Privacy at a glance

MailTrigger is an email routing and automation platform that can process both inbound and outbound email.

When your emails are delivered to or sent through MailTrigger’s SMTP endpoints (inbound or outbound), we:

• Receive and parse the email (headers, body, attachments) and execute the Routes and Actions you configure (e.g., forwarding, webhook delivery, outbound sending, Slack/Telegram/Microsoft Teams notifications, LLM automation, etc.).
• Temporarily store the email message file (for example, an EML file) in our protected, encrypted storage area, solely for processing, logging, and debugging. These email message files are automatically deleted after the relevant Actions have finished executing.
• Retain logs and processing records for auditing, troubleshooting, and security validation.
• Never use email content for advertising, commercial profiling, or model training.

This Privacy Policy explains how MailTrigger (“we”, “us”, “our”) collects, uses, stores, and protects information when you use our website, SMTP, API, and related services (collectively, the “Service”). If you do not agree with this Policy, you may discontinue use of the Service.

1. Who we are & how to contact us

Controller: MailTrigger
Contact: support@mailtrigger.app

2. Definitions

“Personal Information”

Personal Information means any information relating to an identified or identifiable person, including data that can directly or indirectly identify an individual (such as an email address, IP address, account details, identifiers, or metadata associated with an email).

“Email Content” and “Email Message Files”

“Email Content” means the headers, body, and attachments of an email. “Email Message Files” means the stored representation of that content within our systems (for example, an EML file or other equivalent format). In this Policy, references to stored email files are intended to cover all such formats, not only EML. These files are stored in encrypted form and are automatically deleted after the related Actions have finished executing, as described in Sections 4 and 10.

“Processing”

Processing refers to any operation performed on Personal Information, whether automated or manual, such as collection, receipt, parsing, storage, organization, reading, forwarding, modification, transmission, disclosure, retention, deletion, or destruction.

These definitions apply throughout this Policy.

3. What we do

MailTrigger provides an SMTP entry point and automation engine that allows you to:

• Receive inbound emails
• Send outbound emails on your behalf (for example, as part of forwarding, auto-responses, or other Actions you configure)
• Automatically execute Routes such as forwarding, webhook delivery, LLM processing, auto-responses, and notification integrations
• Store and display email logs and processing history
• Build automated workflows driven by email events

Our core role is to safely and reliably automate the processing of email that you choose to send to or through MailTrigger.

4. Email data and how it is processed

4.1 Email reception and sending (SMTP entry/relay)

When an email is processed via a MailTrigger SMTP address (inbound to you or outbound from you), we:

• Receive the complete email and store it as an Email Message File (for example, an EML file, including headers, body, and attachments)
• Perform DKIM/SPF/DMARC checks
• Execute Actions according to your Route Settings
• Create Action and Route execution log entries

We parse email content only as necessary to operate the Service.

4.2 Temporary email message file storage

Email Content may be written to an Email Message File (for example, an encrypted EML file) and stored securely within our isolated storage environment.

Stored email message files are used only for:

• Executing Routes and Actions
• Displaying the message in your dashboard
• Debugging, auditing, and security validation

Email Message Files are stored only for as long as necessary to execute the relevant Actions and maintain short-term reliability, and are automatically deleted after the corresponding Action workflow has finished.

4.3 Email content processing

Actions may send email content or metadata to external destinations that you configure, such as:

• A webhook endpoint
• Another email recipient (forwarding or outbound delivery)
• A language model for generating a reply
• Third-party services (Slack, Telegram, Microsoft Teams, etc.)

We never transmit email content to third parties on our own initiative—only based on your explicit automation settings.

4.4 Logs and metadata

We may process metadata such as:

• Sender/recipient addresses (From/To/Return-Path)
• Subject line
• Message-ID
• Path or identifier of the stored email message file (for example, an EML file)
• DKIM/SPF/DMARC verification results
• Route execution status
• Worker performance metrics and error details
• SMTP session details, timestamps, and IP addresses

These help ensure reliability, security, and debugging.

5. Information we collect

We collect the minimum information necessary to provide the Service:

Email content

Headers, body, and attachments contained in the received or sent email (Email Content).

Service metadata

SMTP connection details, IP addresses, TLS information, system logs, queue execution logs, error traces, and dashboard session data.

Account & billing data

Email address, password hash, subscription info, and payment history (we do not store full card details).

Payment records

Processed by third-party providers (Pixiu, Stripe, PayPal). We receive only:

• Transaction ID
• Amount and status
• Subscription details

Support communications

Messages or emails you send to us.

