Privacy Policy | SpamCipher

1.Introduction and Our Role

SpamCipher is an email deliverability intelligence platform. We help senders verify email addresses, find and confirm business contacts, check domain health and email authentication, monitor blacklists and sender reputation, and analyze message content, so their email reaches the inbox.

We act in two different roles depending on the data involved:

For information about your account and your use of the Service (such as your name, login details, billing data, and usage logs), we are the data controller. This Policy describes how we handle that information.
For the email lists and contact data you submit to be verified or processed ("Customer Data"), you are the controller and we are a data processor acting on your instructions. We only process Customer Data to provide the Service to you. If you are a business customer subject to the GDPR or similar laws, our GDPR page and Data Processing Agreement govern that relationship.

By using the Service, you agree to this Policy. If you do not agree, please do not use the Service.

2.Information We Collect

Account and profile information

When you create an account we collect your name, email address, a password (which we store only in hashed form), and optionally your company name, role, and phone number. We may also collect information you provide when you contact support or respond to surveys.

Billing information

Payments are processed by our payment provider, Stripe. We do not store full payment card numbers on our systems. We retain billing details such as your billing contact, subscription plan, transaction history, and limited card metadata (for example, card brand and last four digits) returned to us by Stripe to manage your subscription and invoices.

Customer Data you submit for processing

To use the Service you submit data to be processed, such as email addresses and any associated fields in the lists you upload or send through our API or integrations, the names and domains you query with Email Finder, and the domains and sending IPs you add for monitoring. We process this Customer Data only to return results to you (for example, validity status, deliverability signals, or monitoring alerts).

Authentication and monitoring data

If you use domain health, DMARC, blacklist, or reputation monitoring, we collect the domains and IP addresses you ask us to watch and the related public DNS and authentication records. If you route your DMARC aggregate (RUA) reports to us, we receive and parse those reports, which describe sources sending email on behalf of your domain.

Information from connected accounts (OAuth)

When you connect a third-party mailbox or account — such as a Google (Gmail / Google Workspace) or Microsoft (Outlook / Microsoft 365) account — you authorize us through OAuth to access specific data needed for the feature you enable. We receive and store an OAuth access token and, where applicable, a refresh token so the integration can run; these tokens are encrypted at rest. We request the minimum access necessary, you choose which features to enable, and you can disconnect at any time.

Depending on the feature you turn on, the access we request includes:

Inbox Warm-up (send only). To grow a connected mailbox’s sending reputation, we send a small, controlled volume of warm-up messages from your mailbox, on your behalf, to the seed inboxes we operate. You can connect by OAuth or by an app-specific password. With Google, OAuth requests only the permission Google labels “Send email on your behalf” (the https://www.googleapis.com/auth/gmail.send scope); with Microsoft it requests only SMTP.Send; app-password connections authenticate an SMTP send. All are send-only — no read access, so we never read, scan, index, or store your email. Whether each warm-up message landed in the inbox or spam is measured on our own receiving seed inboxes, not in your mailbox.
Reputation monitoring (Google Postmaster). To report your domain and IP reputation, spam rate, and authentication results, we request Google’s read-only Postmaster Tools scope https://www.googleapis.com/auth/postmaster.readonly. This returns aggregate reputation metrics for domains you own; it does not expose the contents of any email.
Basic profile. To identify the connected account we request openid and email (and, with Microsoft, offline_access so the connection can refresh without re-prompting you). This gives us the email address of the connected mailbox, not your contacts or message content.

Our handling of Google data is described in more detail in the Google User Data section below, and our handling of Microsoft data immediately follows it.

Usage, device, and log data

Like most online services, we automatically collect technical information when you use the Service: your IP address, browser and device type, operating system, referring pages, the pages and features you use, and timestamps. We use this for security, fraud prevention, troubleshooting, and to understand and improve the Service.

Cookies and similar technologies

We use a small number of cookies and similar technologies, described in the Cookies section. We do not use advertising or cross-site tracking cookies.

