Privacy Policy

Last Updated: May 20, 2026
Effective Date: Immediately
Company: Sendarix (“we”, “us”, “our”)
Website: https://www.sendarix.com
Client Dashboard: https://app.sendarix.com
Privacy contact: privacy@sendarix.com

This Policy explains our general privacy practices. Where Sendarix processes personal data on behalf of a customer as processor, the Data Processing Agreement (DPA) governs those processor obligations.

This legal document is provided in English. If translations or localized summaries are made available, the English version controls to the maximum extent permitted by law.

---

1. Scope and relationship to other documents

This Privacy Policy explains how Sendarix collects, uses, stores, shares, retains, and protects personal data when you visit our Website, use the Client Dashboard at app.sendarix.com, contact us, receive customer communications, pay invoices, use SMTP relay or Email API, configure domains, webhooks, suppressions, dashboards, analytics, reputation tooling, DNS guidance, support, security monitoring, or related deliverability features.

Our Terms of Service govern commercial use of the Service. Our DPA governs processor processing of Customer Personal Data where it applies. Our Cookie Policy explains cookies, local storage, consent storage, and similar technologies on the public Website and related pages. Our Acceptable Use Policy explains prohibited traffic and abuse rules.

This Policy does not create a service-level, security, deliverability, retention, or deletion commitment beyond what is expressly stated in an applicable agreement, DPA, or product setting.

---

2. Definitions

• “Account Data” means data about a Sendarix account, user, login, billing profile, workspace, support request, authentication method, security setting, or administrative contact.
• “Controller” means the party that determines the purposes and means of processing personal data where that concept applies under privacy law.
• “Customer” means the person or entity that registers for, pays for, configures, or uses the Service.
• “Customer Content” means email messages, templates, subject lines, headers, attachments, sender identities, recipient lists, template variables, suppression records, and other content or instructions submitted to or transmitted through the Service.
• “Customer Data” means Customer Content and data a Customer or User provides to Sendarix, including recipient personal data and service configuration.
• “Email Data” means sender and recipient addresses, message content and metadata, headers, subject lines, attachments if transmitted, message IDs, SMTP/API transaction data, delivery events, opens/clicks where enabled, bounces, complaints, unsubscribes, suppressions, block events, and related telemetry.
• “Processor” means a party that processes personal data on behalf of a Controller where that concept applies under privacy law.
• “Recipient” means an end user or other person whose email address or related personal data is submitted by a Customer or appears in Email Data.
• “Service Data” means operational, usage, security, billing, fraud, abuse, product telemetry, aggregated, or de-identified data generated by or for Sendarix in operating, protecting, measuring, improving, or enforcing the Service.
• “Subprocessor” means a service provider engaged by Sendarix to process personal data in support of the Service.
• “Usage Data” means logs, request metadata, device and browser data, IP addresses, user agents, API/SMTP calls, dashboard activity, feature usage, performance data, authentication events, and other telemetry generated by use of the Website, Dashboard, or Service.

---

3. Our roles: controller and processor

3.1 Sendarix as controller. Sendarix may act as Controller or business for Account Data, billing data, fraud and payment review, account authentication, security monitoring, abuse prevention, support, legal compliance, customer communications, product telemetry, website analytics, service improvement, marketing to customers where lawful, and defense of legal claims.

3.2 Sendarix as processor. Where Sendarix processes recipient lists, message content, Email Data, or campaign/email traffic on behalf of a Customer to provide SMTP, API, dashboard, webhook, suppression, analytics, or deliverability features, Sendarix generally acts as Processor or service provider and the DPA applies.

3.3 Customer as sender/controller. Customers are responsible for their Recipients, Customer Content, sender identity, lawful basis, consent, notices, unsubscribe handling, suppression handling, tracking choices, targeting, and sending instructions. Sendarix is not the sender of Customer emails unless we expressly state otherwise in writing.

3.4 Recipient requests. If a Recipient contacts Sendarix about an email sent by a Customer, we may refer the Recipient to that Customer or assist the Customer under the DPA, unless applicable law requires Sendarix to respond directly.

