Privacy Policy

Introduction

At Mailfra ("we", "our", or "us"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cold email platform and related services (collectively, the "Services").

By using Mailfra, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services. This policy applies to all users of our Services, including visitors, registered users, and subscribers.

We operate in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations. This Privacy Policy should be read in conjunction with our Terms of Service.

Information We Collect

We collect several types of information to provide and improve our Services. The information we collect falls into the following categories:

Personal Information

Information that identifies you as an individual or relates to an identifiable individual:

• Full name and email address
• Company name, job title, and business information
• Billing information including credit card details and billing address
• Phone number and other contact details (optional)
• Profile information including profile picture and bio
• Account credentials including username and encrypted password
• Communication preferences and notification settings

Usage Data

Information automatically collected about how you interact with our Services:

• Email campaign performance metrics including send rates, delivery rates, and bounce rates
• Login and access times, session duration, and frequency of use
• Features used, actions taken within the platform, and user preferences
• Device information including type, operating system, and unique device identifiers
• Browser type, version, language settings, and time zone
• IP address, location data, and network information
• Referring and exit pages, clickstream data, and navigation paths
• Error logs, diagnostic data, and performance metrics

Email Data

Information related to your email campaigns and outreach activities:

• Email content, subject lines, and templates you create
• Recipient email addresses, names, and contact information
• Email engagement data including opens, clicks, replies, and bounces
• Email sending schedules, automation rules, and sequence configurations
• Custom fields, tags, and segments you create for organizing contacts
• Email metadata including timestamps, sender information, and delivery status

Third-Party Authentication Data

When you connect third-party services to Mailfra:

• OAuth tokens and refresh tokens for connected accounts
• Account identifiers from third-party services
• Permission scopes granted to our application
• Profile information shared by the third-party service

Payment Information

Financial information necessary to process your subscription:

• Credit card number, expiration date, and CVV (processed securely by our payment processor)
• Billing address and payment method details
• Transaction history and payment receipts
• Tax identification numbers if required by law

Communications

Information from your interactions with us:

• Customer support inquiries and correspondence
• Feedback, survey responses, and product reviews
• Marketing communications preferences
• Participation in contests, promotions, or events

Gmail API Data Usage and Disclosure

When you connect your Gmail account to Mailfra, we access specific data through the Google Gmail API to provide our email outreach automation services. This section explains in detail how we handle your Gmail data.

Gmail Data We Access

We request access to the following Gmail data through specific API scopes:

• Email Sending Capabilities (gmail.send scope): Allows us to send emails on your behalf as part of your outreach campaigns. This is the core functionality that enables automated email sequences.
• Email Composition and Drafts (gmail.compose scope): Enables us to create, edit, and manage email drafts in your account. This allows you to preview and modify emails before they are sent.
• Read Access to Emails (gmail.readonly scope): Provides read-only access to your emails, which we use exclusively to monitor replies from prospects and track email engagement metrics for your campaigns.
• Email Modification Capabilities (gmail.modify scope): Allows us to apply labels, organize campaign emails, and manage email metadata. This helps you track campaign performance and organize your inbox.

How We Use Gmail Data

We use your Gmail data solely and exclusively to provide our email outreach automation services. Specifically:

• Sending Campaign Emails: We send personalized outreach emails to prospects you have added to your campaigns. Each email is sent from your Gmail account using your authenticated credentials, maintaining your sender reputation and email deliverability.
• Reply Detection and Tracking: We monitor your inbox specifically for replies to campaign emails. When a prospect responds, we automatically detect the reply, notify you through our platform, update the campaign status, and pause any scheduled follow-up emails to that prospect.
• Email Organization: We apply custom labels to sent campaign emails to help you organize and track your outreach efforts. This includes labels for campaign names, prospect status, and email sequence steps.
• Draft Management: We create draft emails that you can review, edit, and approve before they are sent. This gives you full control over the content and timing of your outreach.
• Engagement Analytics: We track email opens, clicks, and other engagement metrics to provide you with performance insights and help optimize your campaigns.

