Privacy Policy

1. Overview

Sendie is a cold-email and outreach platform. To run campaigns on your behalf, we need a small amount of information about you, your contacts, and the email servers you use. We do not sell personal data. We do not share contact lists between accounts. SMTP credentials, recipient data, and campaign content stay scoped to your account.

2. Our role: processor, not controller

This section explains who is legally responsible for the different categories of personal data the Service handles. The distinction matters under GDPR, the UK GDPR, CCPA/CPRA, and similar laws: the controller decides why and how data is processed, and bears most of the compliance obligations; the processor handles data on the controller's instructions and bears narrower obligations.

For contact data you upload, paste, import, or send to: we are a processor; you are the controller

When you upload a CSV of contacts, paste recipient addresses, import a list from another tool, or use Sendie to send messages, you are the data controller for those individuals' personal data. You decide whose data to upload, why you are contacting them, what to say, and on what lawful basis you process them. Sendie acts as your data processor — we store and transmit that data on your behalf and on your documented instructions (the actions you take inside the product).

As your processor for that data, we commit to:

• Process it only on your instructions, expressed through your use of the Service.
• Apply appropriate technical and organisational measures, including encryption of credentials at rest, access controls, and audit logging.
• Not transfer it to third parties except (i) the sub-processors listed below or on our website, (ii) where you direct us to (e.g. an SMTP provider you connect), or (iii) where required by law.
• Make available all information necessary to demonstrate compliance with Article 28 GDPR, and submit to audits as agreed in any Data Processing Addendum we sign with you.
• Notify you without undue delay of any personal-data breach affecting your contact data.
• Return or delete your data on termination, subject to the retention windows in section 7.
• Assist you with data-subject requests (access, deletion, rectification, objection) within a reasonable timeframe.

Because you are the controller for that data, you remain responsible for: choosing the lawful basis you rely on (GDPR Art. 6); making sure each recipient was lawfully obtained and is lawfully contactable; honoring opt-out, deletion, and objection requests from those recipients; providing a Privacy Notice to them where required; and any other controller obligation under applicable law. Sendie cannot, as a practical matter, verify the provenance of contact data you upload, and we are entitled to rely on the representations you make to us in our Terms of Service.

If your processing is subject to GDPR or UK GDPR and you require a written Data Processing Addendum (DPA), contact us at the address in section 13 and we will arrange one.

For account-holder data (you, the Sendie user): we are the controller

For data about you as our customer — your account email, password hash, billing information, support correspondence, and similar — Sendie is the controller. Sections 3–11 of this policy explain what we collect, why, and your rights. This dual-role structure is standard for B2B SaaS and is the same shape used by tools like Mailchimp, SendGrid, and similar services.

For aggregated or anonymized data we derive

Where we generate aggregated or de-identified statistics that cannot reasonably be linked back to a specific individual (e.g. "X% of campaigns from the Starter tier hit our deliverability heuristics"), that information is no longer personal data and we are free to use it to operate and improve the Service.

3. What we collect

Account information

• Email address (required) and password (stored as a bcrypt hash, never in plaintext).
• Display name and onboarding goal (optional).
• Account preferences such as theme and notification settings.

SMTP credentials

• The hostname, port, username, and password of the email server(s) you connect for sending. These are stored so we can send on your behalf. We are working to move all SMTP passwords to authenticated encryption at rest.

Contact & campaign data

• CSV files and contact lists you upload, including names, email addresses, company info, and any custom columns you map.
• Subject lines, body content, and any merge tags or templates you create.
• Send history, including timestamps, status (sent / failed / bounced), and per-recipient errors.

Usage data

• Basic request logs (IP address, browser user-agent, timestamp) used for security and abuse prevention.
• Demo-request and waitlist submissions, if you opt in.

4. How we use it

• Run the service. Authenticate you, store your campaigns, and send your emails.
• Improve the product. Understand which features are used, and find bugs. Aggregated, de-identified usage statistics may be used for product analytics and to train internal models that improve features like search, smart filtering, and deliverability heuristics.
• Communicate. Send transactional emails (password resets, send-status notifications) and, only with consent, occasional product updates.
• Security. Detect abuse, prevent unauthorized access, and protect both you and your recipients.

By default, we do not use the contents of your contact lists or campaign bodies for any purpose other than running your account. The one exception is the opt-in contribution program described in section 4 — you control whether your uploads ever feed our enrichment database, and the default is off.

