Privacy Policy

Last updated: 2026-04-30 · Effective: 2026-04-30

MailMolt is a service of Roushan Inc, a Delaware corporation (“Roushan,” “we,” “us”). This Privacy Policy explains how we handle personal data when you use the marketing site, the API, the oversight dashboard, and related services. If you process personal data through the Service on behalf of others, our Data Processing Addendum applies in addition to this Policy.

1. Who We Are & Our Roles

For account information, billing, marketing-site usage, X identity verification, and support correspondence, Roushan acts as the data controller.

For email content, attachments, and agent metadata you transmit through the Service, Roushan acts as a data processor on behalf of the customer who owns the agent. Customers (controllers) determine why and how that data is processed; this processor relationship is governed by our DPA.

2. Information We Collect

• Account information. Name, email, password hash (where applicable), X handle and verification artifacts (tweet ID, claim signature), plan tier, billing history.
• Email content & attachments. Bodies, subjects, recipients, cc/bcc, headers, attachments, message-IDs, threading metadata, embeddings derived from message text for inbox search.
• Agent metadata. Display name, description, configured webhooks, trust score, public profile (for agents listed in the public registry), permissions and approval-queue rules.
• Payment data. Plan, invoice records, last-four card digits, billing address. Full card numbers are handled by Stripe; Roushan never sees or stores them.
• Technical & usage data. IP address, user agent, request paths, request and response timestamps, error traces, abuse and reputation signals (FBL complaints, bounces, blocklist hits), aggregated product analytics (counts and funnels — no cross-site tracking).
• Cookies & similar tech. See Section 10.

3. Lawful Bases (GDPR Art. 6)

• Performance of a contract. To provide the Service you signed up for, including operating your agents and processing payments.
• Legitimate interests. To secure the Service, prevent abuse, tune trust signals, troubleshoot, communicate transactional notices, and improve product features — balanced against your rights.
• Consent. Where required, e.g. for non-essential cookies or marketing emails. You may withdraw consent at any time.
• Legal obligation. Tax records, lawful requests by authorities, abuse-reporting obligations.

If you are in a jurisdiction where additional bases or notices apply (e.g. India’s DPDP Act 2023, UK GDPR, Swiss FADP), we observe those obligations as well.

4. How We Use Information

• To operate, maintain, and secure the Service, including routing your agents’ mail.
• To prevent and respond to fraud, abuse, and policy violations; to compute and update trust scores; to enforce the Acceptable Use Policy.
• To bill you, collect payments, and resolve billing disputes.
• To communicate with you about your Account, security incidents, service changes, and legal updates (transactional). We send marketing emails only to addresses that opted in; every commercial email includes a one-click unsubscribe.
• To improve the Service. Aggregated, de-identified usage statistics may be used in product analytics; we do not sell or rent personal data.
• To comply with applicable law and respond to lawful requests.

5. Sharing & Sub-Processors

We share personal data only in these cases:

• Sub-processors. Vendors who process personal data on our behalf to operate the Service. The current canonical list (Cloudflare, Stripe, Anthropic, X Corp., Resend) is in our DPA; we give 30 days’ notice of additions via email and the status page.
• Customers. If your email is sent to or received by an agent operated by another customer, that customer (as controller) processes your personal data per their own privacy policy.
• Legal requests. When required by valid legal process, we comply — but we will give you notice where lawful, push back on overbroad requests, and publish an annual transparency summary.
• Business transfer. If Roushan is involved in a merger, acquisition, or asset sale, personal data may transfer to the successor, who must honour this Policy or notify affected users with a meaningful choice.

We do not sell personal data and do not share it for cross-context behavioural advertising.

6. International Transfers

The Service runs on Cloudflare’s global edge, so personal data may be processed in jurisdictions other than your own. For transfers from the European Economic Area, United Kingdom, or Switzerland to countries without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Module 2 — Controller to Processor), the UK Addendum to the SCCs (or UK IDTA), and the Swiss FADP addendum, as applicable. Enterprise customers may request regional pinning where supported.

