Privacy Policy

Last updated: April 2026

1. Data Controller

sendstorm is operated by [Your Company Name], [Your Address], Germany. Contact: privacy@sendstorm.app

2. Data We Collect

Account Data

When you create an account, we collect your email address and password (hashed). We use Supabase Auth for authentication.

Campaign & CRM Data

We store the email campaigns you create, your subscriber lists, and email addresses of your subscribers. This data is processed solely to provide the email sending service.

Usage Data

We collect analytics on email opens, clicks, bounces, and unsubscribes to provide campaign performance metrics.

Technical Data

Server logs may include IP addresses, browser type, and timestamps for security and debugging purposes.

3. Legal Basis (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)) — processing your account and campaign data to provide the service
• Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, service improvement
• Consent (Art. 6(1)(a)) — where explicitly given (e.g., marketing emails from us to you)

4. Data Processors

• Supabase (database, auth) — EU region
• Resend (email delivery) — US, EU Standard Contractual Clauses
• Vercel (hosting) — US/EU edge network
• Stripe (payments) — US, PCI DSS compliant

5. Your Rights

Under GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Delete your data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent

To exercise these rights, contact privacy@sendstorm.app.

6. Data Retention

We retain your data for as long as your account is active. When you delete your workspace, all associated data is permanently deleted within 30 days.

7. Cookies

We use essential cookies only (authentication session). No tracking or advertising cookies are used.

8. Changes

We may update this policy. Material changes will be communicated via email or in-app notification.