Gmail Data Storage and Security

We take the security and privacy of your Gmail data seriously:

• No Email Content Storage: We do not store the full content of emails from your Gmail account on our servers. We only store minimal metadata necessary for campaign tracking, such as sender, recipient, subject line, and timestamps.
• Encrypted Token Storage: Your Gmail access tokens and refresh tokens are encrypted using AES-256 encryption and stored securely in our database. These tokens are never exposed to unauthorized parties.
• Secure Data Transmission: All communication between Mailfra and Gmail API uses industry-standard TLS/SSL encryption to protect your data in transit.
• No Password Storage: We never store your Gmail password. Authentication is handled entirely through Google's secure OAuth 2.0 protocol.
• Limited Access: Only authorized Mailfra systems and personnel with legitimate need have access to Gmail API credentials, and all access is logged and monitored.

Data Sharing and Third-Party Access

Your Gmail data is treated with the highest level of confidentiality:

• No Selling or Renting: We will never sell, rent, or trade your Gmail data to third parties under any circumstances.
• No Advertising Use: We do not use your Gmail data for advertising purposes, either on our platform or for third-party advertising networks.
• No Third-Party Applications: We do not allow third-party applications or services to access your Gmail data through our platform.
• Service Provider Access: The only exception is our infrastructure providers (e.g., cloud hosting, database services) who may have technical access to encrypted data as part of providing core infrastructure services. These providers are bound by strict confidentiality agreements and data protection obligations.

Data Retention for Gmail Data

We retain Gmail-related data according to the following policies:

• Active Account: Gmail access tokens are retained as long as your Mailfra account is active and you have not revoked Gmail access.
• Campaign Metadata: Email metadata (sender, recipient, subject, timestamps, engagement metrics) is retained for up to 24 months after campaign completion for analytics and reporting purposes.
• Upon Revocation: When you revoke Gmail access through Mailfra or Google Account settings, we immediately stop accessing your Gmail and delete all stored access tokens within 24 hours.
• Account Deletion: When you delete your Mailfra account, all Gmail-related data including access tokens and campaign metadata is permanently deleted within 30 days.

Your Control Over Gmail Data

You maintain complete control over your Gmail data at all times:

• Revoke Access Anytime: You can disconnect Gmail from Mailfra at any time through your account settings. Additionally, you can revoke access directly through your Google Account Permissions page.
• Review Connected Apps: You can view all apps with access to your Gmail at any time through your Google Account settings.
• Data Export: You can request an export of your campaign data, including metadata about emails sent through Mailfra, by contacting our support team.
• Data Deletion: You can request deletion of all your Gmail-related data by contacting privacy@mailfra.com. We will process your request within 30 days.

Human Access to Gmail Data

We strictly limit human access to your Gmail data. Mailfra employees will only access your Gmail data under the following specific circumstances:

• With Your Explicit Consent: When you specifically request support assistance that requires reviewing your email data.
• Security Purposes: To investigate potential security incidents, fraud, or abuse of our Services.
• Legal Compliance: When required by applicable law, legal process, or valid government requests.

All human access to user data is logged, monitored, and subject to strict internal access controls and approval processes.

Compliance with Google API Services User Data Policy

Mailfra's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only request the minimum Gmail API scopes necessary to provide our email automation services
• We do not use Gmail API data for serving advertisements to you or others
• We do not allow humans to read Gmail API data unless explicitly permitted for security, compliance, or with your consent
• We do not transfer Gmail API data to others unless necessary to provide our Services, for security purposes, or to comply with applicable law
• All Gmail API data access is logged and auditable

Security Measures for Gmail Data

We implement comprehensive security measures specifically for Gmail data protection:

• OAuth 2.0 Authentication: All Gmail API access uses industry-standard OAuth 2.0 protocol. We never request or store your Gmail password.
• Encrypted Token Storage: Access tokens and refresh tokens are encrypted using AES-256 encryption before storage in our database.
• TLS/SSL Encryption: All API communications with Gmail use TLS 1.3 encryption to protect data in transit.
• Regular Security Audits: We conduct regular security audits and vulnerability assessments of our Gmail API integration.
• Access Logging: All Gmail API requests are logged with timestamps, user IDs, and action types for security monitoring and audit purposes.
• Employee Training: All employees with access to systems handling Gmail data undergo mandatory security and privacy training.
• Least Privilege Access: Internal access to Gmail API credentials and user data is restricted to only those employees who require it for their job functions.

