Privacy Policy

1. What we collect

When you create an account and use sendvia, we collect and store the following:

• Account information — your email address and a bcrypt-hashed password. We never store your password in plaintext.
• AWS credentials — the AWS Access Key ID and Secret Access Key you provide when adding a sending domain. These are stored in our database and used solely to make API calls to Amazon SES and SNS on your behalf.
• Domain records — the sending domains you register, their DKIM tokens, SES configuration set names, and SNS topic ARNs.
• Email logs — for each email sent through the API we record: the sender address, recipient address, subject line, optional tag, send timestamp, delivery status (queued / sent / delivered / bounced / complained / failed), and any error messages returned by SES. For premium accounts we also store the HTML and plain-text body to enable email preview, the open timestamp, a truncated sender IP address (first two octets only, e.g. 1.2.*.*), and an ISO 3166-1 alpha-2 country code resolved from that IP at the time of the open tracking pixel hit. Email logs are retained for 90 days and then permanently deleted.
• Mailing list subscribers — email addresses and optional names imported into your mailing lists. These are stored only for the purpose of sending newsletters you create.
• Payment records — plan tier, amount, currency, and reference number for any payments recorded against your account. We do not store full card numbers or payment instrument details.
• Session data — a server-side session record used to keep you signed in. Sessions inactive for 30 days are automatically purged.
• Two-factor authentication secret — if you enable 2FA, we store a TOTP secret used to verify one-time codes.

2. How we use your data

• Delivering email — your email content (from/to/subject/HTML/text) is transmitted to Amazon Simple Email Service (SES) using your own AWS credentials. We do not use a shared sending pool; email is sent from your own SES identity.
• Delivery event processing — Amazon SNS sends delivery, bounce, and complaint notifications to our webhook endpoint. We process these to update the status in your email log and to automatically add hard-bounce and complaint addresses to your blocklist.
• Open tracking — a 1×1 transparent pixel is injected into outbound HTML emails. When the pixel is loaded we record the timestamp, a truncated IP address, and a country code. This feature is available on premium plans only. You may omit the pixel by sending plain-text-only emails.
• Account administration — we use your email address to identify your account. We may send transactional notices (e.g. plan expiry) and occasional newsletters about new features or important changes to the service.
• Billing — payment records are stored to maintain a history of your subscription.

3. Third-party services

sendvia relies on Amazon Web Services to deliver email:

• Amazon Simple Email Service (SES) — email content (including headers, subject, and body) is transmitted to SES in the AWS region you choose when adding a domain. SES processes and delivers the email on your behalf.
• Amazon Simple Notification Service (SNS) — SES publishes delivery, bounce, and complaint events to an SNS topic we create in your AWS account. Our webhook receives these notifications to update your send logs and blocklist.

Because you supply your own AWS credentials, the SES and SNS resources are created in your AWS account. AWS's own privacy and data processing terms apply to data held within those services. See the AWS Privacy Notice.

We do not sell, rent, or share your data with any other third parties.

4. Data retention

• Email logs — automatically deleted after 90 days.
• Sessions — purged after 30 days of inactivity.
• Account data — retained until you delete your account. On deletion, your profile, domains, email logs, mailing lists, and blocklist are permanently removed.
• Backups — database backups may retain data for a short period beyond these windows before being overwritten.

5. Security

• Passwords are hashed with bcrypt and never stored in plaintext.
• All web traffic is served over HTTPS.
• API keys are prefixed sv_live_ and are randomly generated per account.
• All forms are protected with CSRF tokens.
• Optional two-factor authentication (TOTP) is available for your account.
• AWS Secret Access Keys are stored in our database. We recommend creating a dedicated IAM user with the minimum required permissions (AmazonSESFullAccess and AmazonSNSFullAccess) and not reusing credentials from other services.

6. Your rights

You may request any of the following at any time by contacting us at [email protected]:

• Access — a copy of the personal data we hold about you.
• Correction — correction of inaccurate information.
• Deletion — deletion of your account and all associated data. You may also delete your account directly from within the dashboard.
• Portability — export of your mailing list subscribers and email log data in CSV format.

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority.

7. Cookies

sendvia uses a single session cookie to keep you signed in. No third-party tracking cookies or advertising cookies are used.

8. Changes to this policy

We may update this policy from time to time. If we make material changes we will update the effective date at the top of this page. Continued use of the service after any change constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions or requests, contact us at [email protected].

sendvia.io
167-169 Great Portland Street, 5th Floor, London