Privacy Policy
Last updated: February 26, 2026
Summary
Current regulations may raise concerns from organizations about how the Service uses and protects your data - this page attempts to answer some of the most common questions you may have.
- The Privacy & Data Retention section provides an overview of our data center and our data retention policy.
- The GDPR section provides detailed information about how we comply with GDPR.
- The Third Parties section provides a list of our sub-processors under GDPR.
For general inquiries, send a message anytime to privacy@emailconnect.eu.
Privacy and data retention
Your privacy is important to us. It is EmailConnect's policy to respect your privacy regarding any information the system may collect from you across the website, https://emailconnect.eu, and other sites we own and operate.
We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means, with your knowledge and consent. We also let you know why we're collecting it and how it will be used.
Data center
EmailConnect's primary data and servers are hosted at Hetzner in Germany. These servers use hydropower as renewable energy sources, supporting our commitment to environmental sustainability.
Data retention
We only retain collected information for as long as necessary to provide you with your requested service. What data we store, we'll protect within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification.
We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. Email data retention periods are configurable in your EmailConnect settings and default to industry-standard timeframes.
Data Residency Mode
Platform plan users may enable Data Residency Mode, which changes how email content is handled:
- What changes: When enabled, email content (body, attachments, headers) is processed in memory and delivered to your webhook endpoint, but is not stored in our central database. Only routing metadata is retained: message ID, recipient address, subject line, timestamps, delivery status, and an attachment summary (filename, type, size). Sender addresses are not stored.
- Your S3 storage: Data Residency Mode requires a custom S3 connection. Attachments and content are stored in your own S3 bucket under your control and jurisdiction.
- What we retain: Routing metadata needed for delivery tracking, audit logging, and billing. This metadata contains operational identifiers, not email body content.
- Trade-offs: Dashboard payload preview, replay, and manual retry are unavailable when content is not stored.
This feature is designed for organisations that require email content to remain exclusively within infrastructure they control, while still benefiting from EmailConnect's routing, delivery, and spam filtering.
Security of sensitive configuration data
For customers using custom storage configurations (such as custom S3 endpoints), we implement additional security measures:
- Encrypted credential storage: All custom S3 access keys, API tokens, and webhook authentication credentials are encrypted at rest using industry-standard encryption (AES-256)
- Key management: Encryption keys are managed separately from application data and rotated regularly
- Access controls: Only authorized system processes can decrypt credentials, never exposed in logs or error messages
- Secure transmission: All credentials are encrypted during transmission and never stored in plain text
We don't share any personally identifying information publicly or with third-parties, except when required by law.
With your active consent, we store only necessary information to provide email processing and delivery services through our third-party integrations (see Third Parties section). We store this information for the duration that the integration is active and according to your configured retention settings.
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.
You are free to refuse our request for your personal information, with the understanding that we may be unable to provide you with some of your desired services.
Abuse prevention
To protect the integrity of our platform and to prevent our service from being used to facilitate illegal activities such as phishing, spam, or malware distribution, we may process limited email metadata under our legitimate interest (GDPR Article 6(1)(f)).
What we may review
When we have reasonable grounds to suspect a violation of our Acceptable Use Policy, we may conduct a time-limited compliance review of the following metadata categories:
- Subject lines
- Sender and recipient email addresses
- URLs found in emails
- Attachment filenames
- Timestamps and volume patterns
We do not review email body content during compliance reviews.
Retention
Any data captured during a compliance review is automatically deleted 7 days after the review concludes. Audit logs of review actions are retained for our legitimate interest period and may be requested by the account holder.
Your rights
You will be informed after any compliance review concerning your account has concluded (GDPR Article 14). Notification may be delayed during an active investigation to preserve its integrity (Article 14(5)(b)). You may object to this processing under Article 21 by contacting privacy@emailconnect.eu.
For full details, see our Compliance reviews help article.
EU General Data Protection Regulation (GDPR)
What is GDPR?
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It came into effect on May 25, 2018.
GDPR is also known as AVG (Netherlands), RGPD (France, Spain), and DSGVO (Germany) in their respective countries.
Why is GDPR important?
GDPR adds new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. For email processing services like EmailConnect, GDPR compliance is particularly crucial as we handle personal communications.
What has EmailConnect done to comply with GDPR?
We work hard to meet our obligations as a processor under Article 28 of GDPR. To this end:
- We process your customer and end user data per your instructions
- We have implemented appropriate technical and organizational measures to protect the data with which you entrust us
- We have provided a comprehensive list of our sub-processors below
- We have instituted a policy informing and obligating our employees to maintain the confidentiality of your information
- We have instituted procedures to assist you in complying with requests for access, amendment or deletion that you may receive from your customers or end users
- We will delete your customer/end user information at the end of our agreement with you, if you request it
- We have appointed a representative as required by Article 27 of GDPR
How do you manage access to my information?
We service Data Subject Rights (DSR) requests such as delete and export manually to ensure accuracy and security. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at privacy@emailconnect.eu.
This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
Working with third parties
Sub-processors and third party services
| Provider | Purpose | Data shared |
|---|---|---|
| Hetzner | Server hosting | Provides the server infrastructure for EmailConnect. Stores our databases (PostgreSQL, Redis), isolated within the VPC (no public access) and application logic. |
| Scaleway Email | Transactional emails | Facilitates sending EmailConnect transactional emails (notifications) to registered and subscribed users. Data: name, email address |
| Scaleway DNS | DNS management | Manages domain name resolution for EmailConnect services. No personal data stored. |
| Scaleway Object Storage | File storage | Stores processed attachments (for the retention period as set by you in your retention settings) and invoices for the duration required by regulation (7 years). |
| Plausible | On-page analytics | Privacy-focused analytics. No identifiable information is exchanged. |
| Mollie | Payment provider | Processes payments and shares a non-identifiable token with EmailConnect for tracking payment statuses. Data: name, email, billing information |
| Webhooktest.eu (optional) | Webhook testing | Allows you to test your webhook endpoints. Data: name, email for OAuth authorization |
| Gravatar.com (optional) | Avatar service | Displays user avatars based on email addresses. Data: email address (hashed) |
Development and operations tools
The following tools are used for service development and operations but do not process customer data:
| Tool | Purpose | Data handling |
|---|---|---|
| GlitchTip | Application monitoring | Self-hosted in The Netherlands. No identifiable information recorded. |
| Beszel | System monitoring | Self-hosted in The Netherlands. No identifiable information recorded. |
| GitHub | Code repository | No customer data stored (US-based) |
| Fider | Feedback management | Self-hosted in The Netherlands. No identifiable information recorded. |
| Fastmail | Business email | Australian hosted with DPA in place |
| Claude Code | Development assistance | No identifiable customer information shared (US-based) |
| Notion | Internal documentation | No customer data stored (US-based) |
For a complete technical overview of EmailConnect's infrastructure, refer to: https://hosting-checker.net/websites/emailconnect.eu
Contact information
For any privacy-related questions, GDPR requests, or data protection concerns, please contact us at:
General privacy inquiries
Email: privacy@emailconnect.eu
Response time: Within 14 days
Data protection officer
Email: dpo@emailconnect.eu
GDPR requests: Data access, deletion, portability