Data Breach Notification

In the unlikely event of a security breach affecting your Gmail data, we commit to:

• Immediate Action: Contain and remediate the breach as quickly as possible
• Timely Notification: Notify you within 72 hours of discovering the breach, or sooner if required by applicable law
• Google Notification: Notify Google as required by the Gmail API Terms of Service
• Detailed Information: Provide you with specific details about what data was affected, the nature of the breach, and steps we are taking to address it
• Assistance: Offer guidance and assistance in securing your Gmail account if necessary
• Regulatory Compliance: Notify relevant regulatory authorities as required by data protection laws

Questions About Gmail Data Usage

If you have any questions or concerns about how we handle your Gmail data, please contact us at privacy@mailfra.com. We are committed to transparency and will respond to your inquiries within 48 hours.

How We Use Your Information

We use the information we collect for various purposes related to providing, maintaining, and improving our Services. Below is a comprehensive explanation of how we use your data:

Service Provision and Operations

• Provide, operate, and maintain our email outreach automation platform
• Process and manage your email campaigns, sequences, and automation workflows
• Enable you to create, send, and track email communications
• Manage your account, profile, and preferences
• Authenticate your identity and maintain account security
• Provide customer support and respond to your inquiries

Billing and Transactions

• Process subscription payments and manage billing cycles
• Send transaction confirmations, invoices, and payment receipts
• Manage subscription upgrades, downgrades, and cancellations
• Detect and prevent fraudulent transactions
• Calculate and collect applicable taxes

Communication and Notifications

• Send you technical notices, system alerts, and security notifications
• Provide updates about new features, improvements, and service changes
• Send administrative messages related to your account
• Respond to your comments, questions, and customer service requests
• Send marketing communications about our Services (with your consent)
• Notify you about campaign performance and important events

Analytics and Improvement

• Monitor and analyze usage patterns, trends, and user behavior
• Measure the effectiveness of our Services and features
• Conduct research and development to improve our platform
• Develop new features, products, and services
• Optimize user experience and interface design
• Generate aggregate statistics and analytics reports

Personalization

• Customize your experience based on your preferences and usage
• Provide personalized recommendations and suggestions
• Remember your settings and preferences across sessions
• Tailor content and features to your specific needs

Security and Fraud Prevention

• Detect, prevent, and address technical issues and system errors
• Identify and prevent fraud, abuse, and unauthorized access
• Protect against security threats and vulnerabilities
• Monitor for suspicious activity and policy violations
• Enforce our Terms of Service and other policies
• Maintain the security and integrity of our Services

Legal Compliance

• Comply with applicable laws, regulations, and legal obligations
• Respond to legal requests and prevent illegal activities
• Enforce our legal rights and defend against legal claims
• Maintain records as required by law
• Cooperate with law enforcement and regulatory authorities

Business Operations

• Conduct business planning and forecasting
• Manage relationships with service providers and partners
• Facilitate mergers, acquisitions, or business transfers
• Maintain business records and documentation
• Perform accounting, auditing, and financial reporting

Data Sharing and Disclosure

We do not sell your personal information to third parties. We may share your information only in the specific circumstances described below, and we require all recipients to protect your data and comply with applicable privacy laws.

Service Providers and Business Partners

We share data with carefully selected third-party vendors who perform services on our behalf. These service providers are contractually obligated to protect your information and may only use it for the specific purposes we authorize:

• Payment Processors: To process subscription payments, manage billing, and detect fraud (e.g., Stripe, PayPal)
• Cloud Infrastructure: To host our platform and store data securely (e.g., AWS, Google Cloud)
• Analytics Services: To understand usage patterns and improve our Services (e.g., Google Analytics, Mixpanel)
• Email Delivery: To send transactional emails and notifications (e.g., SendGrid, Amazon SES)
• Customer Support: To provide technical support and respond to inquiries (e.g., Intercom, Zendesk)
• Security Services: To protect against fraud, abuse, and security threats
• Database Services: To store and manage data efficiently

Business Transfers

In connection with a corporate transaction, your information may be transferred:

• During negotiations of a merger, acquisition, or sale of company assets
• In the event of a bankruptcy or insolvency proceeding
• As part of a corporate reorganization or restructuring
• To a successor entity that assumes our obligations under this Privacy Policy

We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

Legal Requirements and Protection

We may disclose your information when we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, or legal processes
• Respond to valid legal requests from government authorities or law enforcement
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of Mailfra, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Investigate potential violations of our policies
• Defend against legal claims or litigation