3.How We Use Information

We use the information we collect to:

Provide, operate, and maintain the Service, including verifying addresses, running monitoring, and returning results;
Operate Inbox Warm-up — sending the controlled warm-up messages our system generates from a mailbox you connect, to grow its sending reputation (inbox placement is measured on our own receiving seed inboxes, not in your mailbox);
Create and secure your account and authenticate you;
Process payments, manage subscriptions, and send invoices and receipts;
Respond to your requests and provide customer support;
Detect, prevent, and investigate fraud, abuse, and security incidents;
Maintain and improve the Service, including diagnosing problems and developing new features;
Send you service and administrative messages (such as security alerts, billing notices, and changes to our terms), which you cannot opt out of while you have an account;
Send you optional product news and marketing, which you can opt out of at any time; and
Comply with our legal obligations, enforce our terms, and protect our rights and the rights and safety of others.

We do not sell your personal information, and we do not use Customer Data or data obtained from connected accounts for advertising.

4.Google User Data (Limited Use)

Inbox Warm-up lets you connect a Google account (Gmail or Google Workspace) so SpamCipher can send warm-up email on your behalf, and reputation monitoring can optionally read your Gmail Postmaster statistics. When you connect, Google asks you to grant specific OAuth permissions (scopes). We request only the minimum scopes needed for the feature you turn on — send-only for warm-up — and we use the access only to provide that feature.

The specific Google scopes we request, what we do with the access, and how we protect it:

https://www.googleapis.com/auth/gmail.send (shown to you as “Send email on your behalf”) — used by Inbox Warm-up to send a small, controlled volume of warm-up messages from your connected Gmail mailbox, on your behalf. This is a send-only scope: it grants no read, search, or delete access, so SpamCipher cannot and does not read, scan, index, export, or store any of your email. Whether a warm-up message reached the inbox or spam is determined on the receiving seed inboxes we operate.
https://www.googleapis.com/auth/postmaster.readonly — used by reputation monitoring to read aggregate Gmail Postmaster Tools metrics (domain and IP reputation, spam rate, and authentication results) for domains you own. It returns statistics only and never the contents of any email.
openid and email — used to identify the connected mailbox by its email address so we can show it to you and attach results to the right account.

We protect this data with encryption in transit (TLS) and encryption at rest: OAuth access and refresh tokens, and any stored mailbox credentials, are encrypted (AES-256-GCM). Access is limited to the systems that run the feature, on a need-to-know basis. We retain Google user data only for as long as needed to provide the feature; when you disconnect the mailbox or delete your account, we delete the tokens and the warm-up and placement data derived from it.

SpamCipher’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, we will not:

transfer or sell Google user data to third parties such as advertising platforms, data brokers, or information resellers;
use or transfer Google user data for serving advertisements, including retargeting or personalized advertising;
allow humans to read your Google user data, unless we first obtain your consent to read specific messages or data, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or the data has been aggregated and anonymized; or
use Google user data to develop, improve, or train generalized or non-personalized artificial intelligence or machine-learning models.

We use Google user data only to provide and improve the user-facing feature you requested. We store OAuth tokens in encrypted form and retain Google user data only for as long as needed to provide that feature. You can review or revoke SpamCipher’s access at any time from your Google Account at myaccount.google.com/permissions, or by disconnecting the integration inside SpamCipher.

5.Microsoft Account Data

Inbox Warm-up also lets you connect a Microsoft account (Outlook.com or Microsoft 365) so SpamCipher can send warm-up email on your behalf. When you connect, Microsoft asks you to grant specific OAuth permissions. We request only the minimum permissions needed — send-only — and we use the access only to provide that feature.

The specific Microsoft permissions we request, and what we do with them:

SMTP.Send — to send a small, controlled volume of warm-up messages from your connected mailbox. We do not request read access (no IMAP scope), so we never read, scan, index, or store your mail.
offline_access — to obtain a refresh token so the connection keeps working without re-prompting you.
openid and email — to identify the connected mailbox by its email address.

We handle Microsoft account data on the same terms as Google user data: we do not sell it, share it with advertising platforms or data brokers, use it for advertising, or use it to train generalized AI or machine-learning models, and we do not allow humans to read your messages except with your consent, for security, to comply with law, or in aggregated and anonymized form. OAuth tokens and any stored credentials are encrypted at rest (AES-256-GCM) and in transit (TLS). You can revoke SpamCipher’s access at any time from your Microsoft account at account.microsoft.com, or by disconnecting the mailbox inside SpamCipher; doing so deletes the tokens and the warm-up and placement data derived from it.