---

4. Information we collect

4.1 Account profile and authentication data

• Name, email address, company, role, workspace, account identifiers, and contact details
• Password hashes or authentication identifiers, MFA and security settings where available, session identifiers, login timestamps, IP addresses, user agents, and approximate location derived from IP
• Dashboard users, permissions, audit events, admin actions, and support or billing contacts

4.2 Billing, tax, payment, and fraud data

• Billing contact details, invoices, plan, usage, credits, tax or VAT details where applicable, transaction IDs, receipts, payment status, refund or chargeback records, and accounting records
• Payment processor tokens, card brand, last four digits, wallet/payment method metadata, and fraud or risk signals where provided by payment processors; Sendarix does not store full payment card numbers

4.3 Service configuration data

• Sending domains, DNS records, DKIM/SPF/DMARC status, bounce domains, tracking domains, return-path configuration, sender identities, routing settings, warmup settings, templates, suppression settings, webhooks, API key metadata, SMTP credential metadata, IP allowlists, and plan limits
• Support configuration details, troubleshooting material, deliverability settings, and customer-provided diagnostics

4.4 Email Data and recipient data

When Customers send email through Sendarix, configure suppressions, use analytics, receive webhooks, or request support, we may process Email Data, including:

• Sender and recipient email addresses, display names, reply-to addresses, envelope data, message IDs, subject lines, headers, body content, attachments if transmitted, and template variables
• Delivery, deferral, bounce, complaint, unsubscribe, suppression, block, open, click, webhook, and engagement events where enabled or available
• Mailbox provider responses, authentication results, spam or abuse signals, URL/domain indicators, reputation signals, and related troubleshooting data

We do not use message content for unrelated advertising profiling or sell it. We process message content and metadata as needed to transmit email, provide features, secure the Service, troubleshoot, enforce policies, investigate abuse, comply with law, and as otherwise instructed by the Customer under the DPA.

4.5 Logs, telemetry, security, and abuse signals

• IP addresses, user agents, device/browser data, request IDs, SMTP/API logs, dashboard activity, login logs, webhook delivery attempts, admin/support actions, rate-limit events, errors, queue events, performance data, and system telemetry
• Abuse and security signals, including suspicious logins, credential misuse, open relay behavior, spam, phishing, malware, fraud, scraping, list bombing, complaint patterns, bounce patterns, URLs, domains, headers, attachments, and traffic anomalies

4.6 Website, cookies, pixels, and similar technologies

The public Website uses strictly necessary technologies, security protections, consent storage, and optional analytics or marketing technologies as described in the Cookie Policy. The Client Dashboard uses cookies and similar technologies for authentication, session management, functionality, security, fraud prevention, and service operation.

When Customers enable email tracking features, Sendarix may process opens, clicks, pixels, tracked links, user agent data, IP-derived information, and related event data. Customers are responsible for providing Recipients any notices and obtaining any consents required for tracking.

4.7 Information from third parties

We may receive information from payment processors, fraud and abuse prevention providers, security vendors, mailbox providers, DNS and domain systems, support tools, analytics/monitoring tools, public sources, and complainants who report abuse.

---

5. How we use information

• Provide, operate, route, transmit, queue, retry, and troubleshoot SMTP relay and Email API delivery
• Operate dashboards, analytics, logs, webhooks, suppression lists, reputation tooling, DNS guidance, support, billing, and account administration
• Authenticate users, secure accounts, detect suspicious logins, prevent credential misuse, and enforce access controls
• Process payments, invoices, taxes, refunds where applicable, fraud review, chargebacks, accounting, and financial compliance
• Monitor, detect, prevent, investigate, and respond to spam, phishing, malware, fraud, open relay behavior, scraping, list bombing, abuse, suspicious traffic, sanctions risk, and policy violations
• Maintain deliverability, platform integrity, reputation, routing quality, suppression integrity, mailbox provider relationships, and service reliability
• Diagnose errors, provide support, handle customer requests, investigate complaints, and communicate about security, billing, product, policy, legal, and operational matters
• Enforce the Terms, AUP, DPA, Order Forms, checkout terms, and legal rights
• Comply with legal obligations, valid legal process, tax and accounting duties, sanctions/export requirements, and regulator or law-enforcement requests where required or permitted
• Improve reliability, safety, product functionality, documentation, abuse detection, deliverability tooling, and customer experience
• Send marketing or educational communications to customers where lawful, with opt-out where required

Deliverability analytics, opens, clicks, tracking, webhooks, event logs, bounce/complaint signals, and reputation indicators are operational signals and may be delayed, blocked, duplicated, incomplete, inaccurate, sampled, or unavailable due to mailbox providers, privacy proxies, bots, recipient settings, network behavior, customer configuration, or third-party systems.

---

6. Legal bases where GDPR/UK GDPR applies

Where GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases depending on the context:

• Contract: to provide the Service, Dashboard, SMTP/API delivery, billing, support, account administration, and requested features.
• Legitimate interests: to secure the Service, prevent fraud and abuse, protect deliverability and reputation, improve reliability and product functionality, communicate with customers, investigate complaints, enforce terms, and defend legal claims, balanced against applicable rights.
• Legal obligation: to comply with tax, accounting, sanctions, export, legal process, regulator, security, and other legal requirements.
• Consent: where required for optional cookies, certain marketing communications, or other processing that legally requires consent. You may withdraw consent where applicable without affecting prior lawful processing.

---

7. Processing summary

Category	Purpose	Legal basis where applicable	Retention summary
Account Data	Accounts, authentication, support, service notices	Contract, legitimate interests, legal obligation	Account life plus a reasonable period after closure
Billing and payment data	Invoices, taxes, payments, fraud review, chargebacks	Contract, legal obligation, legitimate interests	As required for tax, accounting, disputes, and compliance
Service configuration	Domains, DNS, credentials metadata, routing, webhooks, settings	Contract, legitimate interests	While needed for the account, support, security, or records
Email Data	Transmit email, analytics, suppressions, troubleshooting, policy enforcement	Processor under DPA for customer instructions; legitimate interests/legal obligation where Sendarix acts as controller for security or abuse	Standard operational SMTP/API logs, delivery event logs, message metadata, and related operational email logs are generally retained for 30 days; longer retention may apply for abuse, security, legal, billing, disputes, suppressions, backups, or platform integrity
Usage, security, and abuse logs	Security, fraud prevention, abuse investigation, deliverability protection, reliability	Legitimate interests, legal obligation	As long as reasonably necessary for security, investigation, enforcement, disputes, and platform protection
Website cookies and analytics	Website operation, security, consent storage, analytics/marketing where enabled	Legitimate interests, consent where required	As described in the Cookie Policy and consent settings

---

8. Retention

We retain personal data only as long as reasonably necessary for the purposes described in this Policy, the DPA, product settings, legal requirements, security, abuse prevention, billing, tax, accounting, dispute resolution, suppression integrity, backups, and deliverability protection.

• Account Data: retained while the account is active and for a reasonable period after closure for legal, billing, support, security, and audit purposes.
• Billing and tax records: retained as required by applicable law and accounting practices.
• Standard operational email logs: SMTP/API logs, delivery event logs, message metadata, and related operational email logs are generally retained for 30 days. This 30-day period applies to standard operational logs only and does not require deletion of all data after exactly 30 days.
• Operational log exceptions: related data may be retained longer where reasonably necessary for abuse prevention, security investigations, fraud, billing or tax records, legal compliance, disputes, suppression, unsubscribe, bounce, complaint, or block management, backups, legal holds, deliverability protection, or platform integrity.
• Message content: processed transiently where possible, but may be stored if features require it, messages are queued or retried, Customers store templates or logs, support requests include samples, abuse or compliance investigation requires evidence, legal obligations apply, or backups retain it until normal rotation.
• Suppressions, unsubscribes, bounces, complaints, block events, and abuse reports: retained as needed to prevent unwanted or unlawful sending, honor opt-outs, protect recipients, preserve suppression integrity, and protect deliverability and reputation.
• Security and abuse logs/evidence: retained as long as reasonably necessary for investigation, enforcement, platform protection, legal defense, and compliance.
• Backups: deleted on normal backup rotation unless retained longer for legal, security, abuse, or continuity reasons.

Some data cannot be deleted immediately because it is needed for legal obligations, billing, security, abuse prevention, suppression integrity, dispute resolution, backups, or compliance. Processor retention for Customer Personal Data may also be governed by the DPA.

---

9. Sharing, service providers, and subprocessors

We share personal data with service providers and Subprocessors only as needed to operate, secure, bill, support, monitor, improve, and enforce the Service. Categories may include hosting, cloud, storage, email transport and infrastructure, CDN/security, DNS, monitoring, error logging, analytics, support/helpdesk, payment processors, fraud/abuse/security tooling, professional advisers, and business operations providers.

Subprocessors and service providers process data under contracts or terms designed to protect personal data and limit processing to authorised purposes. Subprocessor categories are described in the DPA or are available on request; Sendarix does not currently publish a separate vendor-specific subprocessor list on this page.

We may disclose information where required or permitted by law, court order, valid legal process, regulator request, emergency, security threat, abuse report, or to protect rights, safety, recipients, mailbox providers, infrastructure, customers, or the integrity of the Service.

We may disclose or transfer data in connection with a merger, acquisition, financing, reorganisation, sale of assets, bankruptcy, or similar corporate transaction, subject to appropriate protections where required.

We do not rent or sell recipient lists. We do not sell personal information for money. We do not knowingly share personal information for cross-context behavioral advertising as defined by applicable U.S. state privacy laws unless we provide any legally required notice and opt-out mechanism.

---

10. International transfers

Personal data may be processed in countries where Sendarix, Customers, service providers, or Subprocessors operate. These countries may have data protection laws different from those in your location.

Where required and applicable, Sendarix uses appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, the UK Addendum or International Data Transfer Agreement, supplementary safeguards, or other valid mechanisms under applicable law. Processor transfer commitments may be further described in the DPA.

---

11. Customer responsibilities

Customers must have a lawful basis for Recipient data, provide required privacy notices, obtain required consent for marketing and tracking, honor unsubscribe and opt-out requests, handle complaints, maintain suppression lists, keep consent records, and respond to Recipient rights requests.

Customers must configure webhooks, integrations, forms, DNS, tracking domains, preference centers, and downstream systems securely and lawfully. Customers are responsible for downstream processing after Sendarix sends event data to Customer-configured webhook endpoints or integrations.

Customers must not submit unnecessary sensitive data or use Sendarix for prohibited or high-risk data processing unless expressly allowed by law, the DPA, product terms, and an appropriate agreement.

---

12. Sensitive data

Sendarix is not designed for unnecessary processing of highly sensitive personal data in email campaigns. Customers should not submit special category data, children’s data, health data, biometric data, financial account data, government identifiers, precise location data, or similarly sensitive data unless lawful, necessary for the agreed use, covered by appropriate agreements, and permitted by product settings and the DPA.

Transactional email may naturally contain personal data. Customers should minimize sensitive content, avoid placing sensitive data in subject lines or headers, and use appropriate security controls for their own systems and recipients.

---

13. Automated security, abuse, and deliverability processing

Automated systems may process metadata, headers, message samples, URLs, attachments, IPs, domains, authentication results, reputation signals, bounce and complaint patterns, list quality signals, login patterns, payment or fraud signals, and traffic patterns to detect spam, phishing, malware, fraud, suspicious logins, account risk, deliverability risk, AUP violations, open relay behavior, scraping, list bombing, and other abuse.

