
Privacy Policy

Effective date: 25 June 2026
Last updated: 25 June 2026

This Privacy Policy explains how we collect, use, share, and protect personal data when you use Sairaph Mail (the "Service") at mail.sairaph.com. It is written to meet the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Polish *Ustawa o ochronie danych osobowych*.

---

1. Data Controller

1.1 The data controller for personal data processed in connection with your use of and relationship with the Service is:

  • Controller: WELLDONE (operating the Sairaph Mail service)
  • Registered address: Aleja Wyzwolenia 11/6, 70-552 Szczecin, Poland
  • Country of establishment: Poland
  • Company/commercial-register number: Polish tax/VAT identification number (NIP) PL8531508847
  • Privacy contact: privacy@sairaph.com
  • Data Protection Officer: WELLDONE has not appointed a Data Protection Officer. A DPO is not mandatory under Article 37(1) GDPR, because our core activities do not consist of large-scale, regular and systematic monitoring of data subjects, nor of large-scale processing of special categories of data (Art. 9) or of criminal-conviction data (Art. 10). All data-protection queries are handled by our privacy contact at privacy@sairaph.com.

1.2 Controller vs processor. We act as a controller for the personal data we collect to run the Service and our relationship with you (account, billing, security, support). Where you use the Service to process personal data of your own end-users, contacts, or recipients (for example, the people you email), we generally act as a processor on your behalf and you are the controller of that data; a Data Processing Agreement under Article 28 GDPR may apply (see Section 9).

---

2. Categories of Personal Data We Process

2.1 Account data — your name, email address, hashed password (we never store your password in plaintext), two-factor authentication settings, account status, and preferences.

2.2 Billing data — billing country, VAT identification number (if provided), and subscription/transaction records. Payments are processed by Stripe; we do not store full payment card numbers. Card data is handled by Stripe as a PCI-DSS compliant processor.

2.3 Customer email content — the email messages, headers, subjects, and attachments that flow through the Service and that we cache to provide functionality. Message bodies are cached for a limited per-tier window (see Section 5); message envelopes (sender, subject, date, snippet, message-id) are retained to power search; the authoritative copy remains in your OVH mailbox. This content may itself contain personal data of third parties, for which you are responsible as controller.

2.4 Domain and DNS data — the domain owner-contact details you provide for OVH registration, and DNS configuration. Note that registrant contact details may be published or processed under ICANN/registry rules.

2.5 Technical and audit metadata — IP address, user-agent, device/login fingerprints, timestamps, API usage, security events, and an audit log of mutating actions on your Account.

2.6 Support data — the content of support tickets and related correspondence.

---

3. Purposes and Lawful Bases

We process personal data for the following purposes, on the indicated lawful bases under Article 6(1) GDPR:

3.1 Providing the Service (creating your account, provisioning mailboxes and domains, sending/receiving and caching mail, API/MCP access) — performance of a contract (Art. 6(1)(b)).

3.2 Billing, invoicing, and tax — performance of a contract and compliance with a legal obligation (Art. 6(1)(b) and (c)), including accounting and tax-retention obligations.

3.3 Security, fraud prevention, abuse detection, deliverability monitoring, audit logging — legitimate interests (Art. 6(1)(f)) in keeping the Service, our customers, and upstream providers secure and reputable; and, where applicable, legal obligation (Art. 6(1)(c)).

3.4 Support and service communications (transactional emails, security notices) — performance of a contract and legitimate interests (Art. 6(1)(b) and (f)).

3.5 Bot protection at signup (Cloudflare Turnstile) — legitimate interests in preventing automated abuse (Art. 6(1)(f)); where local law requires consent for any non-essential processing or cookies, that processing is on the basis of consent (Art. 6(1)(a)).

3.6 Legal compliance and enforcement (responding to lawful requests, enforcing our Terms, establishing/defending legal claims) — legal obligation and legitimate interests (Art. 6(1)(c) and (f)).

3.7 Where we rely on legitimate interests, you have the right to object (see Section 7). Where we rely on consent, you may withdraw it at any time without affecting prior processing.

---

4. Sub-Processors and Recipients

4.1 We engage the following sub-processors to deliver the Service. Each processes personal data only on our documented instructions and under a data-processing agreement containing the Article 28 GDPR terms. The current, authoritative list (with legal entity, purpose, region, and transfer mechanism) is maintained in `SUB_PROCESSORS.md` and summarized here. International transfers outside the EEA, where they occur, are protected by appropriate safeguards (see Section 4.2).

  • OVH (OVH SAS / OVH Sp. z o.o.) — mailbox hosting and domain registration. Region: EU. Purpose: hosting your mailboxes (the authoritative mail store) and registering/managing your domains. The mailbox content stays in the EU.
  • Amazon Web Services / Amazon SES (Amazon Web Services EMEA SARL, Luxembourg) — outbound email relay. Region: eu-west-1 (Dublin, Ireland — EU). Purpose: sending your outbound email and processing bounce/complaint notifications. Message processing for sending occurs in the EU; to the extent any data is accessed by AWS's US parent, that transfer is covered by the AWS GDPR Data Processing Addendum (which incorporates the EU SCCs) and Amazon's EU–US Data Privacy Framework certification.
  • Stripe (Stripe Payments Europe, Ltd., Ireland, with Stripe, Inc. in the US) — payment processing and tax calculation (Stripe Tax). Purpose: collecting subscription payments and calculating/applying VAT. Stripe may process certain data in the US; transfers are covered by Stripe's DPA (incorporating the EU SCCs) and Stripe, Inc.'s EU–US Data Privacy Framework certification.
  • Cloudflare (Cloudflare, Inc., US) — bot protection at signup (Cloudflare Turnstile). Purpose: distinguishing humans from bots on the signup form. Transfers to the US are covered by Cloudflare's DPA (incorporating the EU SCCs) and Cloudflare, Inc.'s EU–US Data Privacy Framework certification.
  • OVHcloud (VPS / infrastructure hosting) (OVH SAS, France — EU) — the virtual private server infrastructure that runs the Sairaph Mail application, PostgreSQL database, Redis, and background workers. Region: EU. Purpose: operating the application, database, cache, and workers. This is the same provider group as the mailbox/domain entry above, contracted for compute/storage.

4.2 International transfers. OVH and Amazon SES (eu-west-1) keep the data they process for us in the EU. Where a sub-processor processes personal data outside the EEA (e.g. US-based vendors or US parent-company access), we rely on appropriate safeguards under Chapter V GDPR, namely (a) the European Commission's Standard Contractual Clauses (SCCs) as incorporated into each vendor's data processing agreement, and/or (b) the vendor's certification under the EU–US Data Privacy Framework where the destination is the United States, supported by supplementary measures (including encryption in transit and, for sensitive customer data, encryption at rest) where appropriate. You may request a copy of, or information about, the safeguards in place by contacting privacy@sairaph.com.

4.3 Other recipients. We may disclose personal data to professional advisers, and to competent authorities or courts where required by law (including mandatory reporting of CSAM). We may transfer data as part of a merger, acquisition, or asset sale, subject to this Policy.

---

5. Data Retention

5.1 Account data — retained for the life of your contract and for the period necessary to meet legal obligations (e.g. tax/accounting retention), after which it is deleted or anonymized.

5.2 Email-body cache — retained per subscription tier: Agent 30 days, Entrepreneur 90 days, Swarm 180 days (configurable up to an absolute cap of 365 days), after which cached bodies are evicted from our systems. The full message history remains in your OVH mailbox, which is the authoritative store. Message envelopes are retained to power search until you delete the relevant mail or your Account.

5.3 Audit and security logs — retained for a maximum of 12 months from the date of the logged event, customer-scoped, after which they are deleted or irreversibly anonymized. This period is long enough to investigate security incidents and abuse patterns that often surface months after the fact, while remaining proportionate under the storage-limitation principle (Art. 5(1)(e)).

Legitimate-interests assessment (LIA). We keep these logs on the basis of our legitimate interests (Art. 6(1)(f)). *Purpose:* protecting the security and integrity of the Service and our customers' accounts, detecting and preventing fraud and abuse (including spam, phishing, and unauthorized access), debugging and operational diagnostics, and the establishment, exercise, or defense of legal claims. *Necessity:* there is no less intrusive way to meet these purposes; the records are minimal (action, actor, resource, metadata, IP, user-agent, timestamp), do not include message content, and are not used for profiling, advertising, or automated decision-making affecting you. *Balancing:* the data is limited, access-controlled, retained for a bounded 12-month period, and held in a context where users reasonably expect a service operator to keep security records; this is balanced against your interests and your rights remain fully available (including the right to object under Section 7). On erasure of your Account (Section 5.5), any encrypted metadata in these records becomes permanently unrecoverable, even where rows persist in backups.

5.4 Support data — retained for the period needed to resolve and document support and for a reasonable period thereafter.

5.5 Deletion and crypto-erasure. When you delete your Account, deletion is scheduled with a 7-day grace period (during which credentials and API keys are revoked and you may cancel). At the end of the grace period, your per-customer encryption key is destroyed, which renders all of your encrypted data — in our database and in any backups — permanently undecryptable (crypto-erasure). This mechanism enables erasure to take effect even within backup-retention windows.

---

6. Security

6.1 We implement appropriate technical and organizational measures under Article 32 GDPR, including:

  • Encryption at rest of sensitive customer-owned data using per-customer encryption keys (Fernet sub-keys wrapped by a master key family);
  • Password hashing with Argon2id (OWASP-recommended parameters) and a breached-password check at signup/change;
  • Two-factor authentication (TOTP with recovery codes) available to all customers;
  • Encryption in transit via TLS, with strict HTTP security headers;
  • Access controls, rate limiting, account-lockout, and audit logging;
  • Edge protection and security monitoring.
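The crypto-erasure mechanism of Section 5.5 and the per-customer Fernet sub-keys wrapped by a master key of Section 6.1, shown as an added illustration that is not Sairaph Mail's own code: it assumes the Python `cryptography` package, and the `CustomerVault` class, its methods and the `demo` function are names chosen for this example.

```python
# Added example: per-customer Fernet sub-keys wrapped by a master key, and
# crypto-erasure by destroying the wrapped sub-key. Names are this example's
# own, not Sairaph Mail's code; requires the `cryptography` package.
from typing import Optional
from cryptography.fernet import Fernet, InvalidToken


class CustomerVault:
    """One master-wrapped Fernet sub-key per customer, plus their ciphertexts."""

    def __init__(self, master_key: bytes):
        self._master = Fernet(master_key)  # one member of the master key family
        self._wrapped_keys = {}            # customer_id -> sub-key encrypted under master
        self.records = {}                  # customer_id -> list of Fernet tokens ("DB rows")

    def provision(self, customer_id: str) -> None:
        sub_key = Fernet.generate_key()
        # Only the wrapped form is persisted; the plaintext sub-key is not kept.
        self._wrapped_keys[customer_id] = self._master.encrypt(sub_key)
        self.records[customer_id] = []

    def _sub_fernet(self, customer_id: str) -> Fernet:
        wrapped = self._wrapped_keys[customer_id]  # KeyError once the key is destroyed
        return Fernet(self._master.decrypt(wrapped))

    def store(self, customer_id: str, plaintext: bytes) -> bytes:
        token = self._sub_fernet(customer_id).encrypt(plaintext)
        self.records[customer_id].append(token)
        return token

    def read(self, customer_id: str, token: bytes) -> Optional[bytes]:
        try:
            return self._sub_fernet(customer_id).decrypt(token)
        except (KeyError, InvalidToken):
            return None  # no usable key: the row is unreadable, not just hidden

    def crypto_erase(self, customer_id: str) -> None:
        """Destroy the wrapped sub-key; rows in the DB and any backups remain but cannot be decrypted."""
        self._wrapped_keys.pop(customer_id, None)


def demo() -> dict:
    vault = CustomerVault(Fernet.generate_key())
    vault.provision("cust-a")
    vault.provision("cust-b")
    tok_a = vault.store("cust-a", b"constructed: envelope for customer A")
    tok_b = vault.store("cust-b", b"constructed: envelope for customer B")
    before = vault.read("cust-a", tok_a)
    backup = {cid: list(rows) for cid, rows in vault.records.items()}  # snapshot before erasure
    vault.crypto_erase("cust-a")
    return {
        "a_before": before,
        "a_after": vault.read("cust-a", tok_a),
        "a_backup_rows": len(backup["cust-a"]),                       # ciphertext still exists...
        "a_backup_readable": vault.read("cust-a", backup["cust-a"][0]),  # ...but is undecryptable
        "b_after": vault.read("cust-b", tok_b),                        # other customers unaffected
    }
```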

6.2 No system is perfectly secure. In the event of a personal-data breach, we will notify the competent supervisory authority and affected individuals where required by Articles 33–34 GDPR.

---

7. Your Rights

7.1 Subject to the conditions in the GDPR, you have the right to:

  • Access (Art. 15) — obtain confirmation and a copy of your personal data;
  • Rectification (Art. 16) — correct inaccurate or incomplete data;
  • Erasure (Art. 17) — request deletion ("right to be forgotten"), including via the in-product account-deletion flow (Section 5.5);
  • Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format, available through the Service's built-in data export feature, which produces a downloadable archive of your account data and messages;
  • Restriction (Art. 18) — restrict processing in certain circumstances;
  • Objection (Art. 21) — object to processing based on legitimate interests;
  • Withdraw consent (Art. 7(3)) — where processing is based on consent, at any time, without affecting prior processing;
  • Lodge a complaint with a supervisory authority.

7.2 Exercising your rights. Contact privacy@sairaph.com. We will respond within the statutory time limit (generally one month, extendable by up to two further months for complex or numerous requests). We may need to verify your identity before acting. Many requests can be self-served from the dashboard (data export, account deletion, profile edits).

7.3 Supervisory authority. You may lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. As the controller (WELLDONE) is established in Poland, the lead supervisory authority is the Polish data-protection authority, UODO (*Urząd Ochrony Danych Osobowych*), ul. Stawki 2, 00-193 Warszawa, Poland (uodo.gov.pl).

---

8. Cookies and Tracking

8.1 We use minimal client-side storage and a privacy-first analytics tool:

  • an authentication token stored in your browser's localStorage to keep you signed in (strictly necessary for the dashboard to function);
  • Cloudflare Turnstile, which runs on the signup form and may set its own storage/cookies to perform bot detection (strictly necessary security);
  • a consent-decision record that remembers your cookie/privacy choices (strictly necessary so we can honour your preference); and
  • Plausible Analytics (self-hosted by us in the EU) for understanding how the site is used. In its baseline mode Plausible is cookieless — it sets no cookies and writes nothing to your device — and runs on our legitimate interest in measuring and improving the Service. If you turn on analytics, an enriched/attribution layer additionally stores a small amount of measurement data on your device (a sessionStorage attribution token); this enriched layer runs only with your consent.

8.2 We do not use third-party advertising or cross-site tracking cookies, and our baseline analytics is cookieless. The authentication token, the consent-decision record, and Cloudflare Turnstile are strictly necessary and do not require consent. Analytics is provided by self-hosted Plausible (operated by us on EU infrastructure): the baseline cookieless pageview measurement relies on our legitimate interest and sets no device storage; the enriched/attribution layer that does write to your device (`sessionStorage`) runs only after you consent via the cookie/privacy banner. You can change or withdraw your choice at any time through the "Manage cookie preferences" control. Full details of what is stored and why are set out in our Cookie Policy (COOKIE_POLICY.md).

---

9. Where Sairaph Mail Is a Processor (Business Customers)

9.1 When you use the Service to process personal data of your own end-users, contacts, or recipients, you are the controller and Sairaph Mail is a processor under Article 28 GDPR. In that case: we process such data only on your documented instructions; we keep it confidential; we apply Article 32 security measures; we assist you with data-subject requests and breach notification within the limits of our role; we make available information necessary to demonstrate compliance; and we engage sub-processors (Section 4 and SUB_PROCESSORS.md) under equivalent data-protection obligations, with prior general authorization and a mechanism to object to changes. A separate Data Processing Agreement (DPA) governs this relationship: it is provided to Business Customers as a click-through agreement incorporated by reference at checkout, with a signed copy available on request at privacy@sairaph.com. The full text is maintained in DPA.md.

---

10. Children's Data

10.1 The Service is not intended for anyone under 18 years of age, and we do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, contact privacy@sairaph.com and we will take appropriate steps.

---

11. Changes to This Policy

11.1 We may update this Policy. We will post the updated version with a new effective date and, for material changes, notify you by email or in-product notice. Continued use after the effective date constitutes acknowledgment of the updated Policy.

---

Contact: WELLDONE, Aleja Wyzwolenia 11/6, 70-552 Szczecin, Poland (NIP PL8531508847) — privacy: privacy@sairaph.com; DPO: none appointed (not mandatory under Art. 37(1) GDPR).

If you have questions about these terms, contact us at privacy@sairaph.com.

*Sairaph Mail, operated by WELLDONE, Sairaph.com.*