Privacy Policy

Last updated: April 17, 2026

Mailto.Bot ("we", "us", "our") is built by developers, for developers. We collect only what we need to run the service and never sell your data. This policy explains exactly what we collect, why, and how you can control it.

1. What We Collect

When you use Mailto.Bot we collect the following information:

  • Account data — Your name, email address, and (if you sign up with a password) a bcrypt hash of your password. If you use Google OAuth we store your Google account ID.
  • Organisation data — Your organisation name and workspace slug, auto-generated at sign-up.
  • Payment data — Billing information (card details, billing address) is collected and stored exclusively by Stripe. We store only your Stripe customer ID and subscription status.
  • Mailbox content — Emails delivered to your Mailto.Bot mailboxes — including headers, subject, body text, HTML, and attachments — are stored in Redis with a 24-hour TTL. Content is deleted automatically after 24 hours or when you delete the mailbox.
  • API usage logs — Timestamps, endpoint paths, HTTP status codes, and org identifiers for API requests. Logs are retained for 30 days for debugging and abuse prevention.
  • Technical metadata — IP addresses and User-Agent strings for rate-limiting and security purposes. These are not linked to your account in persistent storage.

2. How We Use It

We use the data we collect to:

  • Create and maintain your account and workspace.
  • Deliver inbound emails to your mailboxes and fire webhooks.
  • Process payments and manage your subscription plan via Stripe.
  • Enforce plan-level rate limits and message quotas.
  • Send transactional emails (password reset, important account notices). We do not send marketing email without your consent.
  • Detect and prevent abuse, spam, and API misuse.
  • Improve the service through aggregate, anonymised usage analytics.
  • Respond to support requests.

3. Data Storage

All data is stored on Google Cloud Platform in the us-central1 region (Iowa, USA).

  • Database — PostgreSQL (Google Cloud SQL). Data is encrypted at rest using AES-256 and in transit using TLS 1.2+.
  • Message cache — Redis (Google Cloud Memorystore). Mailbox messages are cached here with a 24-hour TTL. Memorystore is VPC-private and not accessible from the public internet.
  • Large attachments — Google Cloud Storage (same region). Attachments over 1 MB are offloaded to GCS, encrypted at rest, and deleted when the mailbox message is purged.
  • Payment data — Handled entirely by Stripe. Card numbers and sensitive financial data never touch our servers.

4. Data Retention

Retention period by data type:

  • Mailbox messages — 24 hours (automatic TTL in Redis), or until the mailbox is deleted
  • Account & org data — Until you delete your account
  • API tokens — Until revoked; revoked tokens are soft-deleted and purged after 90 days
  • Password reset tokens — 1 hour (automatic expiry)
  • API access logs — 30 days rolling
  • Billing records — As required by applicable law (typically 7 years for financial records)

5. Third Parties

We share data with the following third-party processors, and no others:

  • Stripe — Payment processing. Stripe is PCI-DSS compliant. See stripe.com/privacy.
  • Google Cloud Platform — Cloud infrastructure (database, Redis, object storage, hosting). Google acts as a data processor under our agreement. See cloud.google.com/privacy.
  • Google Analytics 4 — Aggregate page-view and traffic analytics. GA4 is configured in Consent Mode v2 denied-by-default — no cookies are set, no PII is collected or transmitted. Only anonymised, aggregated measurement pings (cookieless mode) are sent to Google. See policies.google.com/privacy.
  • Resend — Transactional email delivery (password resets, account notifications). Only your email address is shared. See resend.com/privacy.

We do not sell, rent, or share your personal data with advertisers or data brokers. Ever.

6. Your Rights

You have the following rights with respect to your personal data:

  • Access — Request a copy of the data we hold about you.
  • Correction — Ask us to correct inaccurate data.
  • Deletion — Delete your account and all associated data from your dashboard (Settings → Delete Account). We will process the deletion within 30 days.
  • Export — Export your mailbox data from the dashboard at any time.
  • Restriction — Ask us to restrict processing of your data in certain circumstances.
  • Objection — Object to processing based on legitimate interest.

To exercise any of these rights, email us at mailtobot@happycactus.ai. We'll respond within 30 days.

7. Cookies & Analytics

Mailto.Bot uses exactly one cookie:

authjs.session-token — an HTTP-only, secure, SameSite=Lax session cookie set by Auth.js v5 to keep you logged in. It contains a signed JWT (not your password or payment data) and expires with your session.

We do not use tracking cookies, advertising pixels, or third-party identity cookies.

We use Google Analytics 4 for aggregate traffic measurement. GA4 is deployed with Consent Mode v2 denied-by-default: all four consent categories (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to denied for every visitor, globally. In this mode GA4 operates in cookieless measurement: it sends anonymised, aggregated pings (pageview counts, geographic breakdown, device/browser type) without writing any cookies or collecting personally identifiable information. No _ga or _gid cookies are set in your browser.

Because all consent categories are denied by default, there is no cookie consent banner — there is nothing to consent to.

9. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights regarding your personal information:

  • Right to Know — You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
  • Right to Delete — You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct — You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt Out of Sale/Sharing — You have the right to opt out of the sale or sharing of your personal information. See the "Do Not Sell or Share" section below.
  • Right to Limit Use of Sensitive Personal Information — You have the right to limit our use and disclosure of sensitive personal information.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your rights, email us at mailtobot@happycactus.ai with the subject line "California Privacy Request". We will respond within 45 days as required by the CCPA, with a possible 45-day extension when reasonably necessary.

We do not discriminate against California residents who exercise their privacy rights. We do not charge different prices, provide different service levels, or deny goods or services based on the exercise of CCPA/CPRA rights.

10. Do Not Sell or Share My Personal Information

We do not sell or share your personal information with third parties for cross-context behavioural advertising.

Our analytics deployment (Google Analytics 4) is configured in Consent Mode v2 denied-by-default. In this configuration:

  • GA4 operates in cookieless measurement mode — no cookies are set, no persistent identifiers are created.
  • Only anonymised, aggregated signals (pageview counts, geographic region, browser type) are transmitted to Google.
  • No personally identifiable information is shared with Google Analytics.
  • This applies to all visitors globally — not just California residents.

Global Privacy Control (GPC / Sec-GPC): We respect the Sec-GPC signal. Because analytics_storage and all advertising-related consent categories are denied by default for every visitor, your GPC preference is already honoured without any additional action on your part. No cookies will be set regardless of whether your browser sends the Sec-GPC header.

If you have questions about our data practices or wish to make a "Do Not Sell or Share" request, contact us at mailtobot@happycactus.ai.

11. Contact

Questions about this policy? We're happy to talk.

We may update this policy as the service evolves. We'll email you about material changes with at least 30 days' notice.