With Your Consent

We may share your information with third parties when you explicitly consent or direct us to do so. For example:

• When you authorize integrations with third-party applications or services
• When you participate in promotional activities with partners
• When you request us to share information with specific third parties

Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This data may be used for:

• Industry research and analysis
• Marketing and promotional purposes
• Improving our Services and developing new features
• Creating benchmarks and industry reports

API and Integration Partners

When you connect third-party services (such as Gmail, CRM systems, or other tools) to Mailfra, you authorize us to share relevant data with those services to enable the integration functionality. These integrations are subject to both our Privacy Policy and the third party's privacy policy.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods are based on business needs and legal requirements.

Active Account Data

While your account remains active, we retain:

• Profile Information: Retained for the lifetime of your account
• Campaign Data: Retained for 24 months after last activity or campaign completion
• Email Metadata: Retained for 24 months to support analytics and reporting
• Usage Analytics: Retained for 18 months for platform improvement purposes
• Authentication Tokens: Retained until revoked or account deletion

Billing and Transaction Data

Financial and transaction records are retained to:

• Comply with tax laws and financial regulations (typically 7 years)
• Handle chargebacks, refunds, and billing disputes
• Maintain accurate financial records for accounting purposes
• Support audits and regulatory compliance

Inactive Accounts

If your account becomes inactive (no login for 24 consecutive months):

• We will send email notifications warning of potential account deletion
• After 90 days of continued inactivity following the final notice, we may delete your account
• Essential information may be retained for legal and security purposes

Account Deletion

When you delete your account:

• Immediate: Your account access is disabled and active campaigns are stopped
• Within 30 days: Personal information, campaign data, and email metadata are permanently deleted
• Exceptions: Some data may be retained longer if required by law, for fraud prevention, to resolve disputes, or to enforce our Terms of Service
• Backups: Data in backup systems may persist for up to 90 days before complete deletion

Legal and Regulatory Requirements

We may retain certain information longer than standard retention periods when:

• Required by applicable law or regulation
• Necessary to comply with legal obligations
• Needed to resolve disputes or enforce agreements
• Required for legitimate business purposes (fraud prevention, security)
• Subject to legal hold or ongoing litigation

Anonymized Data

We may convert personal data into anonymized, aggregated data that cannot be used to identify you. This anonymized data may be retained indefinitely for analytics, research, and product improvement purposes.

Your Privacy Rights

Depending on your location and applicable laws, you may have certain rights regarding your personal data. We are committed to facilitating the exercise of these rights in accordance with applicable privacy regulations.

Right to Access

You have the right to request access to the personal data we hold about you, including:

• Confirmation of whether we process your personal data
• Categories of personal data we collect and process
• Purposes for which we use your personal data
• Third parties with whom we share your data
• How long we retain your data
• A copy of your personal data in a structured format

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data:

• Update your account information directly through your account settings
• Request correction of data you cannot update yourself
• Add supplementary information to complete incomplete data

Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with a legal obligation

Please note that we may retain certain information when we have a legal obligation or legitimate interest to do so.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format:

• Export your campaign data, templates, and contact lists
• Receive data in CSV, JSON, or other standard formats
• Request that we transmit your data directly to another service provider where technically feasible

Right to Object

You have the right to object to:

• Processing of your personal data for direct marketing purposes (including profiling)
• Processing based on legitimate interests or performance of a task in the public interest
• Automated decision-making and profiling that produces legal or similarly significant effects

Right to Restriction of Processing

You have the right to request that we limit the processing of your personal data when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification of our legitimate grounds

Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal. You can withdraw consent through your account settings or by contacting us.

Right to Lodge a Complaint

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority in your jurisdiction. We would appreciate the opportunity to address your concerns first, so please contact us at privacy@mailfra.com.

How to Exercise Your Rights

To exercise any of these rights:

• Email us at privacy@mailfra.com with your request
• Use the data management tools in your account settings
• Contact our Data Protection Officer (if applicable)

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing certain requests. There is no fee for exercising your rights, unless your request is clearly unfounded, repetitive, or excessive.

Security Measures

We implement comprehensive technical, administrative, and physical security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. While no system is completely secure, we continuously work to maintain and improve our security practices.

