Privacy Policy

We collect and process the following categories of personal data:

Each processing activity relies on one of the following bases:

• Contract performance (Art. 6(1)(b)) — operating your account, storing your projects, sending emails on your behalf, providing customer support. Without this we can't deliver the service you signed up for.
• Legal obligation (Art. 6(1)(c)) — retaining billing records for tax law, responding to lawful requests from authorities, maintaining records required by anti-money-laundering or consumer-protection rules.
• Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud and abuse prevention, service improvement, internal analytics. We weigh these interests against your rights and use the minimum data needed.
• Consent (Art. 6(1)(a)) — sending you optional marketing emails about new SmartMailing features. You can withdraw consent at any time by clicking unsubscribe in the relevant email.

We rely on the following third-party processors to deliver the service. Each one is bound by a Data Processing Agreement, and where any data is transferred outside the European Economic Area (EEA), the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures.

We update this list when we add or change processors. Material changes are communicated to platform users in advance where reasonable.

Where personal data is transferred outside the EEA — primarily to the United States via our sub-processors above — we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by technical and organizational measures (TLS in transit, encryption at rest, strict access controls). For more information about a specific transfer, contact [email protected].

We retain personal data only as long as needed for the purpose for which it was collected:

• Account data — for as long as your account is active. Deleted within 30 days of an account deletion request.
• Brand profiles, templates, projects — same as account data; deleted with the account.
• AI chat history — retained until you delete the project or your account.
• Subscriber data uploaded by our customers — retained until the customer deletes the subscriber or their account.
• Email delivery logs (sent, delivered, opened, clicked) — up to 13 months from the send date, then anonymized or deleted.
• Suppression list entries — retained indefinitely after creation, because retaining the address as "do not contact" protects the person who chose to unsubscribe.
• Consent records — retained for the lifetime of the subscriber plus 3 years thereafter, to evidence consent in case of regulatory inquiry.
• Billing and tax records — 7 years, as required by Austrian Bundesabgabenordnung (BAO) §132.
• Technical / security logs — up to 90 days, then deleted or aggregated.

Under the GDPR you have the following rights regarding your personal data. To exercise any of these, contact [email protected]. We respond within one month (extendable by two months for complex requests).

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your account and personal data. Some data may be retained for legal obligations (e.g. billing records).
• Restriction (Art. 18) — request that we pause processing of your data pending a dispute.
• Portability (Art. 20) — request your data in a structured, machine-readable format (JSON).
• Object (Art. 21) — object to processing based on legitimate interest, including profiling.
• Withdraw consent (Art. 7) — where processing is based on consent, withdraw it at any time. This does not affect prior lawful processing.
• Lodge a complaint (Art. 77) — file a complaint with a supervisory authority. The competent authority for SmartMailing is the Austrian Datenschutzbehörde (DSB) — dsb.gv.at, Barichgasse 40-42, 1030 Vienna, Austria. You can also file with the supervisory authority of your habitual residence.

SmartMailing uses AI services (currently OpenAI and Anthropic) to generate email copy from inputs you provide. This is content generation, not automated decision-making about you within the meaning of Article 22 GDPR — no significant legal or similar decisions are made automatically. You remain in control of any content before it is sent.

Inputs you submit to AI features are sent to the provider via API. The providers we use do not train their models on API-submitted data by default. We do not retain your inputs with the AI providers beyond what is needed to complete the request.

SmartMailing uses only essential cookies and browser-storage entries required to operate the service:

• Authentication session — set when you log in, used to keep you signed in. Required for the service to function.
• CSRF / security tokens — set to protect against cross-site request forgery.

We do not currently use third-party analytics, advertising cookies, or trackers that would require a consent banner under the ePrivacy Directive. If this changes, we will deploy a compliant cookie consent banner before any such cookies are set.

Emails sent through SmartMailing may include tracking pixels and rewritten links that allow our customers to measure open and click rates. This is configured by each customer and disclosed in their own privacy policy and email footers (every email contains a one-click unsubscribe link).

When you (the customer) upload subscriber data to SmartMailing — through the API, hosted subscribe forms, manual add, or CSV import — you are the data controller for those subscribers, and SmartMailing acts as your data processor.

We process subscriber data only on your documented instructions: storing it, segmenting it, sending the emails you compose, recording consent and delivery events. We do not use subscriber data for our own purposes, do not sell it, and do not contact subscribers ourselves (except for transactional emails you trigger, such as the double-opt-in confirmation).

The terms of this processor relationship are set out in our Data Processing Agreement, available at smartmailing.io/legal/dpa. By using the platform you accept the DPA. Subscribers who want to exercise their rights should contact you (the controller); we will assist you in responding.

We use industry-standard technical and organizational measures to protect personal data: TLS 1.2+ for all network traffic, encryption at rest for stored data, role-based access controls, row-level security in our database to enforce strict isolation between customers, signed and authenticated webhooks, regular security review of our code, and timely patching for known vulnerabilities in our dependencies.

In the event of a personal-data breach affecting your data, we will notify the relevant supervisory authority within 72 hours and inform affected users where required by Articles 33–34 GDPR.

SmartMailing is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us and we will delete it.

We may update this policy from time to time to reflect changes in processing, processors, or applicable law. Material changes will be communicated to platform users via email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

For any privacy-related question or to exercise any of the rights listed in Section 6, contact us at [email protected]. We aim to respond within five business days and within one month for formal data-protection requests.

If you are not satisfied with our response, you may lodge a complaint with your local data protection authority. The competent authority for SmartMailing is the Austrian Datenschutzbehörde (DSB) — dsb.gv.at.