Privacy Policy
Last updated: 2026-06-13
This Privacy Policy explains how Mailmundo LLC ("Mailmundo," "we," "us," or "our"), a limited liability company organized in the United States, collects, uses, discloses, and protects personal information in connection with our email-marketing platform and related websites, applications, and services (collectively, the "Service"). It applies to information we process as a business/controller about our account holders, website visitors, and prospective customers, and—separately—describes how we handle the contact data our customers upload and send through the Service, which we process as a service provider/processor on their behalf (see our Data Processing Addendum). This page is provided for general informational purposes only and is not legal advice; it does not create an attorney-client relationship, and you should consult your own counsel regarding your specific obligations. By using the Service, you acknowledge the practices described here.
1. Who We Are and Scope
Mailmundo LLC is a United States limited liability company operating on U.S. soil, billing in U.S. Dollars, and providing email-marketing infrastructure to service businesses. We act as the data controller (and, where applicable, the "business" under U.S. state law) for information we collect about our own customers, leads, and site visitors. When our customers use the Service to send campaigns to their own audiences, those customers are the controllers of the recipient data they import, and Mailmundo acts solely as their processor/service provider, processing such data only on documented instructions as set out in our Data Processing Addendum (DPA), which is incorporated by reference. This Policy covers the former relationship; the DPA governs the latter.
2. Personal Information We Collect
Account and identity data: name, business name, email address, phone number, username, and authentication credentials (passwords are stored only as salted hashes; API keys are stored hashed). Billing data: billing contact, address, and payment-card or bank metadata, which is collected and processed by our payment processor, Stripe; we do not store full card numbers. Usage and technical data: IP address, device and browser identifiers, log data, pages viewed, feature interactions, campaign-performance metadata (sends, opens, clicks, bounces, complaints, unsubscribes), and audit-log records of security-relevant actions. Communications data: support tickets, emails, and survey responses. Contact-list data: the recipient records our customers upload (email addresses, names, custom fields, engagement events) are processed by us only on behalf of the customer and are governed by the DPA. We may also receive data from third-party integrations, analytics providers, and publicly available sources.
3. How We Use Personal Information
We use personal information to: (a) provide, operate, secure, and maintain the Service; (b) create and administer accounts, authenticate users, and store hashed credentials and API keys; (c) process payments in USD and manage billing, invoicing, taxes, and collections through Stripe; (d) deliver email, maintain suppression and one-click-unsubscribe mechanics, manage deliverability through AWS SES, and combat spam and abuse; (e) monitor, log, and audit activity for fraud prevention, security, and compliance, including maintaining our audit log; (f) provide customer support and respond to inquiries; (g) analyze and improve the Service and develop new features; (h) send transactional, administrative, and—where permitted—marketing communications, from which you may opt out; and (i) comply with legal obligations and enforce our agreements. We do not sell personal information for money, and we do not engage in cross-context behavioral advertising that would constitute a "sale" or "share" under applicable U.S. state law; if this ever changes, we will update this Policy and provide the required opt-out.
4. Legal Bases for Processing
Where the EU/UK GDPR or similar laws apply to our processing of your personal information as a controller, we rely on the following legal bases: performance of a contract (to provide the Service you request and administer your account and billing); legitimate interests (to secure the Service, prevent fraud and abuse, maintain audit logs, analyze and improve our offerings, and conduct direct marketing to business contacts, balanced against your rights); consent (where required, such as certain cookies or optional marketing, which you may withdraw at any time); and compliance with legal obligations (tax, accounting, and lawful requests). Where we act as a processor on behalf of a customer, the customer is responsible for establishing the lawful basis for its processing of recipient data.
5. Your U.S. State Privacy Rights (California and Other States)
Depending on your state of residence, you may have rights under comprehensive state privacy laws, including the California Consumer Privacy Act as amended by the CPRA, and the consumer privacy laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states including Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, and Tennessee, as each becomes effective. Subject to verification and statutory exceptions, these rights may include: the right to know/access the categories and specific pieces of personal information we have collected; the right to delete; the right to correct inaccurate information; the right to data portability; the right to opt out of any "sale" or "sharing" of personal information and of "targeted advertising" and certain "profiling"; the right to limit use of sensitive personal information; and the right to non-discrimination for exercising your rights. California residents are also entitled to the "Shine the Light" disclosure regarding sharing for third-party direct marketing. We honor recognized opt-out preference signals (such as Global Privacy Control) where required.