5. Contact-data contribution (opt-in)

Sendie operates an enrichment database that helps users find verified contact information for outreach. You can choose to contribute the contact data you upload (CSV uploads, verified addresses, lead submissions) to this database. We treat this as a deliberate, separate choice — not something we infer from your use of the product.

What contribution covers

If you opt in, the contact records you upload (email address, name, title, company, and any associated metadata you've provided) may be added to Sendie's enrichment database. Records contributed this way can subsequently be returned to other users as enrichment results when they query the database for the same person or company. The same record contributed by multiple users is deduplicated.

Bounce records also flow in when contribution is on. If your block list contains an address that was automatically marked as bounced (the mail server rejected the message), that fact may be contributed too — bounces are objective deliverability signals that help other users avoid wasting verifications on the same dead address. This is similar to, and complements, the cross-user verification cache described in our Terms of Service (section 9).

What contribution does NOT cover

• Your campaign bodies and subject lines are never contributed. Message content stays scoped to your account regardless of contribution settings.
• Your SMTP credentials, billing data, and account settings are never contributed.
• Your unsubscribes and manual blocks are never contributed. An unsubscribe is a person's "I don't want to hear from you" — narrowly scoped to the original sender. Turning that into a global blacklist would be worse for the prospect, not better, and is something other contact-data platforms also deliberately exclude. Manual blocks (competitor domains, blocked industries, etc.) reveal strategic business decisions and stay scoped to your account.
• Linkage to you as the contributor. When records are surfaced to other users, they are not attributed to you. Other users cannot see which lists you uploaded or which addresses you verified.

How you control it

• The contribution toggle is off by default. We will never enable it without your explicit, affirmative action.
• You can turn contribution on or off at any time in your account settings. Turning it off stops future contributions immediately.
• Records you contributed before turning it off remain in the database. You may request removal of specific records, or of all of your historical contributions, via the contact methods in section 12. We will action verified requests within 30 days.
• If you contribute lead submissions via the Submit Lead flow, the contribution and reward rules in our Terms of Service (section 7) apply.
• The cross-user verification cache described in our Terms of Service (section 8) operates separately and uses one-way SHA-256 hashes; it does not retain the original email address and is not affected by your contribution setting.

Legal basis (GDPR / UK GDPR)

The lawful basis for processing under contribution is your explicit consent (Article 6(1)(a) GDPR), which you provide by enabling the contribution toggle. You may withdraw consent at any time, and we will stop further processing. We do not rely on "legitimate interests" to contribute your contact data without your consent.

Your obligations to the people in your lists

When you contribute contact data, you confirm that you have a lawful basis to do so (for example, business-purpose processing under GDPR Article 6(1)(f), or relevant authorisation in your jurisdiction). Sendie cannot verify the lawful basis behind every record and relies on you to make this assessment. We honour subject-access and erasure requests from individuals in our database regardless of who contributed them.

6. Sharing & disclosure

We share data only in the following limited cases:

• Sub-processors. Service providers we use to operate Sendie (hosting, error monitoring, etc.). These providers are contractually bound to use data only to deliver their service to us.
• Email delivery. When you send a campaign, the recipient's email and the message body are transmitted via the SMTP server you configured. We do not route mail through our own servers without your explicit configuration.
• Legal compliance. If required by a valid legal request — and only to the extent required. We will notify you if legally permitted.
• Business transfer. If Sendie is acquired or merged, your data may transfer to the new entity under the same protections described here.

7. Data retention

• Account data is retained while your account is active.
• Campaign history and send logs are retained for 12 months by default unless you delete them earlier.
• If you delete your account, we delete your personal data and uploaded contacts within 30 days, except where retention is required by law (e.g., financial records).

8. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct or update inaccurate data.
• Delete your data (the "right to be forgotten").
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent at any time.

To exercise any of these rights, contact us at the address in section 12. We will respond within 30 days.

9. Security

We protect your data using industry-standard practices:

• Passwords are hashed with bcrypt, not stored in plaintext.
• All traffic to the application is served over HTTPS.
• Per-user data isolation: one account cannot read or write another account's contacts, campaigns, or settings.
• Regular dependency updates and a documented incident-response process.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately.

10. Cookies & tracking

Sendie uses cookies only for session management — to keep you signed in. We do not use third-party advertising cookies or cross-site tracking pixels on the application. The marketing site may use minimal analytics to measure page views; you can opt out by enabling "Do Not Track" or by using a blocker.

11. Children

Sendie is not directed at, and we do not knowingly collect data from, anyone under 16. If you believe a minor has provided us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify active customers by email and update the "Last updated" date at the top. Continued use after a change constitutes acceptance.

13. Contact