Privacy Policy

Effective date: April 17, 2026  ·  Last updated: May 10, 2026

MailSetu ("MailSetu", "we", "our", or "us") is a transactional email delivery service operated from Mumbai, Maharashtra, India. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our website at mailssetu.in, our dashboard, our API, or any related service (collectively, the "Service").

By accessing or using the Service you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

1. Information We Collect

1.1 Information You Provide Directly

  • Account registration: name, email address, password (stored as a bcrypt hash), and GSTIN (optional).
  • Billing information: billing address, GST number, and payment method details. Card numbers and UPI VPAs are never stored on our servers — they are handled exclusively by our payment processor, Razorpay.
  • Domain records: domain names you add for email sending and the DNS verification status of those domains.
  • Email content: subject lines, HTML/text bodies, recipient addresses, sender addresses, and attachments that you submit through the API or dashboard for delivery.
  • Template content: HTML and text templates you store in our template library.
  • Support communications: any information you share when you contact our support team.

1.2 Information Collected Automatically

  • Log data: IP address, browser type, pages visited, referring URL, timestamps, and HTTP response codes.
  • API usage metadata: API key identifiers (never the raw secret), request volumes, endpoint names, and error codes.
  • First-party journey analytics: landing pages, referral source, UTM parameters, coarse geo headers (when your proxy provides them), page transitions, and conversion milestones such as signup completion or dashboard activation.
  • Delivery events: opens, clicks, bounces, complaints, and unsubscribe events as reported back to us by AWS Simple Email Service (SES) via SNS webhooks.
  • Device & browser data: operating system, device type, and screen resolution collected through standard HTTP headers and session cookies.

1.3 Information from Third Parties

  • Razorpay: payment status, order ID, and masked card/UPI details provided by Razorpay after payment authorisation.
  • AWS SES & SNS: email delivery status events (delivered, bounced, complained, opened, clicked).

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process payments and issue GST-compliant invoices.
  • Send transactional emails on your behalf via AWS SES.
  • Monitor Service health, detect abuse, and enforce our Acceptable Use Policy.
  • Enforce monthly sending quotas tied to your subscription plan.
  • Respond to your support requests and communicate about your account.
  • Send critical service announcements (e.g., downtime notices, security alerts). You cannot opt out of these.
  • Send optional product updates and newsletters (you may opt out at any time).
  • Comply with applicable law, legal process, or government requests.
  • Detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities.
  • Improve and develop new features based on aggregate, anonymised usage patterns.
  • Understand onboarding friction, landing-page drop-off, and product adoption using first-party journey analytics.

We do not sell your personal data to any third party.

3. Legal Basis for Processing (GDPR & Indian DPDP Act 2023)

  • Contract performance: processing necessary to deliver the Service you have subscribed to.
  • Legitimate interests: fraud prevention, security monitoring, service analytics.
  • Legal obligation: compliance with Indian taxation law (GST), IT Act 2000, and court orders.
  • Consent: marketing communications (you may withdraw consent at any time).

4. Data Sharing and Disclosure

We share data only with the following categories of recipients:

4.1 Service Providers (Sub-processors)

  • Amazon Web Services, Inc. — cloud infrastructure (Mumbai region, ap-south-1) and email delivery via SES.
  • Razorpay Software Private Limited — payment processing. Razorpay's privacy policy governs data they hold.
  • Redis Labs / Upstash — in-memory queue storage (no personal email content is persisted in Redis beyond the processing window).

4.2 Legal Requirements

We may disclose your information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.3 Business Transfers

If MailSetu is involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website at least 30 days prior to any such transfer and will describe your choices.

5. Data Retention

  • Email logs & delivery events: retained for 90 days from the date of sending. After 90 days, logs are purged from our primary database. Aggregate anonymised statistics may be retained indefinitely.
  • Email content (HTML/text bodies): not stored after the email is queued and dispatched. Bodies are held in the BullMQ queue only for the duration of processing (seconds to minutes) and are deleted on successful dispatch or after 3 failed retry attempts.
  • Account data: retained for the lifetime of your account, plus 30 days after account deletion (to allow for re-activation). Tax-relevant payment records are retained for 8 years as required by the Indian Income Tax Act.
  • API keys: hashed keys are retained until you delete them.

6. Data Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+.
  • Passwords are hashed using bcrypt (cost factor 12).
  • API key secrets are shown only once at creation and stored as SHA-256 hashes thereafter.
  • Our infrastructure runs in AWS VPC with private subnets and security groups restricting inter-service traffic.
  • Database access requires IAM role-based permissions; no shared credentials are used.
  • Regular automated vulnerability scanning is performed on our codebase and dependencies.

Despite these measures, no security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of the breach, as required by applicable law.

7. Cookies

We use strictly necessary session cookies to maintain your authenticated state in the dashboard. We do not use third-party advertising or tracking cookies. We do collect first-party product analytics events so we can understand traffic sources, journey drop-off, and onboarding conversion. For full details, see our Cookie Policy.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your data (subject to our legal retention obligations).
  • Portability: receive your data in a machine-readable format.
  • Restriction: request that we restrict processing of your data.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: withdraw consent for marketing communications at any time.

To exercise any of these rights, email us at privacy@mailssetu.in. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@mailssetu.in and we will delete the information.

10. International Data Transfers

Your data is primarily stored and processed on AWS infrastructure in the ap-south-1 (Mumbai) region. In limited circumstances (e.g., support tooling), data may be accessed by personnel or systems outside India. We ensure adequate safeguards are in place for any such transfers.

11. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email and/or by posting a prominent notice on our website at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Governing Law

This Privacy Policy is governed by the laws of the Republic of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. Any disputes shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.

14. Contact Us

If you have questions or concerns about this Privacy Policy:

© 2026 MailSetu. All rights reserved. · Mumbai, India