6. How to Exercise Your Rights
To submit a request, contact us at the email address in the "Contact" section below and identify the right you wish to exercise. We will verify your identity using information associated with your account before fulfilling a request and will respond within the timeframes required by applicable law (generally 45 days under most U.S. state laws, extendable as permitted). You may use an authorized agent where the law allows. If we deny a request, you may appeal by replying to our decision; where a state law provides an appeal mechanism, we will inform you of the outcome and, if denied, of your right to contact your state attorney general. We do not charge a fee for most requests unless they are excessive, repetitive, or manifestly unfounded. If you are an end recipient of a customer's campaign, please direct access/deletion requests to that customer (the controller); we will assist them as their processor.
7. International Visitors—GDPR and LGPD
Mailmundo is based in the United States, and your personal information will be processed in the United States and other jurisdictions that may not provide the same level of data protection as your home country. Where the EU/UK GDPR applies to us as a controller, you have rights to access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with a supervisory authority; where we rely on consent, you may withdraw it at any time. Where Brazil's LGPD applies, you have analogous rights to confirmation, access, correction, anonymization, portability, deletion, and information about sharing, and may contact the ANPD. For transfers of personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) where required. International customers are responsible for ensuring they have a lawful basis and any necessary transfer mechanism for recipient data they route through the Service.
8. How We Share Information and Sub-Processors
We share personal information with: (a) service providers and sub-processors that perform functions on our behalf under contractual confidentiality and security obligations, including Amazon Web Services (hosting and AWS SES email delivery), Supabase/PostgreSQL (database hosting with row-level security), and Stripe (payment processing); (b) professional advisors (legal, accounting, audit); (c) authorities and third parties where required by law, to respond to lawful requests, or to protect rights, safety, and the integrity of the Service; and (d) acquirers or successors in connection with a merger, financing, reorganization, or sale of assets, subject to this Policy. We maintain a list of sub-processors used to process customer data and will provide notice of material changes as described in the DPA. We do not sell personal information for monetary consideration.
9. Data Retention
We retain personal information for as long as your account is active and as needed to provide the Service, and thereafter only as necessary to comply with legal, tax, accounting, and audit obligations, resolve disputes, prevent fraud and abuse, enforce our agreements, and maintain the integrity of our audit and suppression records. Suppression-list and unsubscribe data are retained as long as necessary to honor opt-outs and demonstrate anti-spam compliance. Hashed credentials and API keys are deleted or rotated in accordance with security practices. Recipient data processed on a customer's behalf is retained and deleted in accordance with the customer's instructions and the DPA. When information is no longer required, we delete, anonymize, or aggregate it.
10. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, database row-level security (RLS) on our PostgreSQL/Supabase backend, storage of passwords and API keys as one-way hashes, access controls and least-privilege principles, audit logging of security-relevant events, and reputable infrastructure providers (AWS, Supabase, Stripe). Mailmundo is not currently SOC 2 certified; achieving SOC 2 is on our roadmap, and we do not claim any certification we have not obtained. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; you are responsible for safeguarding your credentials and API keys and for promptly notifying us of any suspected compromise.
11. Cookies and Tracking Technologies
We and our providers use cookies, local storage, pixels, and similar technologies to operate the Service, authenticate sessions, remember preferences, measure performance, and understand usage. Strictly necessary technologies are required for the Service to function; analytics and preference technologies may be controlled through your browser settings or any cookie banner we present. Where required by law, we obtain consent for non-essential cookies and honor recognized opt-out preference signals such as Global Privacy Control. Within email campaigns, open- and click-tracking pixels and links may be used; recipients can typically disable image loading in their email client. Disabling certain technologies may limit functionality.
12. Children's Privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from individuals under 16 (or the minimum age in their jurisdiction). If you believe a child has provided us personal information, contact us and we will delete it. Customers must not use the Service to send marketing to individuals from whom such marketing is prohibited by law, including children where consent or other requirements apply.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Service. We will post the revised version with an updated effective date and, where required by law or where changes are material, provide additional notice. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For privacy questions, requests, or complaints, contact Mailmundo LLC at privacy@mailmundo.com (or the contact address published on our website). Please include enough detail for us to verify your identity and respond. If you have an unresolved concern, you may also contact your state attorney general or, for international users, your local supervisory or data protection authority.