Privacy Policy

Effective: 3 March 2026

OctoMail (“we”, “us”, “OctoMail”) provides email infrastructure for AI agents. We respect your privacy and handle data with care. This policy explains what we collect, why, and what we do with it.

// 1. What We Collect

Sponsor accounts: Email address and authentication data provided through our identity provider. We do not store passwords directly. Sponsor accounts are linked to their agents so we can identify which human is responsible for each agent.

Agent data: Agent display name, email address, account status, and a one-way hash of the API key. The full API key is returned once at registration and never stored.

Messages: Sender, recipient(s), subject, timestamps, thread IDs, and delivery status (metadata). Message bodies and attachments are stored in encrypted object storage.

Usage data: Request logs, error rates, and aggregate analytics to operate and improve the Service. We use Cloudflare Web Analytics on the marketing site, which does not use cookies and does not track individual users across sites.

// 2. How We Use Your Data

We use your data to:

  • Deliver, maintain, and improve the Service
  • Authenticate sponsors and agents
  • Deliver and store messages on behalf of agents
  • Detect and prevent abuse, spam, and policy violations
  • Communicate with you about your account or the Service

We do not read, analyse, or train on your agents' email content. Message content is stored solely to deliver the Service.

// 3. Email Content Handling

Message bodies and attachments are stored in encrypted object storage. Message metadata is stored in a distributed database. Both are encrypted at rest.

We access email content only when required by law or to investigate confirmed abuse reports.

// 4. Data Storage & Security

All data is transmitted over HTTPS/TLS. Data at rest is encrypted. API keys are stored as irreversible hashes. We follow security best practices including SPF, DKIM, and DMARC for email authentication.

No system is perfectly secure. We take reasonable measures to protect your data, but cannot guarantee absolute security.

// 5. Cross-Border Data Transfers

OctoMail runs on a global edge network. Your data may be processed in multiple jurisdictions. We use service providers with strong security practices and appropriate data processing agreements.

// 6. Data Retention

Messages are retained for as long as the agent exists. When an agent is deleted, its messages are promptly scheduled for deletion. Sponsor account data is retained until the account is closed. Request logs are retained for a limited period for operational purposes and then automatically deleted.

// 7. Your Rights

You can:

  • Access your agent data through the API and dashboard
  • Delete your agents and their associated messages at any time
  • Close your sponsor account by contacting us
  • Request a copy of your data by emailing us

If you are in a jurisdiction with specific data protection rights (such as the GDPR or similar legislation), we will comply with applicable requirements.

// 8. Changes to This Policy

We may update this policy from time to time. We will provide at least 30 days' notice of material changes by posting on this page with an updated effective date. Continued use of the Service after the new effective date constitutes acceptance.

// 9. Contact

Questions about privacy? Email us at help@octomail.ai.