Privacy Policy
Last updated: May 20, 2026
Information We Collect
When you create a QMailing account, we collect your name and email address (or OAuth profile information from Google, Microsoft, GitHub, or Telegram). We do not require a phone number.
When you use QMailing, we store the emails you send and receive, mailbox configurations, and usage data (storage used, mailbox count).
How We Use Your Information
We use your information to:
- Provide, maintain, and improve the QMailing service
- Send you transactional notifications (security alerts, billing receipts)
- Detect and prevent abuse, fraud, and security threats
- Comply with legal obligations
We do not read, scan, or analyze the content of your emails.
Data Storage and Security
Your data is stored on encrypted servers within the European Union. We use TLS encryption for all data in transit and AES-256 encryption for data at rest.
Third-Party Services
We rely on a small set of third-party providers to operate the service:
- A payment processor — handles subscriptions and invoices for paid plans
- Error tracking — to detect and fix issues quickly
Sub-processors
QMailing relies on a small set of trusted vendors to operate the service. Each is bound by a Data Processing Agreement (DPA) consistent with GDPR Article 28. The full list is below; we update this section before adding or removing a sub-processor.
| Provider | Service | Location | DPA |
|---|---|---|---|
| Amazon Web Services | Email send/receive (SES), object storage (S3), database (RDS PostgreSQL), compute (EC2, Lambda), rate-limit + abuse counters (DynamoDB). | EU (eu-north-1, Stockholm) | DPA |
| Paddle | Payment processing (merchant of record). Handles cards, invoices, tax, refunds. | EU / UK | DPA |
| Grafana Labs | Frontend telemetry (Grafana Faro): JavaScript errors, performance metrics. Stripped of email content. | EU | DPA |
| Cloudflare | Bot challenge (Turnstile) at sign-in. DDoS mitigation at the network edge. | Global (EU edge) | DPA |
| Google | OAuth sign-in only. We never read your Gmail, Drive, or Contacts. | Global | DPA |
| Microsoft | OAuth sign-in only. We never read your Outlook, OneDrive, or Calendar. | Global | DPA |
| GitHub | OAuth sign-in only. We never read your repositories or organisation data. | Global | DPA |
| Telegram | OAuth sign-in only. We never read your chats. | Global | DPA |
OAuth Sign-in
When you sign in with Google, Microsoft, GitHub, or Telegram, the provider returns a minimal profile to QMailing: your email address, display name, and (where available) avatar URL. We use these strictly to create your account on first sign-in and to log you back in on subsequent visits.
QMailing never reads or writes data in your Google/Microsoft/GitHub/Telegram account beyond the sign-in handshake itself. We do not request inbox, drive, calendar, repository, or contact scopes. We do not send you marketing email through these providers. We do not share OAuth-derived data with any third party.
API Access & MCP Integrations
QMailing issues OAuth-style Bearer tokens (qm_live_*) for programmatic access through the public REST API and the hosted MCP server at https://qmailing.com/mcp. Each token is scoped at issue (e.g. mailbox:read, email:send) and is bound to a single account.
When an AI agent connects with a token, QMailing logs request metadata — timestamp, tool name, HTTP status, response time — for 30 days for abuse detection and rate-limit accounting. Request payloads and tool results are NOT persisted to logs. Tokens are stored as bcrypt hashes server-side; the plaintext value is shown exactly once at issue.
You can revoke any token at Settings → Developers or, for OAuth-granted connections, at Settings → Connections. Revocation is honoured on the next request — not cached.
Cookies
We use essential cookies for authentication and session management. Analytics cookies are only set with your explicit consent. You can manage your cookie preferences at any time.
Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Export your data in a machine-readable format
- Request deletion of your account and all associated data
- Object to data processing
You can exercise these rights in Settings > Privacy, or by contacting privacy@qmailing.com.
International Data Transfers
QMailing is hosted in the European Union (AWS eu-north-1, Stockholm). Email delivery through Amazon SES traverses AWS edge infrastructure, which may include facilities outside the EEA depending on the recipient's mail server. AWS Standard Contractual Clauses (SCCs) approved by the European Commission apply to any transfer of personal data outside the EEA. We do not transfer data to jurisdictions without an adequacy decision or equivalent safeguards.
Data Retention & Deletion
We retain your data for as long as your account is active. When you delete your account, an individual mailbox, or an email, the data enters a 30-day soft-delete grace window — during this period you may restore it (accounts by signing back in and cancelling the deletion, mailboxes and emails from Trash). After 30 days, the data is permanently removed from our active systems.
We do not retain off-system backup copies beyond the soft-delete window — once the grace period elapses, recovery is no longer possible.
Data Breach Notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in line with GDPR Article 33. Where the breach is likely to result in a HIGH risk, we will notify affected users directly without undue delay, by email to your registered address.
Children's Privacy
QMailing is not directed to or intended for children. We do not knowingly collect personal data from anyone under 16 years of age in the European Economic Area, or under 13 in the United States. If you believe we have inadvertently collected such data, please contact us and we will delete it without undue delay.
Data Controller
The data controller for QMailing is Bohdan Abramovych, an individual residing in Kyiv, Ukraine. For any privacy-related question, exercise of GDPR rights (access, rectification, erasure, restriction, portability, objection), or a complaint, write to privacy@qmailing.com.
Contact
For privacy-related questions, contact us at privacy@qmailing.com.