Technical Security Measures

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security) protocol
• Encryption at Rest: Sensitive data stored in our databases is encrypted using AES-256 encryption
• Password Protection: User passwords are hashed using industry-standard bcrypt algorithm with appropriate salt rounds
• OAuth Token Security: Third-party authentication tokens are encrypted and stored securely with restricted access
• Secure APIs: All API endpoints are protected with authentication and authorization mechanisms
• Database Security: Databases are hosted in secure environments with network isolation and access controls
• Regular Security Updates: We promptly apply security patches and updates to all systems and dependencies

Administrative Security Measures

• Access Controls: Strict least-privilege access policies ensure employees only access data necessary for their roles
• Employee Training: All employees undergo mandatory security awareness and privacy training
• Background Checks: Employees with access to sensitive data undergo appropriate background screening
• Confidentiality Agreements: All employees and contractors sign confidentiality and data protection agreements
• Access Logging: All access to production systems and user data is logged and regularly audited
• Incident Response: We maintain a documented incident response plan for security breaches

Physical Security Measures

• Secure Data Centers: Our infrastructure is hosted in tier-3+ certified data centers with 24/7 monitoring
• Environmental Controls: Data centers maintain appropriate temperature, humidity, and fire suppression systems
• Access Control: Physical access to servers is restricted to authorized data center personnel
• Redundancy: Critical systems have redundant power supplies, network connections, and backup systems

Monitoring and Testing

• Security Audits: Regular third-party security audits and penetration testing
• Vulnerability Scanning: Automated vulnerability scans of our infrastructure and applications
• Security Monitoring: 24/7 monitoring for suspicious activities and security incidents
• Intrusion Detection: Automated systems detect and alert on potential security threats
• Code Reviews: All code changes undergo security-focused peer review before deployment

Account Security Features

We provide you with tools to protect your account:

• Strong password requirements with minimum complexity standards
• Two-factor authentication (2FA) option for enhanced account security
• Session management with automatic timeout after periods of inactivity
• Login notifications for new devices or suspicious activity
• Ability to review active sessions and revoke access from specific devices
• Security alerts for important account changes

Third-Party Security

We carefully vet all third-party service providers and require them to implement appropriate security measures. Our agreements with service providers include:

• Contractual obligations to protect your data
• Compliance with applicable data protection laws
• Regular security assessments and certifications
• Breach notification requirements
• Data processing agreements compliant with GDPR and other regulations

Security Best Practices for Users

We recommend you take these steps to protect your account:

• Use a strong, unique password for your Mailfra account
• Enable two-factor authentication (2FA)
• Never share your password with others
• Log out when using shared or public computers
• Keep your contact information up to date for security notifications
• Regularly review your account activity and connected integrations
• Report any suspicious activity or security concerns immediately

Security Incident Response

In the event of a data breach or security incident:

• We will investigate and contain the incident immediately
• Affected users will be notified within 72 hours (or as required by law)
• We will provide specific information about what data was affected
• We will offer guidance on steps you can take to protect yourself
• We will notify relevant regulatory authorities as required
• We will conduct a post-incident review and implement preventive measures

Limitations

While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data using industry-leading practices. You use our Services at your own risk, and we encourage you to take appropriate precautions to protect your own data.

Cookies and Tracking Technologies

We use cookies and similar technologies to track activity and remember your preferences:

• Essential cookies for platform functionality
• Analytics cookies to understand usage patterns
• Preference cookies to remember your settings
• Marketing cookies for campaigns and retargeting

You can control cookies through your browser settings. Disabling cookies may limit your ability to use certain features of our platform.

International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have different data protection laws than your home country. By using our Services, you consent to the transfer of your information to countries outside your country of residence.

We implement safeguards to ensure adequate data protection, including Standard Contractual Clauses and Privacy Shield frameworks where applicable.

Children's Privacy

Our Services are not intended for children under the age of 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete such information and terminate the child's account.

Parents or guardians who believe their child has provided information to us should contact us immediately at privacy@mailfra.com.

California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have additional rights under the CCPA:

Right to Know

You can request to know what personal information we collect, use, share, and sell.

Right to Delete

You can request deletion of personal information we have collected, subject to certain exceptions.

Right to Opt-Out

We do not sell personal information. You have the right to opt-out of any potential future sales.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@mailfra.com. We will verify your identity and respond within 45 days.

Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of our Services after such modifications constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us: