Anti-Spam & Acceptable Use

Scope & who this binds

This Policy applies to you, every user on your account, and — critically — every sub-workspace and end-client you operate on the Agency plan or through Stripe-Connect white-label. You are responsible for your sub-workspace users' conduct as if it were your own. If a client of yours sends spam through infrastructure you provisioned on NuMail, that is your violation to answer for.

NuMail is a conduit and tooling provider, not the sender of record. You decide who to contact, what to send, and on what lawful basis. We do not supply, sell, rent, or scrape contact lists, and we never will. The obligation to send compliant mail rests with the party hitting send — which is you.

The consent principle

You must have a lawful basis to contact every recipient, for every message, before it is sent. Cold email is legitimate when there is a real, defensible reason for the outreach. It is spam — and a breach of this Policy — when there is not. Acceptable bases include:

• Opt-in consent — the recipient explicitly asked to hear from you, where consent is the required standard.
• A prior or existing business relationship — they are a customer, a past customer, an inquirer, or otherwise have an established connection to you.
• A documented legitimate-interest basis for B2B outreach — a relevant business contact, targeted because of their professional role and a genuine fit, properly assessed and recorded where the law permits it (for example, certain B2B outreach under the GDPR).

What is never an acceptable basis

• Purchased, rented, or list-broker data. Buying a list is not consent and is not a relationship.
• Scraped data harvested indiscriminately from websites, social platforms, directories, or breaches.
• “Found” addresses — catch-all guesses, role accounts blasted at scale, or pattern-generated addresses (first.last@ permutations) sent without any relevance filter.

You must be able to articulate, on request and on short notice, why you were entitled to contact a given recipient and where the data came from. “We bought a list” is not an answer that survives this Policy. Relevance is not optional: a lawful basis is necessary but not sufficient — irrelevant blast mail to technically-permissible contacts still generates the complaints that get accounts removed.

Legal compliance

You are responsible for complying with every email, privacy, and marketing law that applies to your recipients — not just the ones in your own country. At minimum, that includes the U.S. CAN-SPAM Act, Canada's CASL, and the EU's GDPR and ePrivacy rules, plus any equivalent regime (UK PECR, Australia's Spam Act, and others) wherever your recipients sit.

Hard requirements for every message

• Truthful headers and routing. The From, Reply-To, and originating information must be accurate and tied to a mailbox you legitimately control. No spoofing, no forged headers, no misleading routing.
• Honest subject lines. Subjects must not deceive about the contents or purpose of the message. No fake Re: / Fwd: threads where no prior thread exists.
• Clear sender identity. The recipient must be able to tell who is emailing them and, where required, that the message is a commercial or promotional communication.
• A valid physical postal address. CAN-SPAM and others require a real, current mailing address in the message. A PO box or registered-agent address that the recipient can reach is acceptable.
• A working, conspicuous opt-out. Every recipient must be able to unsubscribe in one obvious step, with no fee, login, or hoop-jumping.
• Prompt honoring of opt-outs. You must stop emailing anyone who unsubscribes promptly — and well within the windows the law sets (CAN-SPAM's is ten business days). NuMail maintains per-workspace suppression lists and auto-suppresses on unsubscribe, but the legal duty to honor a request is yours, including for requests received outside the platform.

Where you process personal data of recipients in regulated regions, you are the controller for that processing and we act as processor; our Data Processing Addendum governs it. Maintaining records of your lawful basis, your consents, and your opt-outs is part of compliance — and your evidence if a complaint is ever escalated to a regulator.

Prohibited content & uses

Regardless of consent, you may not use NuMail to send, promote, facilitate, or distribute any of the following. This list is illustrative, not exhaustive — if something is obviously abusive, assume it is prohibited.

• Deception & fraud — phishing, credential harvesting, spoofed brands, fake invoices, “you've won” schemes, advance-fee fraud, or any attempt to trick recipients.
• Malware & exploits — links or attachments that install malware, ransomware, spyware, or that exploit the recipient's device.
• Illegal goods & regulated verticals abused — controlled substances, weapons, counterfeit goods, illegal financial products, and other unlawful offerings; high-risk verticals (crypto solicitation, gambling, adult, pharma, debt relief, lead-gen for predatory lending) are restricted and may require prior written approval.
• Harassment & harmful content — threatening, hateful, defamatory, sexually exploitative (especially anything involving minors — reported to authorities, no exceptions), or content that incites violence.
• Misappropriation — content that infringes intellectual property, misappropriates a brand, or violates a third party's rights.
• Evasion & abuse of the platform — rotating domains, identities, or mailboxes to disguise the true source or scale of a campaign; circumventing rate limits, filtering, or suppression; probing or reverse-engineering the Service; or manipulating the warmup pool.
• Reputation endangerment — any use that threatens the deliverability or standing of other NuMail customers, our sending infrastructure, or our relationships with Google, Microsoft, and downstream receiving networks.