6.How We Share Information

We do not sell your personal information and we do not share it for third-party marketing. We share information only in the limited ways described here.

Service providers (sub-processors)

We use trusted service providers to run the Service. They may process information on our behalf, only for the purposes we specify and under contracts that require them to protect it. Our main categories of sub-processors are:

Stripe — payment processing and billing;
Google Cloud Platform — cloud hosting, databases, and infrastructure;
Cloudflare — content delivery, DNS, and security (including bot and DDoS protection);
Email and deliverability infrastructure providers — the sending and probing infrastructure used to test address deliverability (these checks do not deliver mail to the recipient); and
AI service providers — for optional automated analysis and plain-language summaries, where we send only the limited data needed for the feature. These providers are contractually prevented from using your data to train their models, and we do not use this data for advertising.

A current list of sub-processors is available on request at [email protected].

Legal and safety

We may disclose information if required by law, subpoena, or other legal process, or where we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud or abuse, or protect the safety of any person.

Business transfers

If SpamCipher is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will require the recipient to honor this Policy or notify you of any material changes.

7.How Long We Keep Information

We keep information only for as long as we need it for the purposes described in this Policy, unless a longer period is required or permitted by law.

Customer Data (uploaded lists and results): we store it encrypted and retain it only as long as needed to provide your results. You can delete uploaded files and results at any time from your account, and we delete uploaded lists within 30 days unless you ask us to keep them longer.
Account and billing data: we keep it while your account is active and for a limited period afterward to meet legal, tax, accounting, and dispute-resolution requirements.
Connected-account data and OAuth tokens: we keep these only while the integration is connected; revoking access or disconnecting deletes them.
Logs and usage data: we retain these for a limited period for security and operational purposes.

When we no longer need information, we delete it or anonymize it. Residual copies may remain in backups for a limited time before they are overwritten.

8.How We Protect Information

We use technical, administrative, and organizational measures designed to protect information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These include:

Encryption of data in transit using TLS, and encryption of sensitive data at rest;
Access controls that limit who can access systems and data, on a need-to-know basis;
Secure, reputable cloud infrastructure (Google Cloud Platform) and security tooling (Cloudflare);
Hashing of passwords and encrypted storage of OAuth tokens and connected-mailbox credentials using authenticated encryption (AES-256-GCM); and
Monitoring, logging, and regular review of our systems.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach that materially affects your personal information, we will notify you and the appropriate authorities as required by law.

9.Cookies and Similar Technologies

Cookies are small files stored on your device. We use them sparingly:

Strictly necessary cookies keep you logged in, secure your session, and enable core functionality. These cannot be turned off without breaking the Service.
Analytics cookies help us understand how the Service is used so we can improve it. We use privacy-respecting analytics and do not use this data for advertising.

We do not use advertising, retargeting, or cross-site tracking cookies. You can control or delete cookies through your browser settings; disabling strictly necessary cookies may prevent parts of the Service from working.

10.Your Privacy Rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

Access a copy of the information we hold about you;
Correct inaccurate or incomplete information;
Delete your information;
Object to or restrict certain processing;
Receive your information in a portable format;
Withdraw consent where processing is based on consent; and
Opt out of marketing communications at any time.

If you are in the European Economic Area, the United Kingdom, or Switzerland, these rights arise under the GDPR and equivalent laws; see our GDPR page for details, including the lawful bases on which we rely. If you are a California resident, you have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of any "sale" or "sharing" of personal information; we do not sell or share personal information as those terms are defined.

To exercise any of these rights, email us at [email protected]. We will respond within the time required by applicable law. We will not discriminate against you for exercising your rights. If the information at issue is Customer Data for which one of our customers is the controller, we will refer your request to that customer.

11.International Data Transfers

SpamCipher is operated from, and primarily hosts data in, the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where we or our sub-processors operate, which may have different data-protection laws than your country.

Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), to protect that information. Business customers can request our Data Processing Agreement, which incorporates these clauses, at [email protected].

12.Children’s Privacy

The Service is intended for businesses and adults. It is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.

13.Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will provide additional notice, such as by email or an in-product notice. Your continued use of the Service after an update means you accept the revised Policy.

14.Contact Us

If you have questions about this Privacy Policy or how we handle your information, or if you wish to exercise your rights, contact us at:

Privacy and data requests: [email protected]
General support: [email protected]