Legal

Privacy Policy

This policy explains what data sendvia collects from you, why, and how we handle it.

Last updated: 20 April 2026

01What we collect

We keep the minimum necessary to run the service, nothing more. Specifically:

Account info — your email address and a bcrypt-hashed password. We never store plaintext passwords.
AWS credentials — the AWS Access Key ID and Secret Access Key you provide when adding a sending domain. These are used only to make API calls to Amazon SES and SNS on your behalf. You can revoke them at any time in your AWS Console.
Domain records — the sending domains you register, their DKIM tokens, SES configuration set names, SNS topic ARNs, and live DKIM/SPF/DMARC/BIMI lookup results.
Email logs — for each email sent through the API we record: the sender address, recipient address, subject line, optional tag, send timestamp, delivery status (queued / sent / delivered / bounced / complained / failed), and any error messages returned by SES. For premium accounts we also store the HTML and plain-text body to enable email preview, the open timestamp, a truncated sender IP address (first two octets only, e.g. 1.2.*.*), and an ISO 3166-1 alpha-2 country code resolved from that IP at the time of the open tracking pixel hit. Email logs are retained for 90 days and then permanently deleted.
Mailing list subscribers — email addresses and optional names imported into your mailing lists. Stored only for the purpose of sending newsletters you create.
Payment records — plan tier, amount, currency and reference number for any payments recorded against your account. We do not store full card numbers or payment instrument details.
Server logs — IP address, user-agent and timestamps of requests to the dashboard and API. Retained for 30 days for abuse prevention.
Cookies — a single, first-party session cookie used to keep you signed in. No analytics or third-party tracking cookies.

02How we use your data

Sending mail — your AWS credentials sign API calls to SES on your behalf. Credentials never leave our backend and are never shared.
Delivery event processing — Amazon SNS sends delivery, bounce and complaint notifications to our webhook. We process these to update the status in your email log and to automatically add hard-bounce and complaint addresses to your blocklist.
Open tracking — a 1×1 transparent pixel is injected into outbound HTML emails. When the pixel is loaded we record the timestamp, a truncated IP address and a country code. This feature is premium-only. You may omit the pixel by sending plain-text-only emails.
Operational emails — service notifications, billing receipts and security alerts. These are transactional and can't be opted out of while your account is active.
Fraud and abuse detection — we may inspect sending patterns to enforce our Acceptable Use policy.
Billing — payment records are stored to maintain a history of your subscription.

03Third-party services

sendvia relies on the following providers:

Amazon Web Services — primary hosting and mail dispatch via SES. You also integrate with your own AWS account for sending.
Amazon Simple Notification Service (SNS) — SES publishes delivery, bounce and complaint events to an SNS topic we create in your AWS account. Our webhook receives these notifications to update your send logs and blocklist.
Cloudflare — DNS, CDN and DDoS protection for our marketing site and dashboard.

Note. Because your AWS account is yours, mail leaving SES is subject to AWS's privacy terms — not ours. See the AWS Privacy Notice.

We do not sell, rent, or share your data with advertisers.

04Data retention

Email logs — automatically deleted after 90 days.
Sessions — purged after 30 days of inactivity.
Server logs — 30 days.
Account data — retained until you delete your account. On deletion, your profile, domains, email logs, mailing lists and blocklist are permanently removed within 30 days.
Backups are encrypted and retained for a short period beyond these windows before being overwritten.

05Security

Passwords are hashed with bcrypt and never stored in plaintext.
All web traffic is served over HTTPS.
API keys are prefixed sv_live_ and randomly generated per account.
All forms are protected with CSRF tokens.
Optional two-factor authentication (TOTP) is available and strongly recommended.
AWS Secret Access Keys are stored in our database. We recommend creating a dedicated IAM user with the minimum required permissions (AmazonSESFullAccess and AmazonSNSFullAccess) and not reusing credentials from other services.

06Your rights

Under GDPR, CCPA and similar laws, you may:

Access: Request a copy of the personal data we hold about you.
Correction: Correct inaccurate account info.
Deletion: Delete your account and all associated data at any time.
Portability: Export your email logs and mailing list subscribers as CSV from the dashboard.

If you are an EU resident and believe we've mishandled your data, you have the right to complain to your local supervisory authority. To make any of these requests, email [email protected].

07Cookies

A single, first-party session cookie is set when you log in. It's HttpOnly, Secure, and SameSite=Lax. We use no analytics or tracking cookies.

08Changes to this policy

We may update this policy from time to time. Material changes will be notified by email at least 30 days in advance. Non-material edits (typo fixes, reordering) may be made without notice; the "last updated" date at the top of this page will always reflect the most recent version.

09Contact

Privacy questions go to [email protected]. We typically respond within two business days.