Privacy Policy
Last updated: March 28, 2026
Straight to Inbox ("we", "us", or "our") operates the Straight to Inbox email marketing platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
We collect information you provide directly to us, such as:
- Account information: name, email address, password, and billing details when you register.
- Profile information: organization name, website, and sending domain preferences.
- Subscriber data: email addresses and attributes of your subscribers that you upload or collect via our forms.
- Usage data: campaign content, templates, automations, and funnels you create.
- Communications: support tickets, feedback, and correspondence with our team.
We also collect information automatically:
- Log data: IP address, browser type, pages visited, and timestamps.
- Device data: hardware model, operating system, and unique device identifiers.
- Cookies and tracking: as described in our Cookie Policy.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Straight to Inbox platform.
- Process transactions and send related billing communications.
- Send transactional emails such as password resets and account notifications.
- Respond to comments, questions, and support requests.
- Monitor usage patterns to detect and prevent abuse, fraud, and spam.
- Send product updates, marketing communications, and newsletters (you may opt out at any time).
- Comply with legal obligations and enforce our Terms of Service.
3. How We Share Your Information
We do not sell your personal information. We may share it in limited circumstances:
- Service providers: trusted third parties who assist us in operating the platform (e.g., payment processors, hosting providers, email delivery infrastructure). They are bound by confidentiality obligations.
- Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred as a business asset.
- Legal requirements: we may disclose information if required by law, court order, or government authority.
- Protection of rights: to enforce our Terms of Service or protect the rights, property, or safety of us, our users, or the public.
4. Cookies
We use cookies and similar tracking technologies to improve your experience. Please refer to our Cookie Policy for full details on the cookies we use, their purpose, and how to manage them.
5. Data Processing Roles
When you use Straight to Inbox to collect and email your subscribers:
- You are the data controller — you determine why and how subscriber personal data is processed.
- We are the data processor — we process subscriber data solely on your instructions to provide the Service.
For your own account data (login credentials, billing information, usage analytics), we act as the data controller.
A Data Processing Agreement (DPA) is available on request. Email [email protected] to receive a signed copy.
6. Regional Data Residency & GDPR Compliance
Straight to Inbox uses regional database sharding to guarantee that subscriber data stays in the region you select. When you create an organization, you choose a data region. This choice is permanent and determines where all subscriber data, campaigns, templates, automations, and analytics are stored and processed.
- Europe (EU) — all subscriber data is stored and processed exclusively within EU/EEA infrastructure. No subscriber data leaves the European Economic Area. This region is designed for full GDPR compliance.
- United States (US) — subscriber data is stored and processed within US infrastructure.
- Asia Pacific (AP) — subscriber data is stored and processed within Asia Pacific infrastructure.
Central account data (your login, billing, and organization settings) is stored separately from subscriber data. If you select the EU region, your subscriber data never transits through or is replicated to non-EU infrastructure.
7. Data Retention
We apply the following retention periods:
- Active account data: retained for the duration of your subscription.
- Subscriber data: retained until you delete it from the platform, or until your account is deleted, whichever comes first. We will not delete subscriber data on your behalf — as the data controller, this is your responsibility.
- Post-cancellation: account data is retained for 30 days after cancellation to allow reactivation and data export. After 30 days, data is permanently deleted.
- Inactive accounts: accounts with no active subscription for 180 consecutive days are marked for deletion with a 90-day grace period (see our Terms of Service for full details).
- Invoicing and billing records: retained for 7 years from the calendar year following the invoice date, as required by applicable tax and accounting laws.
- Support communications: retained for the duration of the commercial relationship plus 2 years.
8. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
9. Sub-processors
We use carefully selected third-party sub-processors to provide the Service, including for email delivery, payment processing, DNS management, and infrastructure hosting. We ensure appropriate contractual safeguards (including Standard Contractual Clauses where applicable) are in place with all sub-processors. We will notify you of material changes to our sub-processors via email at least 30 days before the change takes effect.
10. Your Rights (GDPR & Privacy Laws)
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Restriction: ask us to limit processing of your data.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: withdraw any consent previously given.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. International Transfers
If you select the EU data region, your subscriber data remains within the EU/EEA and is not transferred internationally. Central account data may be processed in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
12. Children's Privacy
Our service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and, where appropriate, by email at least 15 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
- Email: [email protected]
- Address: Straight to Inbox, Inc.