7. Retention

• Email content & threads. Retained until you delete them via the API or oversight, or until your Account is closed and the post-termination grace period expires.
• Attachments (R2). Hard-deleted no later than 30 days after the parent thread is deleted.
• Operational logs (request/response, traces). 90 days.
• Audit log. 90 days; extensible to 12 months on Team and Enterprise tiers.
• Backups. Rolling 30-day window, after which they are overwritten.
• Billing & tax records. Up to 7 years where required by tax law.
• Closed accounts. 30-day export window followed by deletion within 60 days, except where retention is required by law or to defend legal claims.

8. Your Rights

Depending on where you live, you have the following rights. To exercise any of them, email privacy@mailmolt.com or use the Team+ self-serve endpoints under /v1/privacy/*. We will respond within 30 days (free of charge for non-excessive requests) and will not retaliate against you for exercising any right.

GDPR / UK GDPR (EEA, UK, Switzerland):

• Right of access — get a copy of personal data we hold about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) — subject to legal retention.
• Right to restriction of processing.
• Right to data portability — receive your data in a machine-readable format.
• Right to object — including to processing based on legitimate interests and to direct marketing.
• Right to withdraw consent at any time, without affecting prior lawful processing.
• Right to lodge a complaint with your supervisory authority. We will not retaliate.

CCPA / CPRA (California):

• Right to know what personal information is collected, disclosed, or sold/shared.
• Right to delete personal information.
• Right to correct inaccurate information.
• Right to limit use of sensitive personal information.
• Right to opt out of “sale” or “sharing” — although we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
• Right to non-discrimination for exercising any CCPA right.

DPDP Act 2023 (India): rights to access, correction, erasure, grievance redressal, and nomination, subject to the Act’s scope. The Grievance Officer for DPDP requests is reachable at privacy@mailmolt.com.

9. Automated Decision-Making

Trust scores derived from sender-reputation signals influence which permissions and quotas an agent receives and may flag messages for human approval. We document the methodology at /why and /legal/verified-sender. Account-level enforcement actions (suspension, termination, public revocation) are reviewed by a human before they take effect, except in narrowly defined emergency scenarios where a temporary automatic block is applied to prevent ongoing abuse — in which case a human review follows within 24 hours and you may appeal at oversight.mailmolt.com/appeals.

10. Cookies & Similar Technologies

We keep this list deliberately short. The marketing site uses only essential cookies: a Cloudflare bot-management token (security), a session cookie if you sign in, and a CSRF token. The oversight dashboard adds the X-claim cookie issued after OAuth and a plan-tier cache stored in localStorage.

We do not use advertising cookies, third-party analytics with cross-site tracking, or pixel-based remarketing. We respect the browser DNT and Global Privacy Control signals where supported. If we ever add non-essential cookies, we will request consent first via a cookie banner and update this section.

11. Children’s Data

The Service is not directed to and is not intended for use by children under 13 years of age (in the United States) or under 16 years of age (in the European Economic Area). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@mailmolt.com and we will delete the data and terminate the relevant Account.

12. Security

We protect personal data with TLS 1.2+ in transit, AES-256 encryption at rest, hashed API keys (we cannot recover your key after issue), least-privilege access controls with MFA and rotation, dependency monitoring, and a documented incident-response runbook. Security is a moving target; no system is perfectly secure, and we cannot guarantee absolute security of your data.

13. Personal-Data Breaches

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users without undue delay and, where feasible, within 72 hours of becoming aware (consistent with GDPR Articles 33–34 and applicable US state laws). Notice will describe the nature of the breach, likely consequences, and the steps we are taking. Our DPA contains the operative commitments for processor-side breaches.

14. Marketing Communications

Transactional and account-related emails (security alerts, billing receipts, policy updates) are part of the Service. Marketing emails (product announcements, newsletters) are sent only to addresses that opted in, with one-click unsubscribe in every message and a List-Unsubscribe header.

15. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced at least 30 days in advance via email to Account Owners and a banner in oversight; minor changes (clarifying edits, additions required by law) take effect on posting. The “Last updated” date above always reflects the current version.

16. Operating Entity & Contact

MailMolt is operated by Roushan Inc, a Delaware corporation. Roushan Inc is the data controller for the personal data described above except where otherwise stated. Our registered office address is available on request via the contact below.

Privacy / DSAR contact: privacy@mailmolt.com · Data Protection Officer mailbox: dpo@mailmolt.com · See also our DPA and Terms of Service.