Data Privacy Policy

---

Strategic Alignment

Strategic Alignment: This comprehensive privacy policy supports our enterprise compliance strategy by providing regulatory compliance and risk mitigation across international data protection frameworks, establishing market leadership through transparent privacy practices and GDPR/CCPA compliance excellence.

Technical Authority: Our privacy infrastructure integrates with comprehensive monitoring systems featuring automated consent tracking, data subject rights processing, and international transfer safeguards, positioning us as a technical authority in global privacy compliance.

Operational Excellence: Backed by enterprise privacy platforms with 99.9% privacy compliance uptime, advanced audit logging, and automated data lifecycle management, ensuring reliable privacy protection across all operational domains.

User Journey Integration: This privacy feature is part of your complete data protection and transparency experience - connects to user authentication workflows, consent management processes, and international data transfer mechanisms throughout your entire user journey.

---

Effective Date: October 28, 2025

1. Introduction

PenguinMails (“we,” “our,” or “us”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email infrastructure and campaign management platform (“Services”).

We comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and other relevant privacy regulations worldwide.

2. Information We Collect

2.1 Information You Provide to Us

We collect information you directly provide to us:

Account Information

• Name, email address, phone number

• Company name, industry, and size

• Billing and payment information

• Account preferences and settings

Campaign Data

• Email recipient lists and contact information

• Email content, subject lines, and templates

• Campaign scheduling and delivery settings

• Campaign performance metrics and analytics

Customer Support

• Communications with our support team

• Issue descriptions and troubleshooting information

• Feedback and survey responses

2.2 Information We Collect Automatically

When you use our Services, we automatically collect:

Usage Data

• IP addresses, browser type, and device information

• Pages visited, features used, and time spent

• Email open rates, click-through rates, and engagement metrics

• System performance and error logs

Cookies and Tracking Technologies

• Essential cookies for platform functionality

• Analytics cookies for service improvement

• Preference cookies for user experience customization

2.3 Information from Third Parties

We may receive information from:

Email Service Providers

• Delivery confirmations and bounce notifications

• Spam complaints and unsubscribe requests

• Email engagement metrics

Payment Processors

• Billing and transaction information

• Account verification data

Business Partners

• Referral information and partnership data

• Integration and API usage data

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Improving Our Services

• Creating and managing your account

• Processing email campaigns and deliveries

• Providing customer support and technical assistance

• Analyzing usage patterns to improve functionality

3.2 Communication and Marketing

• Sending service updates and maintenance notifications

• Providing educational content and best practices

• Sharing product announcements and feature updates

• Conducting customer surveys and feedback collection

3.3 Security and Compliance

• Detecting and preventing fraud and abuse

• Ensuring platform security and data protection

• Complying with legal obligations and regulatory requirements

• Conducting security audits and risk assessments

3.4 Business Operations

• Processing payments and managing subscriptions

• Analyzing business performance and metrics

• Conducting research and development

• Supporting mergers, acquisitions, or asset sales

4. How We Share Your Information

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this policy:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our platform:

• Email Service Providers (Mailgun, SendGrid): For email delivery and analytics

• Payment Processors (Stripe): For billing and payment processing

• Analytics Providers (PostHog): For usage analytics and product improvement

• Cloud Infrastructure (Hostwinds): For hosting and data storage

• Database Services (NileDB): For secure data management

4.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to continued privacy protections.

4.3 Legal Requirements

We may disclose information when required by law, court order, or government request, or when necessary to protect our rights, safety, or the rights and safety of others.

4.4 Consent-Based Sharing

With your explicit consent, we may share information for specific purposes, such as integrations with third-party applications or referral programs.

4.5 Aggregated and De-identified Data

We may share aggregated, anonymized data that cannot be used to identify individual users for research, analytics, or business purposes.

5. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights:

5.1 Access and Portability

• Request a copy of your personal information

• Receive your data in a structured, machine-readable format

• Understand how your data is processed

5.2 Rectification

• Correct inaccurate or incomplete personal information

• Update your account information and preferences

5.3 Erasure

• Request deletion of your personal information

• Close your account and remove associated data

• Note: Some data may be retained for legal or legitimate business purposes

5.4 Restriction and Objection

• Limit how we process your information

• Object to processing based on legitimate interests

• Opt-out of marketing communications

5.5 Consent Withdrawal

• Withdraw consent for data processing where applicable

• Modify communication preferences

• Adjust privacy settings

5.6 Data Portability

• Export your data in a portable format

• Transfer data to another service provider

• Access raw data for backup purposes

6. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes outlined in this policy:

• Account Data: Retained for the duration of your account plus 3 years for legal compliance

• Campaign Data: Retained for 2 years for analytics and compliance purposes

• Payment Data: Retained for 7 years for financial compliance

• Support Communications: Retained for 2 years for quality assurance

• Analytics Data: Aggregated after 1 year, individual data deleted after 2 years

Data retention periods may be extended for legal requirements, ongoing disputes, or legitimate business needs.

