Privacy Policy

Effective Date: April 7, 2026
Last Updated: April 7, 2026

Jonah and Associates Pty Ltd, operating as Sendmux (“Sendmux”, “we”, “us”, or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal information when you use the Sendmux platform at sendmux.ai, including our APIs, SMTP endpoints, dashboards, and related services (the “Service”).

This policy applies to all users of the Service, including account holders, their team members, and recipients whose personal information may be processed through the Service.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Organisation name (if applicable)
  • Password (stored in hashed form)
  • Billing information (processed and stored by Stripe — we do not store full payment card details)

1.2 Email Metadata

When emails are routed through the Service, we collect and retain metadata including:

  • Sender and recipient email addresses
  • Subject lines
  • Timestamps (sent, delivered, bounced, opened, clicked)
  • Delivery status and provider used
  • Message size
  • SMTP response codes

1.3 Email Content (Temporary)

For outbound routing, email body content is temporarily held in our processing queue during delivery and retry attempts. Once delivery is completed or retries are exhausted, email body content is deleted from our systems. We do not retain outbound email body content for analytics, training, or any purpose beyond delivery.

1.4 Mailbox Data

For customers using mailbox features, we store incoming email content, attachments, metadata, labels, and folder organisation as necessary to provide the mailbox service. This data persists until the customer deletes it or the account is terminated.

1.5 Provider Credentials

When you connect email providers to the Service, we store your SMTP credentials encrypted using AES-256-GCM. These credentials are used solely to route email on your behalf.

1.6 Usage Data

We collect information about how you use the Service, including:

  • Dashboard interactions
  • API calls and endpoints accessed
  • Feature usage patterns
  • Error logs

1.7 Website Analytics

We use Umami, a privacy-focused analytics platform, to collect anonymised website usage data. Umami does not use cookies, does not collect personal information, and does not track visitors across websites.

2. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Route and deliver emails through configured providers
  • Monitor delivery performance and provider health
  • Enforce per-provider quotas and rate limits
  • Provide delivery logs and analytics dashboards
  • Process payments and manage billing
  • Send Service-related communications (account notifications, security alerts, product updates)
  • Detect, prevent, and address abuse, fraud, and security issues
  • Comply with legal obligations
  • Improve the Service

We do not sell your personal information. We do not use your email content or metadata to train machine learning models. We do not serve advertising.

3. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

  • Contract performance — Processing necessary to provide the Service you have requested
  • Legitimate interests — Processing necessary for our legitimate interests, such as fraud prevention, Service improvement, and security, where these interests are not overridden by your rights
  • Legal obligation — Processing necessary to comply with applicable laws
  • Consent — Where we rely on consent, you may withdraw it at any time by contacting us at contact@sendmux.ai

4. Data Storage and Security

4.1 Storage Locations

Data Type | Provider | Location
Email processing, mailbox data, metadata, logs | Hetzner | European Union (Germany, Finland)
Application edge compute, caching, sessions | Cloudflare | Global edge network
Payment information | Stripe | As per Stripe's privacy policy
Website analytics | Umami | Self-hosted / provider infrastructure

We do not store data on Amazon Web Services or in the United States, except where Cloudflare's global edge network may temporarily cache non-sensitive data at edge nodes.

4.2 Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

  • AES-256-GCM encryption for stored provider credentials
  • TLS/SSL encryption for all data in transit
  • Hashed password storage
  • Role-based access controls
  • Regular security reviews
  • Infrastructure deployed on isolated Kubernetes clusters

4.3 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law.

5. Data Sharing

We share personal information only in the following circumstances:

5.1 Sub-Processors

Sub-Processor | Purpose | Location
Cloudflare | CDN, edge compute, application hosting (Workers), KV/D1/R2 storage | Global
Hetzner | K8s cluster hosting, load balancer, email infrastructure | EU (Germany, Finland)
Stripe | Payment processing and billing | As per Stripe's privacy policy
DigitalOcean | Occasional supplementary infrastructure | EU
Umami | Privacy-focused website analytics | Self-hosted / provider infrastructure

We maintain contracts with all sub-processors that require them to protect personal data to at least the same standard as this Privacy Policy.

5.2 Email Providers

When you configure your own email providers (such as SendGrid, Gmail, or Microsoft 365), email content and metadata are transmitted to those providers for delivery. Your use of those providers is subject to their respective privacy policies and terms of service.

5.3 Legal Requirements

We may disclose personal information if required to do so by law, regulation, legal process, or enforceable governmental request.

5.4 Business Transfers

In connection with a merger, acquisition, or sale of assets, your personal information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Retention

Data Type | Retention Period
Account information | Duration of account plus 30 days after termination
Email metadata and delivery logs | 90 days (configurable by customer)
Outbound email body content | Deleted after delivery or retry exhaustion (typically minutes to hours)
Mailbox content (inbound) | Until deleted by customer or account termination
Provider credentials | Duration of account, deleted within 30 days of termination
Payment and billing records | 7 years (as required by Australian tax law)
Website analytics | Aggregated, anonymised, no personal data retained

7. Your Rights

7.1 All Users

You have the right to:

  • Access your personal information through your account dashboard
  • Correct inaccurate information through your account settings
  • Delete your account and associated data by contacting us
  • Export your data (delivery logs, provider configurations) through the API or dashboard

7.2 EEA and UK Residents (GDPR)

In addition to the above, you have the right to:

  • Request restriction of processing
  • Object to processing based on legitimate interests
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection supervisory authority

7.3 Australian Residents

Your personal information is handled in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles. You have the right to access and correct your personal information. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.

9. Cookies

The Sendmux website and dashboard use only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party marketing cookies. Our analytics provider (Umami) is cookie-free.

10. International Data Transfers

Your data is primarily stored within the European Union (Hetzner). Where data is processed by Cloudflare's global network, Cloudflare maintains appropriate safeguards including Standard Contractual Clauses for international transfers. We do not transfer data to jurisdictions without adequate data protection unless appropriate safeguards are in place.

11. Data Processing Agreement

If you process personal data of third parties through the Service (for example, email recipients), you may be a data controller and Sendmux a data processor under GDPR. Our Data Processing Agreement, available at sendmux.ai/legal/dpa or upon request at contact@sendmux.ai, governs this relationship.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The “Last Updated” date at the top of this policy indicates when it was last revised.

13. Contact

For questions, requests, or complaints about this Privacy Policy or our handling of your personal information, contact us at:

Jonah and Associates Pty Ltd
Trading as Sendmux
Email: contact@sendmux.ai
Website: sendmux.ai

For complaints about privacy handling in Australia, you may also contact the Office of the Australian Information Commissioner at oaic.gov.au.

Copyright © 2026 Jonah and Associates Pty Ltd