Privacy Policy

Effective date: 2026-05-07

This page describes what data SendBolt collects, how we use it, and the controls you have over it. We follow the principle of least data: we only collect what we need to deliver mail and surface analytics for the senders who use us.

What we collect

Account data — email, name, password hash (bcrypt), timezone, 2FA state
Tenant configuration — sending domains, DKIM keys (encrypted at rest), SMTP credentials (encrypted), API keys (hashed)
Contact lists you upload — email addresses, names, custom fields you define
Engagement events — opens, clicks, bounces, unsubscribes (with timestamps and IPs)
Audit log of every administrative action you take inside the dashboard

What we don't collect

The content of email bodies after they're delivered (we keep the rendered template, not per-recipient renderings)
The browsing history of recipients beyond the open/click events generated by your campaigns
Third-party trackers — there are no Google Analytics, Facebook Pixel, or similar tags on the dashboard

How long we keep it

By default we keep events forever so you have full history. Tenants on the Pro plan can configure a retention policy at /dashboard/settings/privacy (90 / 180 / 365 days / forever). Audit logs follow the same policy.

Data export & deletion

Per GDPR Article 15 (right of access) and Article 17 (right to erasure), every contact in your tenant has a per-row Export data button (returns a signed-URL ZIP of all PII for that contact) and a Delete & forget button (cascades the contact to all related rows and replaces the email with deleted-<uuid>@gdpr.invalid).

Where the data lives

SendBolt runs on a single OVH VPS (Strasbourg, France region; AS35540). Postgres 16 with daily on-disk encrypted backups. DKIM private keys and SMTP passwords are AES-256-GCM encrypted using a per-deployment API_ENCRYPTION_KEY.

Bring-your-own-SMTP

Tenants who configure per-domain SMTP credentials (Mailgun, SendGrid, Postmark, AWS SES, etc.) are sending through their own provider — SendBolt only orchestrates the campaign and tracks the events. The email body and recipients still pass through us so the analytics work, but the actual SMTP delivery uses your provider's infrastructure.

Contact

Questions, data requests, or concerns: rahul@sendbolt.io.