6. Why we process information

To provide the Service

• Receiving, parsing, storing, routing, forwarding, sending outbound email, and automating email delivery
• Displaying logs and processing history records
• Providing dashboard functionality

Security & abuse prevention

• Spam detection and intrusion detection
• Fraud prevention and abuse mitigation
• Logging and incident response

Diagnostics & improvement

• Performance tuning and capacity planning
• Debugging and reliability improvements

Billing & licensing

• Subscription verification
• Usage calculation
• Payment handling and invoicing

Legal compliance

• Responding to valid legal requests
• Preventing fraud
• Enforcing our Terms of Service

7. Lawful basis for Processing (where applicable)

When privacy laws such as the GDPR require a legal basis for Processing Personal Information, we rely on:

• Contractual necessity: To provide the Service you signed up for, including receiving, processing, and sending emails.
• Legitimate interests: Security, fraud prevention, diagnostics, and service improvement, balanced against your rights.
• Consent: For optional analytics, marketing communications, and certain integrations where consent is required.
• Legal obligations: Retaining records required by tax, accounting, or regulatory frameworks.

8. Sharing of information

We share Personal Information only when necessary:

Service providers

We use third-party providers for infrastructure hosting, DNS/SMTP services, analytics, customer support, and payment processing. They act under our instructions and are not allowed to use your data for their own purposes.

Your configured integrations

We send data to webhook URLs, email forwarding targets, outbound SMTP destinations, LLM endpoints, and third-party notification services only where you explicitly configure such integrations.

Legal & safety

We may disclose data to comply with lawful requests, protect our users, or maintain the security and integrity of the Service.

Business transfers

In the event of a merger or acquisition, data may be transferred under this Policy’s safeguards.

We do not sell your Personal Information. We do not sell, rent, trade, or license Personal Information to advertisers or data brokers, and we do not permit our service providers to use your data for their own advertising or profiling purposes.

9. Cookies and similar technologies

The dashboard uses:

• Essential cookies (authentication, session management)
• Optional analytics cookies (e.g., Umami or Google Analytics)

Analytics load only with your consent where legally required.

SMTP and API endpoints do not use cookies.

10. Data retention

We retain data only as long as needed to operate the Service or meet legal requirements. Examples include:

Email message files & attachments

• Email Message Files (for example, EML files) and attachments are stored in encrypted form for the limited time needed to execute the related Actions and ensure short-term reliability.
• They are automatically deleted after the corresponding Action workflow has finished and are not retained as long-term archives.

Route Execution Log & Action Execution Log

• Retained for a limited period (currently up to 180 days) to support debugging, auditing, and abuse detection, after which they are deleted or anonymized.

IP logs & SMTP session metadata

• Typically retained for up to 90 days for abuse detection and security investigations, unless regulations require a longer period.

Billing & account records

• Retained for 5–7 years to comply with tax and accounting obligations.

Support messages

• Retained as long as necessary to provide customer service and maintain an accurate support history.

When data is no longer required, we securely delete it or anonymize it.

11. Security

We apply industry-standard safeguards, including:

• TLS/HTTPS encryption
• Access controls and role-based restrictions
• Segregated processing environments
• DKIM/SPF verification to prevent spoofing
• Secure, encrypted storage for email message files and strict audit controls
• Least privilege principles across our infrastructure

No system is 100% secure; please protect your SMTP credentials, API tokens, and dashboard access.

12. Automated decision-making & profiling

We use automated processing only for operational and security purposes, such as detecting abuse, spam, or anomalous SMTP activity, applying rate limits, and identifying suspicious patterns to prevent service misuse.

We do not use automated decision-making for advertising, behavioral profiling, or personalized content targeting. Automated analysis is strictly limited to protecting the Service and its users.

13. International data transfers

MailTrigger processes and stores data using cloud infrastructure that may be located outside of Taiwan. In such cases, we comply with the requirements of Taiwan’s Personal Data Protection Act (PDPA) regarding the security and cross-border transfer of personal data. We implement appropriate safeguards — including encryption, access controls, and careful selection of third-party service providers — to ensure that personal data is protected regardless of where it is processed.

14. Your rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your Personal Information (including Email Message Files, where applicable)
• Export your data (data portability)
• Restrict or object to certain processing activities
• Withdraw consent for analytics or marketing where consent is the legal basis

We respond to verified requests within 30 days, subject to any extensions permitted by law.

15. Children’s privacy

MailTrigger is not intended for use by children under 13 (or the age defined by applicable local law). We do not knowingly collect Personal Information from children.

16. Changes to this Policy

We may update this Policy as our services or legal obligations evolve.

Significant updates will be communicated where required by law.

The “Effective date” at the top of this page will be updated to reflect changes.

17. Contact

For questions, rights requests, or privacy concerns, you can contact us at:
📧 support@mailtrigger.app

18. Law enforcement and transparency

If we receive a request from law enforcement or other authorities, we:

• Require valid legal process before providing any user data
• Disclose only what is legally required
• Notify affected users where permitted by law

MailTrigger does not proactively monitor the content of your emails and does not voluntarily share user data with governments.