NuMail is email infrastructure: we send, receive, and reason over email on our customers' behalf. That makes privacy load-bearing, not boilerplate. This policy explains what we collect, why, the legal grounds we rely on, who we share it with, and the rights you can exercise — for both the people who use NuMail and the people whose data flows through it.
This Privacy Policy describes how NuMail (“NuMail,” “we,” “us,” or “our”) handles personal data in connection with our cold-email infrastructure — the web app, the REST API, the MCP server, the SDKs, and any related services (together, the “Service”). It applies to agencies, founders, operators, and the AI agents acting on their behalf who use NuMail (“Customers”), and to visitors of our marketing site.
NuMail plays two distinct privacy roles, and the distinction matters for everything below:
Where this policy covers email content, recipient lists, and mailbox data we handle on your behalf, our Customer is the controller and is responsible for having a lawful basis to email those recipients and for honoring their rights. Recipients with questions about a specific campaign should contact the sender; we will route verified requests to the relevant Customer. Our DPA and Terms of Service govern in the event of any conflict with this page.
When you sign up, we collect your name, email address, password credentials (managed via our authentication provider), workspace and organization names, role, and — for Agency-tier Customers — the sub-workspace and end-client details you create. We never see or store your raw password.
Plan, subscription status, invoices, and tax/region information. Card numbers are handled directly by Stripe; we store only Stripe customer and payment-method identifiers, never full card data. For agencies using Stripe Connect to bill end-clients, payouts and connected-account metadata are processed by Stripe under their own terms.
When you connect a mailbox, we store OAuth access and refresh tokens (encrypted at rest), the connected email address, provider type, and reputation/health signals (sending limits, bounce rates, warmup tier). These tokens are scoped to the permissions you grant and can be revoked at any time from Settings or by disconnecting the mailbox.
To deliver the Service, we process — as your processor — the messages you send and the replies you receive, including: subject lines and bodies, recipient names and email addresses, lead fields and tags you import, thread history, delivery and engagement events (sent, opened, clicked, bounced, unsubscribed), reply classifications, and AI-generated draft replies. Reply detection runs in roughly 2.4 seconds; draft generation uses Anthropic's Claude models on content limited to the relevant thread.
Log data such as IP address, browser and device type, pages viewed, API requests, timestamps, and feature interactions. We use this for security, debugging, rate-limiting, and improving the product.
We use strictly necessary cookies for authentication and session security, and a small set of analytics cookies to understand aggregate product usage. We do not sell cookie data or use third-party advertising trackers on the application. Where required, we present a consent banner; you can adjust non-essential cookies there or in your browser settings.
We use the data described above to:
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR when we act as a controller:
For email content and recipient data we process on a Customer's behalf, the Customer determines the legal basis as controller; we process strictly under their documented instructions per our DPA.
NuMail operates globally, so personal data may be transferred to and processed in countries other than your own, including the United States. Where we transfer data out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable), together with supplementary technical and organizational measures such as encryption in transit and at rest.
Customers can request a copy of the SCCs we have in place by emailing privacy@numail.ai.
We keep personal data only as long as we need it for the purposes described here:
DELETE /v1/leads/:id) purge it from primary systems promptly and from backups on the normal backup-rotation cycle. When you delete a workspace, we delete or anonymize its data on the timeline above. Residual copies may persist briefly in encrypted backups before they expire.
Subject to conditions and exemptions in law, you have the right to:
You have the right to:
To exercise any of these rights, email privacy@numail.ai. We will verify your identity before acting and respond within the timeframe required by applicable law. You may use an authorized agent where the law allows. If your request concerns email data we processed on a Customer's behalf, we will refer you to, or coordinate with, that Customer as the controller.
We protect personal data with technical and organizational measures appropriate to the risk, including: encryption in transit (TLS) and at rest, encrypted storage of OAuth tokens and secrets, scoped API keys (nm_live_) with per-workspace isolation, HMAC-signed webhooks, least-privilege access controls, audit logging, and routine patching of infrastructure. Access to production data is restricted to personnel who need it and is logged.
No system is perfectly secure. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by applicable law and without undue delay.
NuMail is a business tool intended for use by professionals. The Service is not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact privacy@numail.ai and we will delete it.
We may update this policy as our Service, the law, or our practices evolve. When we make material changes, we will revise the “Last updated” date above and, where appropriate, notify Customers by email or an in-app notice. Your continued use of the Service after an update takes effect constitutes acceptance of the revised policy.
Questions about this policy or how we handle your data? Reach our privacy team — we read every message.
This Privacy Policy is provided as a template for NuMail's launch and is intended to reflect our practices in good faith. It is not legal advice, may not address every requirement applicable to your jurisdiction or use case, and should be reviewed and finalized by qualified counsel before being relied upon. Where this page conflicts with our signed DPA or Terms of Service, those documents control.