Who We Are
Mail Craft AI✨ ("we", "our", "us") is an AI-powered email campaign platform operated by an independent developer.
Data We Collect
2.1 Account Data (via Google OAuth)
- Your Google account ID
- Your email address
- Your display name
- OAuth access token and refresh token
We never receive or store your Google account password.
2.2 Campaign & Email Content Data
- Campaign names, subjects, email body text
- AI-generated HTML email templates
- Tone and visual style preferences
- Call-to-action links you specify
2.3 Recipient Data (Your Uploaded Files)
- Recipient email addresses
- Any additional columns you include
- File metadata (filename, row count, upload timestamp)
You are responsible for ensuring your recipient lists comply with applicable anti-spam laws.
2.4 Email Tracking Data
- Email open events (timestamp, IP, user-agent)
- Link click events (timestamp, destination URL, IP)
- Delivery status (sent, failed, bounced)
2.5 Payment Data
Premium subscriptions are processed by Dodo Payments. We store only the subscription ID, status, and dates. We do not store card data.
2.6 Usage & Technical Data
- Email send counts and monthly usage statistics
- LLM API call logs
- AI image generation counts
- Server-side session identifiers
- Standard server access logs
2.7 AI-Generated Asset Data
- Image generation prompts you enter
- Generated image URLs (hosted on Cloudinary CDN)
- AI provider and model used
How We Use Your Data
Authentication
Verify your identity and maintain secure login sessions via Google OAuth.
Email Sending
Route your campaigns via Gmail (free) or Brevo SMTP (premium) on your behalf.
AI Services
Pass your campaign brief to Google Gemini / OpenAI to generate HTML email templates.
Analytics
Track open rates and click-through rates so you can measure campaign performance.
Billing
Manage premium subscriptions and enforce quota limits based on your tier.
Security & Abuse Prevention
Detect and prevent spam, abuse, and fraudulent use of the platform.
We do not use your data for advertising, sell it to third parties, or use it to train our own AI models.
Legal Basis for Processing (GDPR Article 6)
| Data Category | Legal Basis |
|---|---|
| Account data from Google OAuth | Contract performance (Art. 6(1)(b)) |
| Campaign and template content | Contract performance (Art. 6(1)(b)) |
| Recipient email data you upload | Contract performance (Art. 6(1)(b)) — you are data controller |
| Email tracking (opens/clicks) | Legitimate interests (Art. 6(1)(f)) |
| Payment and subscription data | Contract performance and legal obligation (Art. 6(1)(b)(c)) |
| Server logs and security data | Legitimate interests (Art. 6(1)(f)) |
Data Processor vs. Controller: For recipient data you upload, Mail Craft AI✨ acts as a data processor. You remain the data controller.
Data Sharing with Third Parties
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google OAuth 2.0 | Authentication, Gmail sending | Account ID, email, OAuth tokens | policies.google.com |
| Google Gemini API | AI template generation | Campaign subject & body text | ai.google.dev |
| OpenAI API | Fallback AI generation | Campaign subject & body text | openai.com |
| Brevo (Sendinblue) | Email delivery (premium) | Recipient emails, content | brevo.com |
| Dodo Payments | Payment processing | Email, subscription details | dodopayments.com |
| Cloudinary | Image hosting and CDN | Generated image files | cloudinary.com |
| Pollinations AI | AI image generation | Image generation prompts | pollinations.ai |
| Render / Hosting | Application hosting | All data transits through servers | render.com |
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Campaign data & templates: Retained until you delete them or your account.
- Recipient data: Retained until you delete the campaign or your account.
- Email logs (tracking): Retained for 90 days, then automatically purged.
- Payment records: Retained for 7 years as required by applicable regulations.
- Server access logs: Retained for up to 30 days for security monitoring.
- LLM generation logs: Retained for 30 days for debugging and quota tracking.
Your Rights
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data.
Right to Restriction
Ask us to restrict processing in certain circumstances.
Right to Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Contact us via GitHub or LinkedIn. We respond within 30 days.
EEA/UK users: You have the right to lodge a complaint with your national Data Protection Authority (DPA).
Cookies & Session Storage
Mail Craft AI✨ uses server-side sessions (Flask-Session). We set one session cookie that:
- Contains only a session identifier (no personal data stored client-side)
- Is marked HttpOnly and Secure (HTTPS only)
- Expires when you log out or your session times out
We do not use advertising cookies, cross-site tracking cookies, Google Analytics, Facebook Pixel, or similar tracking scripts.
Security Measures
- HTTPS/TLS: All data encrypted in transit.
- OAuth 2.0: We never handle your Google password. Authentication tokens stored encrypted.
- Rate Limiting: All API endpoints rate-limited (Flask-Limiter).
- Input Validation: All file uploads and inputs validated server-side.
- HMAC Verification: Payment webhooks verified using HMAC-SHA256 signatures.
- Parameterised Queries: All database access uses SQLAlchemy ORM.
- Session Security: Session tokens invalidated on logout and suspicious activity.
Children's Privacy
Mail Craft AI✨ is not directed to children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe your child has provided us with personal information, please contact us immediately.
International Data Transfers
When you use our service, your data may be processed in countries outside your own. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, and third-party providers' Data Processing Agreements (DPAs).
California Residents — CCPA Rights
- Know: The categories and specific pieces of personal data we collect.
- Delete: Request deletion of your personal data.
- Opt-Out of Sale: We do not sell your personal data. No action needed.
- Non-Discrimination: We will not discriminate against you for exercising CCPA rights.
- Correct: Request correction of inaccurate personal information.
To submit a CCPA request, contact us via GitHub or LinkedIn. Response within 45 days.
Indian Users — Information Technology Act
This Privacy Policy is published in accordance with the Information Technology Act, 2000, IT (SPDI) Rules 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA) to the extent applicable. You have the right to review and correct information provided to us. Grievances may be addressed by contacting the developer via GitHub or LinkedIn.
Changes to This Policy & Contact Us
We may update this Privacy Policy periodically. Material changes will be communicated via a notice within the application. Continued use after changes constitutes acceptance of the revised policy.
We aim to respond to all privacy-related queries within 30 calendar days.