7. International Data Transfers

PenguinMails operates globally, and your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards for international transfers:

• Adequacy Decisions: Transfers to countries with adequate protection

• Standard Contractual Clauses: EU-approved data transfer mechanisms

• Binding Corporate Rules: Internal privacy rules for global transfers

• Encryption and Security: Technical measures to protect data in transit

8. Data Security

We implement comprehensive security measures to protect your information:

8.1 Technical Safeguards

• Encryption: Data encrypted at rest and in transit using AES-256

• Access Controls: Role-based access with multi-factor authentication

• Network Security: Firewalls, intrusion detection, and regular vulnerability scanning

• Secure Development: Code review and security testing practices

8.2 Administrative Safeguards

• Employee Training: Regular privacy and security awareness training

• Background Checks: Screening for employees with data access

• Access Reviews: Regular audit of system access permissions

• Incident Response: 24/7 monitoring and rapid response procedures

8.3 Physical Safeguards

• Secure Facilities: Data centers with physical security controls

• Environmental Controls: Climate control and disaster recovery systems

• Equipment Security: Secure storage and disposal of hardware

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

• Essential Cookies: Required for platform functionality

• Analytics Cookies: Help us understand user behavior and improve services

• Functional Cookies: Remember your preferences and settings

• Marketing Cookies: Used for targeted communications (with consent)

9.2 Cookie Management

• Browser Settings: Most browsers allow you to control cookie settings

• Opt-out Options: Links provided in cookie banners and preference centers

• Granular Controls: Choose which types of cookies to accept

• Regular Reviews: Cookie usage reviewed annually for necessity

10. Third-Party Services

Our platform integrates with various third-party services. Each integration has its own privacy practices:

10.1 Email Service Providers

• Mailgun and SendGrid process emails on our behalf

• They have their own privacy policies for email delivery data

• We limit data shared to necessary delivery information

10.2 Payment Processing

• Stripe handles payment processing and billing

• Payment information is subject to Stripe’s PCI DSS compliance

• We do not store full payment card details

10.3 Analytics Services

• PostHog collects usage analytics for product improvement

• Data is anonymized and aggregated where possible

• You can opt-out of analytics tracking in account settings

11. Children’s Privacy

Our Services are not intended for children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:

• Post the updated policy on our website

• Send notification via email for significant changes

• Provide a summary of key changes

• Allow 30 days for review before major changes take effect

13. Contact Information

If you have questions about this Privacy Policy or our data practices:

Data Protection Officer

• Email: privacy@penguinmails.com

• Address: [Company Address]

• Response Time: Within 30 days

EU Representative (for GDPR matters)

• Email: dpo@penguinmails.com

• Address: [EU Representative Address]

US Privacy Contact (for CCPA matters)

• Email: privacy@penguinmails.com

• Phone: [Privacy Hotline Number]

14. Complaints and Dispute Resolution

If you believe we have not adequately addressed your privacy concerns:

14.1 Internal Review

• Contact our Data Protection Officer for internal review

• We will investigate and respond within 30 days

• Provide detailed explanation of our findings

14.2 Regulatory Authorities

You have the right to lodge a complaint with your local data protection authority:

Europe: Your local supervisory authority under GDPR United States: Your state Attorney General or the FTC Canada: Privacy Commissioner of Canada Other jurisdictions: Your local data protection regulator

14.3 Alternative Dispute Resolution

For disputes not resolved through regulatory channels, we participate in binding arbitration or mediation as required by applicable law.

15. Additional Regional Notices

15.1 European Union (GDPR)

• We are the data controller for personal information collected through our Services

• International transfers use Standard Contractual Clauses

• Data Protection Impact Assessments conducted for high-risk processing

• Records of processing activities maintained and available upon request

15.2 California (CCPA)

• We do not sell personal information

• We provide notice at collection about categories of information collected

• You can request information about our data practices

• You can request deletion of your personal information (with exceptions)

15.3 Canada (PIPEDA)

• We comply with the Personal Information Protection and Electronic Documents Act

• Consent is obtained for collection, use, and disclosure of personal information

• Reasonable security safeguards are implemented

• Privacy policies are made readily available

15.4 Other Jurisdictions

We comply with applicable privacy laws in other jurisdictions where we operate, including but not limited to Australia (Privacy Act), Japan (APPI), and Brazil (LGPD).

---

This Privacy Policy is incorporated into our Terms of Service. By using PenguinMails, you acknowledge that you have read and understood this Privacy Policy

Last Reviewed: October 28, 2025

Related Documents

• Compliance Procedures - Detailed compliance workflows

• Security Framework - Technical security implementation

• SOP Guidelines - Standard operating procedures

---