (Subject, From, To, Cc, Reply-To, Message-ID, timestamps, routing trace), the message body (text/HTML/attachments), and any personal information any party chose to include. We treat all such content as “Customer Email”. See Section 6 for our specific commitments around Customer Email.

Generated by the Service as you use it:

• Message-level metadata: per-message timestamps, byte size, success / failure status, bounce and complaint codes, and the alias and account that owns each message. We do not retain the message body in operational logs.
• Counters: messages received, forwarded, and sent per alias / per account, in rolling windows, used to enforce plan limits.
• Reputation events: hard bounces, soft bounces, spam complaints, DSNs, and the auto-suspension state that follows from them.
• Audit events: account creation, login, password change, domain add/remove, alias change, billing change, suspension, and similar security-relevant actions.

Paid plans are billed through Stripe. We store your Stripe customer identifier, subscription identifier, plan name, billing cycle, and the masked metadata Stripe returns to us (card brand, last four digits, expiration month / year, postal code, country). We do not see, store, or transmit your full card number, CVC, or full bank account number.Stripe handles those directly under its PCI-DSS attestation. Stripe’s own privacy practices govern that data; review them at stripe.com/privacy.

• Server logs of API and dashboard requests: timestamp, request path, response status, request identifier, and the IP address that issued the request. Production logs are kept for a short rolling window (typically 30 days) for incident response and abuse investigation, then deleted.
• Failed-authentication attempts and SMTP submission lockout events, keyed by IP, used to defend the Service from credential stuffing and abuse.
• Web Application Firewall and bot-detection signals supplied by our hosting provider.

On the marketing site we collect aggregate page view and event data via PostHog. PostHog is configured to receive a session identifier (not your name or email), the current page URL, and product events you trigger (e.g., clicking the “Notify me” button). We do not run advertising trackers, behavioral pixels, or cross-site fingerprinting scripts on the marketing site. You may block PostHog at the network level without losing site functionality.

If you email, file a support ticket, or otherwise contact us, we keep the correspondence and any information you choose to include, for so long as is reasonably necessary to handle the matter and to comply with our legal obligations.

• We do not buy, license, scrape, or otherwise acquire personal information from third parties to enrich your profile.
• We do not collect precise geolocation. Approximate location is inferred from your IP only for fraud and abuse prevention.
• We do not collect government identifiers, biometric data, health data, sexual orientation, religious beliefs, political views, or other sensitive categories. Do not send these to us; if you do, we will delete them.
• We do not knowingly collect information from anyone under 16. See Section 14.

Customer Email is transmitted over TLS wherever the recipient supports it (we advertise STARTTLS and prefer modern cipher suites).

Inbound messages — mail addressed to a Customer Domain — are written by our receiving infrastructure to encrypted object storage (currently Amazon S3 with server-side encryption) while the routing pipeline reads them. In the normal path, our worker deletes the object within seconds of successful forwarding. As a backstop for objects that are not deleted by the worker (e.g., because of a transient error or an abandoned message), a bucket lifecycle rule transitions objects to cold storage (Amazon S3 Glacier Flexible Retrieval) at thirty (30) days and hard-expires them at ninety (90) days. Ninety days is therefore the absolute ceiling for any individual inbound message body in our infrastructure; the typical lifetime is seconds.

Outbound messages— mail you send from an Alias via Gmail’s “Send mail as” feature, and forwarded inbound mail that we re-send to your destination address — are not persisted in Relay Email-operated storage. Our SMTP submission server is a pass-through proxy to our outbound delivery provider (see Subprocessors). Retention of outbound mail at the delivery provider is governed by their policy.

Bounce DSNs we receive at the bounce-routing subdomain are stored in a separate object bucket alongside a short-lived database cross-reference (currently kept for thirty (30) days to attribute the bounce to the alias that forwarded the original message), with an upper bucket-level ceiling of ninety (90) days.

To route a message, we read its envelope (MAIL FROM, RCPT TO) and the headers necessary for routing, deduplication, and loop prevention (Message-ID, Received, Auto-Submitted, Content-Type). We do not inspect message bodies as part of routine routing. We rewrite the envelope sender for bounce return using a Sender Rewriting Scheme (SRS) and, where appropriate, set Reply-To. The visible From header is preserved as the original sender provided it.

Our operational logs intentionally exclude message bodies, subject lines, and recipient lists. Logs may include the alias, account, message identifier, sizes, and disposition. This is an architectural commitment enforced in code review.

We back up our operational databases (which do not contain message bodies) on a rolling schedule with retention not exceeding thirty-five (35) days. We do not back up Customer Email message bodies; once delivered or dropped, they are gone.

DKIM private keys, SRS secrets, and the salts and pepper used to hash passwords and IPs are stored in our hosting provider’s secret store, accessible only to the service identities that need them. Keys are rotated on a documented schedule.

We use the following subprocessors. Each receives only the information needed to perform its function and is contractually bound to confidentiality and data-protection terms consistent with this Policy. We will post material changes (additions or replacements) to this list on this page in advance, except in urgent security or continuity events.

We also use a limited set of vendors for accounting, transactional email to our own users (e.g., billing receipts), incident-response tooling, and customer support, each under appropriate contracts. We will identify these on request.

We disclose information when we have a good-faith belief that disclosure is required by applicable law, regulation, legal process, or governmental request; necessary to enforce our Terms or this Policy; necessary to detect, prevent, or address fraud, security, or technical issues; or necessary to protect against harm to the rights, property, or safety of Relay Email, our users, or the public. Where lawful, we will attempt to notify the affected user before disclosure so they may seek a protective order.

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of company assets, your information may be disclosed or transferred as part of that transaction. We will require the recipient to honor commitments materially consistent with this Policy and will give you reasonable advance notice and an opportunity to delete your data before any such transfer of personal information becomes effective.

We disclose information to other parties when you direct us to do so, for example by integrating a third-party tool or by sharing your account with a collaborator.

Subject to applicable law, you have the right to (a) access the personal information we hold about you, (b) correct it, (c) ask us to delete it, (d) ask us to restrict or object to certain processing, (e) ask us to export it to you in a portable format, and (f) withdraw consent where processing is based on consent.

In addition to the rights in 10.1, you have the right to lodge a complaint with your local supervisory authority. If you are in the UK, you may contact the Information Commissioner’s Office at ico.org.uk. We are not currently required to appoint an EU representative; if that changes, we will name one here.

We list the categories of personal information we collect and disclose for a business purpose in Section 3. We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA / CPRA. We do not knowingly process the personal information of consumers under sixteen (16). California residents have the right to know, the right to delete, the right to correct, the right to opt out (not applicable, since we do not sell or share for advertising), the right to limit use of sensitive personal information (not applicable, since we do not use it for inferring characteristics), and the right not to be retaliated against for exercising these rights. Authorized agents may submit requests on your behalf with written authorization. To exercise these rights, see Section 10.5.

Residents of Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia (and additional states as comprehensive privacy laws come into effect) have rights substantially similar to those in Section 10.1, exercisable as described in Section 10.5.

Email privacy@relayemail.app from the address associated with your account (or, for marketing-site or waitlist requests, the address you used to sign up). We will verify your request using reasonable means (typically by sending a confirmation to your registered email), respond within the time required by applicable law (generally 30 days, extendable once where permitted), and tell you if we cannot fulfill all or part of your request and why. We do not charge a fee for reasonable requests; we may charge a reasonable fee or decline manifestly unfounded or excessive requests as permitted by law.