Privacy Policy

Effective date: 1 January 2025 · Last updated: 1 May 2025

1. Who we are

JS2Mail is an email dispatch API operated by Prodasoft. Our registered address and contact details are available at [email protected]. We are the data controller for account and billing data, and act as a data processor for email content you send through our API.

2. What data we collect

Account data
Name, email address, password hash. Required to identify you and secure your account.
Mailbox credentials
OAuth refresh tokens or SMTP credentials you connect. Encrypted at rest with AES-256-GCM. Never logged in plaintext.
Send logs
Timestamp, recipient domain, status (delivered / failed / queued), message ID. Retained 30 days on free plans, 90 days on paid plans.
Message content
Passed through to your connected mailbox provider and immediately discarded. We do not store body text or attachments.
Billing data
Handled entirely by Stripe. We store only a Stripe customer ID — no raw card numbers.
Usage metrics
Request counts, error rates, latency. Aggregated and anonymised after 90 days.

3. How we use your data

  • To authenticate you and secure your account.
  • To dispatch emails through your connected mailbox on your instruction.
  • To detect abuse, enforce rate limits, and protect the platform.
  • To send transactional emails (receipts, password resets, quota warnings). No marketing without explicit opt-in.

3a. Form endpoint data (contact forms)

When a website visitor submits a form that posts to a JS2Mail /f/ endpoint, the submitted fields (typically name, email address, and message) pass through our servers.

Who is the data controller?
The website owner who created the form endpoint. They determine what fields to collect and how the data is used. JS2Mail acts solely as a data processor on their instruction.
What do we do with the data?
We validate the submission, apply spam filtering, and forward it to the website owner's connected mailbox. We do not use form data for our own purposes, analytics, or marketing.
How long is it retained?
Submission metadata (timestamp, status, sender IP hash) is retained in send logs for 30 days on free plans and 90 days on paid plans — the same as API sends. The message body is not stored after delivery.
Spam filter (honeypot)
We inspect a hidden honeypot field to reject automated submissions. No machine-learning profiling of content is performed.
KVKK / GDPR responsibility
Website owners are responsible for informing their own visitors that form data is processed by JS2Mail as a sub-processor. A one-line disclosure in the site's own privacy policy is sufficient: "Form submissions are processed by JS2Mail (js2mail.dev) and forwarded to our inbox."

4. Data sharing

We do not sell your data. We share it only with:

  • Your mailbox provider (Google, Microsoft, your SMTP host) — to dispatch the mail you requested.
  • Stripe — for payment processing.
  • Hetzner / AWS — infrastructure hosting in the EU (Frankfurt).
  • Law enforcement — only when required by a valid legal order.

5. Your rights (GDPR)

If you are in the EU or UK you have the right to access, correct, port, or delete your data. You can exercise these rights from Dashboard → Settings → Data, or by emailing [email protected]. We respond within 72 hours and fulfil requests within 30 days.

6. Cookies

We use a single session cookie for authentication and a js2mail.theme key in localStorage for your dark/light preference. No third-party tracking or advertising cookies.

7. Changes to this policy

Material changes will be emailed to account holders at least 14 days before taking effect. Minor clarifications (grammar, formatting) may be updated without notice.

Questions? Email [email protected]