Privacy policy

How the CamelMailer cloud service processes personal data (GDPR).

Template. This document ships with the open-source project as a starting point. Replace the bracketed placeholders and have your counsel review it before publishing it for a commercial offering.

1. Controller

[COMPANY LEGAL NAME], [ADDRESS] ("we"). Data protection contact: privacy@camelmailer.example. This policy covers the cloud service; if you self-host CamelMailer, you are the controller of your instance and this policy does not apply.

2. What we process

CategoryExamplesPurpose / legal basis
Account dataName, email, password hash, 2FA state, SSO subjectProviding the service (Art. 6(1)(b) GDPR)
Customer contentMessages you send/receive through your servers, templates, suppression listsProcessed on your behalf as processor (Art. 28; see DPA)
Usage & security dataAPI logs, auth audit events, IP addresses, user agentsSecurity, abuse prevention, billing (Art. 6(1)(f)/(b))
Billing dataCompany details, invoices, payment referencesContract & legal obligations (Art. 6(1)(b)/(c))

3. Where it lives

All production systems run on EU infrastructure operated by the providers listed on the sub-processors page. We do not transfer customer content outside the EU/EEA. Mail you send is, by nature, delivered to its recipients' providers worldwide.

4. Retention

  • Message content and events: [30/60/90] days by default, then deleted; configurable per server.
  • Auth audit events: [12] months.
  • Account and billing data: for the life of the contract plus statutory retention periods.

5. Your rights

Access, rectification, erasure, restriction, portability and objection under Art. 15–21 GDPR, plus complaint to a supervisory authority. Write to privacy@camelmailer.example.

6. Cookies

The dashboard uses no third-party trackers and no advertising cookies. Session state is a bearer token stored in your browser's local storage; this website sets no cookies at all.