Privacy Policy
This Privacy Policy describes how Bavimail collects, uses, and protects your information when you use our email infrastructure platform, APIs, dashboard, and website.
Overview
Bavimail (“we”, “us”, “our”) is an email infrastructure platform that provides email sending, receiving, tracking, and management services through APIs, SDKs, and a web dashboard.
This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data. It applies to all users of our website, dashboard, APIs, and related services.
By using Bavimail, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our services.
Information We Collect
Account information. When you create an account, we collect your email address and password (stored as a cryptographic hash, never in plain text). If you sign in through a third-party provider (Google, GitHub, or Bavlio), we receive your name, email address, and profile identifier from that provider.
Email data. When you send or receive email through Bavimail, we process message content, headers, metadata (sender, recipients, subject, timestamps), and attachments. This data is necessary to deliver, route, and store your email.
Engagement data. When you enable open tracking or click tracking on outbound emails, we collect data about recipient interactions — specifically when a tracking pixel is loaded (opens) or a tracked link is clicked (clicks).
Domain and DNS data. When you add a sending domain, we store the domain name and associated DNS records (SPF, DKIM, DMARC, MX, Return-Path) needed to authenticate and verify your domain.
Usage and technical data. We automatically collect your IP address, user agent, browser language preferences, pages visited, API requests made, and feature usage patterns. This helps us operate, secure, and improve the platform.
Payment information. Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive transaction confirmations, invoice records, and subscription status from Stripe.
Analytics data. We use PostHog to understand how people use the Bavimail dashboard. PostHog collects pageview data, session information, and interaction events. When you are logged in, we associate analytics data with your account to improve your experience.
Error monitoring data. We use GlitchTip to capture client-side and server-side application errors, operational warnings, and limited diagnostic context needed to investigate reliability problems. This may include route paths, request timing, browser and device details, and account identifiers such as your user ID or email when you are signed in. We configure GlitchTip to avoid storing sensitive secrets such as session cookies, authorization headers, and API keys.
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Bavimail platform
- Process, deliver, route, and store email messages on your behalf
- Authenticate your identity and secure your account
- Track email engagement when you enable open or click tracking
- Process payments and manage your subscription
- Analyze usage patterns and improve the platform
- Monitor for abuse, spam, and policy violations
- Maintain suppression lists and process bounces and complaints
- Communicate with you about your account, billing, and service changes
- Comply with legal obligations
We process your data based on our contractual obligation to provide the service you signed up for, our legitimate interest in improving and securing the platform, and your consent where applicable.
Third-Party Services
We rely on the following third-party services to operate the platform:
- PostHog — Product analytics. Data processed in the United States.
- GlitchTip — Application error monitoring and diagnostic log storage.
- Stripe — Payment processing. Data processed in the United States.
- Amazon Web Services (AWS) — Email delivery infrastructure and hosting.
- Google — OAuth authentication and web font delivery.
- GitHub — OAuth authentication.
- Railway — Application hosting and deployment.
Each third-party service processes data according to its own privacy policy. We share only the minimum data necessary for each service to perform its function.
Data Sharing
Service providers. We share data with the third-party services listed above, only as needed to operate the platform. These providers are contractually obligated to protect your data.
Legal requirements. We may disclose your information if required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers. If Bavimail is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
No sale of personal data. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
Data Retention
Account data. We retain your account information for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law.
Email data. Emails and attachments are retained according to your plan’s retention period — 7 days on Free, 30 days on Pro, and 90 days on Business. Enterprise customers may negotiate custom retention periods. After the retention period, email data is permanently deleted.
Analytics data. Aggregated analytics data (without personal identifiers) may be retained indefinitely to improve the platform.
Error monitoring data. Error events and diagnostic logs are retained according to our operational retention settings and are deleted when they are no longer needed for debugging, incident response, or reliability analysis.
Payment records. Transaction and invoice records are retained as required by tax and accounting regulations, typically for 7 years.
Technical logs. Server logs containing IP addresses and request data are retained for up to 90 days for security and debugging purposes.
Data Security
We implement technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS
- Stored data is encrypted at rest
- Passwords are hashed using industry-standard algorithms
- Two-factor authentication (TOTP) is available for all accounts
- API keys are scoped and rate-limited
- Access to production systems is restricted and audited
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. You are responsible for keeping your account credentials and API keys confidential.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of the personal data we hold about you
- Correction — Update or correct inaccurate information
- Deletion — Request deletion of your account and personal data
- Export — Receive your data in a portable format
- Objection — Object to certain types of data processing
- Restriction — Request that we limit how we use your data
To exercise any of these rights, contact us at support@bavimail.com. We will respond within 30 days.
You can also manage your data directly through the dashboard: update your profile, delete your account, or configure email tracking and retention preferences.
Children's Privacy
Bavimail is designed for professional and business use. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete that information promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by posting a notice in the dashboard at least 30 days before the changes take effect.
The “Last updated” date at the top of this page indicates when the policy was most recently revised. Your continued use of Bavimail after changes become effective constitutes your acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us: