Privacy Policy
Your data stays yours.
Supromail is designed around customer-owned messaging infrastructure. This policy explains what data is involved, why it is used, and how Supromail reduces exposure wherever the product can.
1. Scope
This Privacy Policy applies to Supromail websites, dashboards, APIs, hosted services, documentation, and related support interactions. It also describes privacy-relevant behavior in self-hosted deployments where the same product features are used on infrastructure you control.
2. Data we process
Depending on how you use Supromail, we may process the following categories of data:
- Account data, such as name, email address, workspace name, role, login events, and support requests.
- Workspace configuration, such as enabled channels, domains, devices, routing rules, suppression lists, API keys, webhook endpoints, and member invitations.
- Message data, such as recipient details, message content, send status, delivery events, bounce or complaint events, timestamps, and troubleshooting logs.
- Device data for SMS sending, such as paired Android device identifiers, online status, carrier metadata you provide, limits, and delivery attempts.
- Technical data, such as IP addresses, user agent information, API request metadata, rate-limit counters, security events, and audit logs.
3. How we use data
We use data to provide and secure Supromail, authenticate users, route messages, maintain delivery logs, process bounces and complaints, deliver signed webhooks, enforce limits, troubleshoot issues, prevent abuse, support customers, and improve the product.
We do not sell customer message data. We do not use your recipient lists or message content to build third-party advertising profiles.
4. Message data and recipients
Supromail processes message content and recipient data so the platform can send email and SMS, show history, handle failures, and deliver webhook events. You decide what message data to submit and are responsible for having the rights and permissions to send it.
For SMS, Supromail is designed to minimize dialable recipient numbers after a message reaches a final status. The product retains a masked number and a non-reversible hash for abuse controls and history, rather than keeping the full number longer than needed for delivery.
Email suppression addresses are stored readable within your workspace because you need to view and manage your do-not-email list. They remain isolated to your workspace.
5. Self-hosted deployments
Supromail can be self-hosted. In self-hosted deployments, your database, logs, secrets, backups, and infrastructure are controlled by you or your operator. You are responsible for configuring access, retention, monitoring, encryption keys, backups, and vendor relationships for that environment.
6. Sharing and subprocessors
We share data only as needed to provide the service, comply with law, prevent abuse, protect rights and security, or operate vendors that support hosting, authentication, email delivery, analytics, support, or infrastructure. Your connected carriers, email relays, DNS providers, hosting providers, and webhook endpoints may also process data as part of your configuration.
7. Security measures
Supromail includes workspace isolation, scoped API keys, encrypted secrets, signed webhooks, rate limits, audit events, SSRF-safe webhook delivery, and passwordless login. More detail is available on the Security page.
8. Retention
We retain data for as long as needed to provide Supromail, meet legal obligations, resolve disputes, enforce agreements, prevent abuse, and maintain security. Workspace owners can delete accounts or workspaces where the product allows. Some logs, audit events, backups, or legal records may remain for a limited period after deletion.
9. Your choices and rights
You can access and manage much of your data directly in the dashboard, including members, devices, domains, API keys, webhooks, suppressions, and account settings. Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data.
To make a privacy request, contact privacy@supromail.com. We may need to verify your identity and workspace authority before acting on a request.
10. Children
Supromail is not intended for children. Do not use Supromail to knowingly collect or process personal data from children unless you have a lawful basis and all required consents.
11. Changes
We may update this Privacy Policy as Supromail evolves. When changes are material, we will take reasonable steps to notify customers through the site, dashboard, email, or another appropriate channel.