List hygiene

Clean lists are not a courtesy — they are a condition of using the platform. Sending to dead, invalid, or hostile addresses generates the bounces and complaints that wreck sender reputation, and on shared infrastructure that harm is collective. You are expected to:

• Verify before you send. Validate addresses for syntax, domain, and mailbox existence before enrolling them. Remove obvious traps and role accounts (abuse@, postmaster@, noreply@) unless they are genuinely your intended, consented contact.
• Suppress permanently. Unsubscribes, hard bounces, spam complaints, and explicit “do not contact” replies must never be emailed again. NuMail enforces suppression automatically across the workspace; do not attempt to re-add suppressed contacts.
• Re-permission stale data. Lists that have sat untouched for many months go stale and accumulate spam traps. Re-verify before reactivating an old segment.
• Never seed spam traps. Pristine and recycled spam traps are how blocklists catch list buyers and scrapers. If you are hitting traps, your acquisition method is the problem, not your hygiene step.

NuMail's warmup, gradual volume ramps, and per-mailbox limits exist to protect you here, but they do not substitute for sending to people who actually want — or have a real reason to receive — your mail.

Bounce & complaint thresholds

We monitor deliverability signals continuously at the mailbox, workspace, and account level. The figures below are guardrails, not licenses: cross them and the platform will throttle, quarantine, or suspend automatically. Healthy senders run far below these numbers.

Thresholds are evaluated over rolling windows and may be tightened for new accounts, new mailboxes, or during a deliverability incident. These numbers are defaults we may adjust to protect the platform; they are not a contractual ceiling you are entitled to push up against.

Warmup-pool quarantine

NuMail's shared warmup pool is a collective asset: mailboxes exchange genuine, positively-engaged conversations to build and maintain sending reputation. To keep the pool clean, a mailbox is automatically quarantined — removed from the pool and restricted or stopped from cold sending — when it shows signs of harming itself or others.

What triggers quarantine

• Crossing the complaint, bounce, or invalid-rate thresholds in Section 06.
• Appearance on a major blocklist, or authentication failures (SPF / DKIM / DMARC misalignment) that signal spoofing or misconfiguration.
• Sudden volume spikes inconsistent with the mailbox's warmup stage, or sending patterns that look automated-abusive rather than human.
• Evidence the mailbox is sending to purchased, scraped, or trap-laden lists.
• OAuth revocation, provider throttling, or a mailbox.error condition from Google or Microsoft.

Quarantine is a containment step, not a punishment — it protects every other mailbox in the pool, including your own healthy ones. You will see the mailbox's state and the reason in the dashboard, and we fire a mailbox.error webhook so your systems can react. Mailboxes can re-enter the pool once the signals recover and the underlying cause is fixed; mailboxes implicated in deliberate abuse do not return.

Enforcement

We would rather coach a sender into compliance than remove them — most threshold trips are honest list problems we can fix together. But when behavior endangers the platform or other customers, we act first and discuss after. Enforcement generally escalates along this ladder, though we may skip straight to suspension or termination for egregious conduct:

1. Automated guardrails. Throttling, ramp halts, campaign pauses, and warmup-pool quarantine kick in the moment thresholds are crossed — no human in the loop, no warning required.
2. Notice & cure. For most policy issues we notify you of the problem and give you a window to fix the list, the content, or the configuration. Where practical, we'll tell you exactly what tripped.
3. Workspace or mailbox suspension. If the issue persists, is severe, or recurs, we suspend the affected mailbox, campaign, or workspace while it's investigated.
4. Account termination. Deliberate spam, fraud, phishing, evasion, or repeated violations result in termination of the account, with no refund and possible reporting to providers, blocklists, or authorities.

Decisions about thresholds, quarantine, and suspension are made at our discretion in good faith. Repeated or egregious violations may result in permanent removal without refund and without the right to re-register. Enforcement under this Policy is in addition to — not in place of — our rights under the Terms of Service.

Report abuse

If you received unwanted mail sent through NuMail, or you believe a customer is violating this Policy, tell us. We investigate every credible report and act on confirmed abuse — it directly protects the deliverability of every legitimate sender on the platform.

• Email abuse@numail.ai with the full message, including complete headers if you can capture them.
• Tell us the receiving address and roughly when it arrived, so we can trace the sending mailbox and workspace.
• For phishing, fraud, or anything involving the safety of a minor, say so plainly — those reports are escalated immediately.

We treat reporters' details as confidential to the extent we can while still investigating, and we don't share your information with the reported sender. To unsubscribe from a specific NuMail-delivered campaign, use the opt-out link in that message; if it is broken or ignored, report it here and we will suppress you and investigate the sender.

Contact

Questions about this Policy, or reports under it, go to the addresses below. Abuse reports are read and actioned every day.