Privacy Policy
Effective: May 1, 2026
mailall.us is operated by Hartkraft, Inc. ("we," "us," "our"). This policy describes how we handle your information. It's written to be plain-English first and legally correct second.
1. Information We Collect
- Email address: provided when you create an account, when you're added to a group, or when you contact us. It's the primary identifier for an account and the core of a forwarding service; we can't operate without it.
- Group membership data: which groups you belong to, your role, and your delivery status.
- Usage data: message counts, delivery events (bounces, complaints), and timestamps. We do not read or retain the body of your messages.
- Payment information: if you pay for a plan, Stripe processes the payment. We never see or store credit card numbers. We retain your Stripe customer ID, subscription status, and invoice history.
- Technical data: IP addresses, request logs, and error diagnostics. Used for rate limiting, abuse prevention, and debugging.
- Agreement records: the date, time, IP address, and version of the Terms of Service you accepted at signup. We keep these for as long as your account exists so we can prove what you agreed to if it ever matters.
2. How and Why We Use Your Information
We only process your data for these purposes, each tied to a specific legal basis under GDPR where it applies:
- Deliver the service: forward email, sign you in, confirm memberships, send transactional notices. Legal basis: performance of a contract with you.
- Bill you and manage subscriptions. Legal basis: performance of a contract; compliance with tax and audit obligations.
- Keep the service running and safe: rate limiting, bounce and complaint handling, abuse investigations, error diagnostics. Legal basis: legitimate interests. Operating a reliable, non-abused service is a core need, and the privacy impact of request logs is minimal compared to the risk of running without them.
- Send you marketing email if you have opted in (product updates, new features, offers). Legal basis: consent. You can withdraw consent at any time; see Section 3a.
- Comply with law, respond to valid legal process, and defend against claims. Legal basis: legal obligation and legitimate interests.
We do not profile you, target you with advertising, or make any decisions about you using automation that would significantly affect you.
3. Who We Share Data With
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under California law). We disclose information only in these situations:
- Service providers acting on our behalf under written contract. Currently: Stripe (payments), Amazon Web Services (hosting, email delivery, DNS), and Cloudflare (bot protection on the signup page). Each provider publishes its own privacy policy covering its handling of the data we pass to it.
- Other group members. When you send email to a group, your From address and the message reach every confirmed member. When you're added to a group, your email address is visible to the group's owner and admins.
- In response to valid legal process, to protect our rights, to protect the safety of others, or where required by law.
- In a business transfer. If Hartkraft, Inc. is ever sold, merged, or reorganized, data may transfer with the business. We'll notify you if this materially affects how your data is used.
3a. Marketing Communications
We send two categories of email:
- Transactional: directly tied to your account or its activity. This includes signup confirmation, magic-link sign-ins, billing receipts, group-membership confirmations, delivery failure notices, security notices, plan changes that affect your current plan, and Terms of Service updates that affect your existing rights. These emails are necessary to operate the service and are not optional while you have an active account.
- Marketing: product updates, new feature announcements, promotional offers, and pitches for plans you are not currently on. We send these only if you explicitly opt in.
Marketing emails are opt-in only. The signup form includes an optional checkbox (separate from the Terms of Service acceptance) for marketing consent. You can change your preference at any time on your account settings page. Opting out of marketing email never affects transactional email or service operation.
Every marketing email includes a one-click unsubscribe link (RFC 8058) that immediately removes you from future marketing email. Transactional email continues regardless.
We do not share email addresses with third-party marketers, sell our subscriber list, or use third-party email-list management services (Mailchimp, Klaviyo, or similar). All marketing email is sent through the same AWS SES infrastructure that powers the rest of the service.
When you unsubscribe from a specific campaign, we record which campaign triggered the unsubscribe. We use that information only for our own message-quality analysis (for example, identifying campaigns that generate high unsubscribe rates). We do not use it for retargeting and we do not share it with anyone.
Marketing-consent state and any unsubscribe attribution data are retained for the life of your account plus the applicable post-deletion window described in Section 5 of this policy (7 years if you were ever a paying subscriber, 2 years if trial-only).
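The one-click unsubscribe mechanism referenced above (RFC 8058) and the per-campaign attribution that follows it are easier to see in code. The following is an added example, not mailall.us code: the endpoint path, the query-parameter names, the signing key, and the in-memory preference store are all constructed for illustration. It shows both sides of the exchange, the headers placed on an outgoing marketing message and the handler that accepts the mailbox provider's automated POST. The practitioner's point is that the link in the header must be unforgeable: providers POST to it with no human in the loop, so a guessable URL would let a third party unsubscribe members they do not control. An HMAC over recipient and campaign, checked in constant time, closes that, and a GET never changes state because link scanners and previews fetch URLs without any user intent.

```python
"""RFC 8058 one-click unsubscribe: outgoing headers and receiving handler.

Added example, not mailall.us code. UNSUB_KEY, BASE_URL, the query
parameter names (a, c, s) and the in-memory store are constructed.
"""
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

UNSUB_KEY = b"constructed-example-key-load-from-a-secrets-manager"  # constructed
BASE_URL = "https://mailall.us/unsubscribe"  # hypothetical path
FORM_CT = "application/x-www-form-urlencoded"


def sign(address: str, campaign: str, key: bytes = UNSUB_KEY) -> str:
    """HMAC-SHA256 over recipient and campaign.

    Binding both values means neither can be swapped in the URL: a valid
    link for one member cannot be edited into a link for another, and the
    campaign used for attribution cannot be altered by the requester.
    """
    msg = f"{address.lower()}|{campaign}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unsubscribe_url(address: str, campaign: str, key: bytes = UNSUB_KEY) -> str:
    """Build the HTTPS URI carried in List-Unsubscribe."""
    q = urlencode({"a": address, "c": campaign, "s": sign(address, campaign, key)})
    return f"{BASE_URL}?{q}"


def build_marketing_email(address: str, campaign: str) -> EmailMessage:
    """Attach the two headers RFC 8058 requires for one-click unsubscribe.

    List-Unsubscribe carries an HTTPS URI; List-Unsubscribe-Post with the
    fixed value tells the mailbox provider it may POST straight to that URI
    instead of sending the user to a page.
    """
    msg = EmailMessage()
    msg["From"] = "news@mailall.us"
    msg["To"] = address
    msg["Subject"] = f"[{campaign}] constructed sample campaign"
    msg["List-Unsubscribe"] = f"<{unsubscribe_url(address, campaign)}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content("Constructed body for the example.")
    return msg


def handle_unsubscribe(method: str, url: str, content_type: str, body: str,
                       store: dict, key: bytes = UNSUB_KEY) -> int:
    """Return the HTTP status for one request to the unsubscribe URI.

    The provider sends POST with body 'List-Unsubscribe=One-Click'. Any
    other method (link previews, security scanners) must not change state.
    RFC 8058 also allows multipart/form-data; this example accepts only the
    urlencoded form to stay short.
    """
    if method != "POST":
        return 405
    if content_type.split(";")[0].strip() != FORM_CT:
        return 415
    form = parse_qs(body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400
    q = parse_qs(urlparse(url).query)
    try:
        address, campaign, sig = q["a"][0], q["c"][0], q["s"][0]
    except (KeyError, IndexError):
        return 400
    # compare_digest keeps the check constant-time so the signature cannot
    # be recovered byte by byte from response timing.
    if not hmac.compare_digest(sig, sign(address, campaign, key)):
        return 403
    rec = store.get(address.lower())
    if rec is not None:
        rec["marketing_opt_in"] = False
        # Attribution is kept only to spot campaigns with high unsubscribe rates.
        rec["unsubscribed_from"] = campaign
    return 200  # idempotent: repeating the POST is harmless
```

Transactional mail is unaffected because the handler only flips the marketing flag; nothing here touches delivery of account or group notices.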
4. Message Content
During normal operation, messages are received, forwarded to group members in real time, and discarded from memory. No message content is written to persistent storage as part of delivery.
Each group has a configurable delivery mode that controls what happens on delivery failure:
- Reliable mode (default): if delivery to a member fails, the system retries. If retries are exhausted, the original message may be held in an encrypted retry queue for up to 24 hours before automatic deletion. This maximizes the chance every member receives the message.
- Private mode: each message is delivered once with no retries. Message content is never written to any queue or persistent storage at the application layer. If delivery fails, the message is permanently lost. Only delivery metadata (sender address, subject line, timestamp) is recorded as a failure notice.
If the application itself is unreachable (for example, a regional cloud-provider outage), incoming messages may sit briefly in our upstream queues before being delivered or expired. The queues we operate are encrypted at rest and purge undelivered messages within 24 hours. The mail transport that hands messages to those queues is operated by AWS; its retry and storage behavior during a prolonged outage is governed by AWS's own policies, which we do not control.
5. How Long We Keep Data
| Data | Retention |
|---|---|
| Account data | Until you delete your account. Deletion is a soft-delete; permanent removal happens 60 days later. A minimal audit record is retained beyond that window (see "Account audit record" below). |
| Group and membership data | Until the group is deleted. Soft-deleted groups are hard-deleted after 14 days. |
| Message delivery metadata (sender, subject, timestamp, status) | 30 days. |
| Message content in retry queue (Reliable mode only) | Up to 24 hours, encrypted, then permanently deleted. |
| IP addresses and request logs | 30 days. |
| Account audit record (Stripe customer ID and Terms acceptance evidence: timestamp, version, IP) | 7 years after account deletion if you were ever a paying subscriber; 2 years after account deletion if your account was trial-only and never converted to a paid plan. We keep this minimal record only to honor tax, audit, and contract-enforceability obligations. After this window the record is automatically deleted. Stripe holds its own copy of invoice and payment history under its retention policy; that is separate from our retention. |
| Arbitration opt-out record (if you exercise your Terms §14 opt-out right) | Same window as the account audit record above: 7 years if you were ever a paying subscriber, 2 years otherwise. The record includes the timestamp, the channel (automated email or admin-recorded), the first 8 KiB of your opt-out email (if sent automatically), and the SPF/DKIM authentication results we observed at the time. An administrator may later reverse or reaffirm this status; every change is stored additively, so prior records are never removed, only supplemented. |
Backups may retain data briefly past these windows as they rotate. We don't restore from backups to re-populate data that has been deleted.
6. Security
We use reasonable security measures appropriate to the nature of the data, including TLS 1.2+ in transit, AES-256 at rest, per-function least-privilege IAM policies, and two-factor authentication for administrative access. No system is perfectly secure. If we discover a security breach that affects your personal information, we will notify you without undue delay and in accordance with applicable law.
7. Your Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data, subject to the retention requirements above.
- Export your data in a portable format.
- Object to, or restrict, our processing of your data in certain cases.
- Withdraw consent where our processing is based on your consent.
You can exercise most of these from inside the app (delete your account, leave a group, change your email). For anything else, email privacy@mailall.us. We won't retaliate against you for exercising your rights.
If you're in the European Economic Area or UK
You have the right to lodge a complaint with the data protection authority in your country (for example, the ICO in the UK, the CNIL in France, the Datenschutzbehörde in Austria). Section 2 lists our legal basis for each processing activity.
Our service is hosted in the United States. When your data is transferred to the US, we rely on the EU-US Data Privacy Framework (where applicable) and the European Commission's standard contractual clauses with our service providers as the appropriate safeguards.
If you're a California resident
Under the California Consumer Privacy Act and the California Privacy Rights Act, you have the right to know what personal information we collect about you, to delete it, to correct inaccuracies, to limit our use of sensitive personal information (we don't use any sensitive PI for purposes that require a limit), and to opt out of "sale" or "sharing" of your personal information. We do not sell or share your personal information. We will not discriminate against you for exercising these rights.
If you were added to a group but don't have a mailall.us account
You're still covered by this policy. What we process about you is your email address, your group membership status, delivery events for messages sent to you, and (briefly, during delivery) the content of messages being forwarded. You can leave any group at any time by using the unsubscribe link on any forwarded message, by emailing the group's leave address (e.g. team+leave@mailall.us), or by emailing privacy@mailall.us. Your rights under this Section 7 apply to you the same way they apply to account holders.
8. Children
mailall.us is not intended for children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, email privacy@mailall.us and we will delete it.
9. Cookies and Similar Technologies
We use a small number of strictly-necessary cookies:
- Session cookie: a signed token stored in an HttpOnly cookie after you sign in. Without it, the service can't recognize you. It expires when your session ends.
- Turnstile cookies: set by Cloudflare's bot-protection widget on the signup and login pages. Governed by Cloudflare's privacy policy.
We do not use advertising, analytics, or cross-site tracking cookies.
10. "Do Not Track"
Because we don't track users across sites and don't sell or share personal information, "Do Not Track" browser signals have no effect on what we do. We behave the same way regardless.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be announced by email to your registered address at least 30 days before they take effect. Non-material changes take effect on posting, with an updated effective date.
12. Contact
Questions about this policy, or to exercise your rights: privacy@mailall.us.