This processing may result in rate limits, throttling, routing changes, sandboxing, manual review, credential or domain disabling, suspension, or other enforcement. Customers may contact support unless immediate action is required for security, abuse, legal, payment, or platform protection reasons.

We do not use Recipient message content for unrelated advertising model training. Sendarix may use aggregated or de-identified telemetry and Service Data to improve reliability, safety, abuse detection, deliverability tooling, recommendations, and product functionality.

---

14. Security

We use technical and organisational measures appropriate to the nature of the Service, which may include encryption in transit, access controls, least-privilege access, authentication controls, logging, monitoring, backups, segmentation, abuse detection, incident response, and vendor review. No system, transmission, storage, or email delivery service is perfectly secure.

Customers must secure their own accounts, API keys, SMTP passwords, webhook secrets, domains, DNS records, forms, websites, integrations, devices, and user access. Customer misconfiguration, credential exposure, compromised systems, or insecure webhook endpoints can affect privacy and deliverability.

---

15. Your rights and choices

Depending on your location and the role in which Sendarix processes your data, you may have rights to access, correct, delete, port, restrict, or object to processing of personal data, withdraw consent where processing is consent-based, and opt out of marketing communications. Contact privacy@sendarix.com to exercise rights as a Sendarix account holder or Website visitor.

If you are a Recipient of email sent by a Sendarix Customer, you should usually contact the sender/customer first because that Customer controls the mailing list, content, purpose, and legal basis. Sendarix will assist Customers with Recipient requests as required by the DPA and applicable law.

We may verify identity, request additional information, refer requests to a Customer, decline or limit requests where an exception applies, and retain certain data where needed for legal, billing, tax, security, abuse, suppression, backup, compliance, or dispute reasons.

If GDPR, UK GDPR, or similar law applies, you may have the right to lodge a complaint with your local data protection authority. Sendarix has not published a specific DPO, EU representative, UK representative, or lead supervisory authority on this page.

---

16. California and U.S. state privacy rights

Where applicable U.S. state privacy laws apply, residents may have rights to know/access, delete, correct, obtain a copy, opt out of sale or sharing, limit certain sensitive personal information uses, and not be discriminated against for exercising privacy rights.

Sendarix does not sell recipient lists and does not sell personal information for money. Sendarix does not knowingly share personal information for cross-context behavioral advertising as defined by applicable law unless we provide any required notice and opt-out mechanism.

Submit requests to privacy@sendarix.com. We may verify your request as permitted by law. If you are a Recipient of a Customer email, the Customer may be the business/controller responsible for your campaign data, and we may refer your request to that Customer or assist them as required.

---

17. Children

The Service is not directed to children under 18. Customers must not use the Service to knowingly collect or process children’s personal data unless they have all required legal authority and an appropriate agreement with Sendarix.

---

18. Third-party links and customer endpoints

Our Website, Dashboard, emails, and Documentation may link to third-party sites or services. Customer emails may also link to Customer or third-party sites. Sendarix is not responsible for the privacy or security practices of those third parties.

Webhook endpoints, redirect domains, tracking domains, landing pages, preference centers, and customer integrations are controlled by Customers or their providers. Customers are responsible for their security, privacy notices, and downstream processing.

---

19. Changes

We may update this Policy by posting a revised version on www.sendarix.com or notifying you through the Dashboard or email where practicable. Material changes will be notified where reasonably practicable, but changes required for legal, security, abuse, operational, or service reasons may take effect sooner.

Continued use after the effective date means you acknowledge the updated Policy where permitted by law. If processor terms are affected, the DPA controls as described there.

---

20. Contact and conflict

Privacy: privacy@sendarix.com
Legal: legal@sendarix.com
Abuse: abuse@sendarix.com
Dashboard: app.sendarix.com for account, billing, and support controls where available.

This Policy explains general privacy practices. The DPA controls processor processing of Customer Personal Data. The Terms of Service control commercial use of the Service. The AUP controls prohibited sending and abuse rules. The Cookie Policy controls cookies and similar technologies on the Website and related pages. If there is a conflict for processor processing, the DPA controls.