Privacy Policy

Last updated

Draft. This policy describes MailHook's current data handling based on the product's architecture. Review with qualified counsel before relying on it for legal compliance.

MailHook ("we", "our", "us") operates mailhook.in and the MailHook service. This Privacy Policy explains what data we collect, how we use it, and the choices you have.

1. Data we collect

Account data. Name, email address, and authentication identifiers you provide through Supabase Auth. Billing identifiers come from Lemon Squeezy when you subscribe.

Inbox and routing data. The inbox addresses you create, routing rules, integration configurations, and friendly names.

Email content. Incoming emails routed through your MailHook address, including headers, sender/recipient addresses, subject, body (text and HTML), and attachments. Raw MIME is stored in Cloudflare R2 and metadata is stored in Supabase Postgres.

Operational data. Delivery logs, retry history, API access logs, and aggregated service metrics.

Contact form submissions. When you submit the contact form on mailhook.in/contact, we store your name, email, message, user-agent, and the country code Cloudflare derives from your IP (CF-IPCountry header). The form is protected by Cloudflare Turnstile, which may collect signals from your browser to score the request.

Usage analytics. We do not load third-party analytics or advertising trackers on our marketing site at this time. Our dashboard loads a session cookie necessary for authentication and a Cloudflare bot-management cookie on domains we serve through Cloudflare.

2. How we use data

  • To operate the inbound email pipeline and deliver messages to the destinations you configure.
  • To bill and administer your subscription.
  • To diagnose delivery failures and support you when you ask for help.
  • To detect abuse, spam, and violations of our Terms.

We do not sell personal data, and we do not use your email content to train machine learning models outside of the explicit transforms you enable (e.g., DeepL translation, OpenAI summarization).

3. Data retention

Retention of email data is tied to your plan's log-retention window, enforced programmatically by the worker:

| Plan | Inboxes | Routings/inbox | Monthly executions | Log retention |
|--------|---------|----------------|--------------------|---------------|
| Free | 1 | 1 | 500 | 3 days |
| Pro | 5 | 10 | 2,500 | 10 days |
| Scale | 10 | 50 | 10,000 | 90 days |

  • Raw MIME (R2). Stored at raw.mailhook.in and pruned per the plan's retention window above.
  • Delivery metadata (Supabase). Retained per the plan's retention window above.
  • Contact-form submissions. Retained for 24 months for support follow-up and abuse investigation, then deleted.
  • Account data. Kept while your account exists. You can request deletion at any time.

4. Sub-processors

MailHook relies on the following sub-processors to operate the service. A consolidated table with transfer mechanisms is kept in the Data Processing Addendum.

  • Cloudflare — email routing, Workers, KV, R2, Queues, Send Email, Turnstile (contact-form bot protection).
  • Supabase — Postgres database, authentication.
  • Lemon Squeezy — payments, subscription management, tax compliance (Merchant of Record).
  • Twilio — WhatsApp Business delivery (Scale plan).
  • OneSignal — web and mobile push delivery (if configured).
  • Trello (Atlassian) — task creation (if configured).
  • Notion — notes integration (if configured).
  • DeepL — translation transform (Scale, if enabled).
  • OpenAI — summarization transform (Scale, if enabled).

5. International transfers

MailHook and our sub-processors may process data outside the European Economic Area. Where required, we rely on Standard Contractual Clauses and equivalent safeguards. A Data Processing Addendum is available at /legal/dpa.

6. Your rights

Depending on where you live, you have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. Contact support@mailhook.in to exercise these rights.

7. Security

Integration credentials are encrypted at rest with AES-GCM before being written to the database. Webhooks are signed with HMAC-SHA256 so you can verify authenticity. For more detail see /legal/security.

8. Contact

Questions about this policy? Email support@mailhook.in.