Compliance

GDPR Compliance

E-mailer is committed to protecting data privacy and complying with the EU General Data Protection Regulation. Here's how we do it.

Our GDPR Commitments

Data Processing Agreement

We offer a GDPR-compliant DPA to all customers. It covers our obligations as a data processor, sub-processors, data breach notification procedures, and data deletion commitments.

Encryption & Security

AES-256 encryption at rest, TLS 1.3 in transit. SOC 2 Type II certified infrastructure. Regular penetration testing and security audits by independent third parties.

EU Data Processing

E-mailer offers EU-based data processing through AWS eu-west-1 (Ireland) for customers who require data residency within the European Economic Area.

Sub-Processor Transparency

We maintain a public list of sub-processors and notify customers at least 30 days before adding new ones, giving you the right to object.

Legal Bases for Processing

Contract Performance (Art. 6(1)(b))

Processing necessary to provide the E-mailer service you've signed up for — account management, email sending, analytics.

Legitimate Interests (Art. 6(1)(f))

Product improvement through anonymized usage analytics, security monitoring, and fraud prevention. We conduct balancing tests to ensure our interests don't override your rights.

Consent (Art. 6(1)(a))

Marketing communications, optional analytics cookies, and optional tracking. You can withdraw consent at any time.

Legal Obligation (Art. 6(1)(c))

Tax records, billing data retention, and responding to lawful data requests from authorities.

Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights. We respond to all requests within 30 days.

Right of Access (Art. 15)

Request a copy of all personal data we process about you.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing (Art. 18)

Request that we limit how we use your data.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right re: Automated Decisions (Art. 22)

Right not to be subject to decisions based solely on automated processing.

International Data Transfers

E-mailer is headquartered in the United States. When data is transferred from the EEA/UK to the US, we rely on the EU-US Data Privacy Framework (DPF) and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission.

For customers who require EU data residency, we offer data processing within AWS eu-west-1 (Ireland) on our Enterprise plan. Contact sales for details.

Sub-Processors

Provider                Purpose                              Location
Amazon Web Services     Cloud infrastructure & hosting       US / EU (Ireland)
Stripe                  Payment processing                   US
PostHog                 Product analytics                    EU (Germany)
OpenAI                  AI-powered email personalization     US
Cloudflare              CDN, DDoS protection, DNS            Global
Intercom                Customer support chat                US

Data Breach Response

In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will include the nature of the breach, the data affected, the measures taken to address it, and the steps you should take.

We maintain a dedicated incident response team and conduct annual breach simulation exercises to ensure our response process is effective and timely.

GDPR questions or data subject requests?

Contact our Data Protection Officer at dpo@e-mailer.io or request a copy of our DPA.