shipmail

Privacy Policy

Last updated: March 13, 2026

Summary

We collect the minimum data needed to run your email. We do not sell your data. We do not show you ads. We do not track you across the web.

What we collect

Account information

Name and email address when you sign up. We use magic links for authentication, so we do not store passwords.

Email data

The emails you send and receive through shipmail, including message content, attachments, headers, and metadata (sender, recipients, timestamps). This is the core of the service. You can enable encryption at rest with your own key, in which case stored email cannot be read by anyone without the corresponding private key, including us.

Domain and mailbox configuration

Domain names, DNS verification status, mailbox addresses, and display names you configure.

Billing

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers or bank details.

Audit and security logs

IP addresses and user agent strings for login sessions. Actions performed in the dashboard and API (who did what, when). These logs exist for security and debugging.

Analytics

We use DataFast on our marketing site. DataFast is privacy-focused, does not use cookies, does not collect personal data, and is compliant with GDPR, CCPA, and PECR without requiring a cookie banner.

Cookies

We use a single session cookie to keep you logged in. That is it. No tracking cookies, no third-party cookies, no advertising cookies.

How we use your data

  • Deliver and store your email.
  • Authenticate you and protect your account.
  • Process your subscription payments through Stripe.
  • Send you transactional emails (magic links, billing alerts, security notices).
  • Debug issues and investigate abuse.

We do not use your email content for advertising, profiling, or training machine learning models.

Who has access

Only the shipmail team has access to production systems. We access your data only when necessary to operate the service, debug issues you report, or respond to legal obligations. If you enable encryption at rest, stored email is unreadable without your private key. For full details on how we protect your email, see our security page.

Third-party services

We use a small number of infrastructure providers to run shipmail:

  • Stripe for payment processing.
  • AWS SES for outbound email relay.
  • Neon for database hosting (PostgreSQL).
  • Cloudflare for email blob storage (R2, encrypted at rest).
  • Vercel for application hosting.
  • DataFast for privacy-friendly website analytics.

Each provider processes data only as needed to deliver their service. We do not share your data with anyone else.

Data location

Our mail server and database are hosted in the United States. If you are in the EU or elsewhere, your data will be transferred to and stored in the US.

Data retention

We keep your data for as long as your account is active. When you delete your account, we delete your data within 30 days. Backups may retain data for up to 90 days after deletion. Audit logs are retained with personally identifiable fields removed.

Your rights

You can export your data, correct your information, or delete your account at any time from the dashboard. If you need help exercising any data rights, email us and we will handle it promptly.

Changes to this policy

We may update this policy. Material changes will be communicated by email at least 30 days before they take effect.

Contact

Questions about your privacy? Email us at support [at] shipmail.to.