Privacy Policy
This Privacy Policy explains how Mailloop ("we", "us", or "our") collects, uses, stores, and protects personal data when you use our email testing service at mailloop.io. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
We are not in the business of collecting data for advertising or training AI models. We collect only what we need to provide a reliable, secure email sandbox service.
1. Data Controller
The data controller responsible for your personal data is Mailloop. For all data protection enquiries, contact us at [email protected].
2. Data We Collect
Account data
When you register: your name, email address, and optionally a profile image. If you sign up via Google OAuth, we receive your name, email, and Google profile ID.
Authentication & session data
Session tokens, IP address, and browser user agent stored for each active login session. Hashed passwords (bcrypt) for email/password accounts; OAuth tokens for Google sign-in.
Email sandbox data
Emails received by your sandbox: sender, recipients, subject, body, headers, and attachments. This data may contain personal data belonging to third parties that you introduce when testing your applications. Sandbox email content is Brotli-compressed at rest (not end-to-end encrypted).
API usage data
API endpoint called, IP address, and request parameters for each API key request. Retained for up to 90 days for abuse prevention and billing purposes.
Security & threat intelligence data
Our SMTP server logs authentication attempts including the username used, a hash of the password attempt, the originating IP address, port, approximate geolocation (country and city level), and whether the attempt succeeded. We operate a honeypot SMTP endpoint to capture and analyse malicious email infrastructure. Captured data includes IP addresses, email content, sender/recipient headers, and subject lines from automated senders only. This processing is conducted under the legitimate interest of protecting our infrastructure and users from spam and abuse.
Support request data
When you submit a support request: your name, email address, description of the issue, browser information, and any error messages you provide.
Billing data
For paid plans, billing is handled by Polar.sh (see Third-Party Processors below). We store your subscription status and plan information, but not full payment card details.
3. Lawful Basis for Processing
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the email sandbox service | Art. 6(1)(b) — performance of a contract |
| Account registration and authentication | Art. 6(1)(b) — performance of a contract |
| Processing payments via Polar.sh | Art. 6(1)(b) — performance of a contract |
| SMTP auth attempt logging (security) | Art. 6(1)(f) — legitimate interest (infrastructure security) |
| Honeypot threat intelligence | Art. 6(1)(f) — legitimate interest (abuse prevention) |
| API usage logging | Art. 6(1)(f) — legitimate interest (abuse prevention, billing) |
| Responding to support requests | Art. 6(1)(b) — performance of a contract |
4. How We Use Your Data
- Providing, maintaining, and improving the email sandbox service
- Processing subscription payments and managing your plan
- Sending transactional emails (verification, password reset, billing receipts)
- Responding to your support requests
- Detecting and preventing abuse, spam, and unauthorized access to our infrastructure
- Complying with legal obligations
We do not sell your data, use it for advertising, or share it with third parties for their own marketing purposes.
5. Third-Party Processors
We use the following sub-processors to operate our service. All processors handle your data only as directed by us and are bound by data processing agreements.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner | Infrastructure hosting (SMTP server, API, database) | Germany (EU) | EU adequacy — no transfer |
| Vercel | Web application hosting | US | Standard Contractual Clauses |
| Polar.sh | Billing and subscription management (paid users only) | US | Standard Contractual Clauses |
| Google | OAuth sign-in (optional) | US | Standard Contractual Clauses |
| Cloudflare Turnstile | Bot / spam prevention on registration forms | US | Standard Contractual Clauses |
| SMTP2GO | Transactional email delivery (verification, password reset) | US / AU | Standard Contractual Clauses |
| Plausible Analytics | Privacy-friendly website analytics (no cookies, no cross-site tracking) | EU | EU adequacy — no transfer |
6. International Data Transfers
Some of our processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c) as the transfer safeguard. We have also conducted transfer impact assessments for each US-based processor to verify that supplementary measures are adequate.
Our primary infrastructure (database, SMTP server, API) runs on Hetzner servers located in Germany and does not involve international transfers.
7. Data Retention
| Data category | Retention period |
|---|---|
| Account data (name, email) | Until account deletion (30-day grace period) |
| Session data | Until session expiry or account deletion |
| Sandbox email content | Per your plan's retention setting (default: plan limit) |
| SMTP auth attempt logs | 90 days |
| Honeypot session data | 2 years |
| API usage logs | 90 days |
| Support requests | Until account deletion, then deleted alongside account |
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you. Use the "Export My Data" feature in Account Settings.
- Right to rectification (Art. 16): Correct inaccurate personal data via Account Settings → Profile.
- Right to erasure (Art. 17): Request deletion of your account and personal data via Account Settings → Danger Zone. Deletion is executed after a 30-day grace period.
- Right to restriction (Art. 18): Request that we restrict processing of your data while a dispute is resolved. Contact [email protected].
- Right to data portability (Art. 20): Export your data in machine-readable JSON format via Account Settings → Export My Data.
- Right to object (Art. 21): Object to processing based on legitimate interest (security logging). Contact [email protected] to exercise this right.
- Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. In the Czech Republic: Úřad pro ochranu osobních údajů (ÚOOÚ).
To exercise any right, email [email protected]. We will respond within 30 days.
9. Cookies
We use the following cookies on our service:
| Cookie | Purpose | Category |
|---|---|---|
| better-auth.session_token | Keeps you logged in | Strictly necessary |
| currentOrganization | Remembers which organization you are working in | Strictly necessary |
| cf-turnstile (Cloudflare) | Bot detection on registration and password reset forms | Security |
We do not use analytics cookies, advertising cookies, or any cross-site tracking cookies. Plausible Analytics (our website analytics tool) is cookieless.
10. Automated Decision-Making
We calculate an email score for emails received in sandboxes based on spam signals (SPF, DKIM, DMARC results and content heuristics). This score is displayed to you as a diagnostic tool to help test your email deliverability. It does not affect access to any services, create legal effects, or significantly affect you in any other way (GDPR Art. 22 does not apply).
Our honeypot system automatically detects and logs connections from known malicious senders. No automated decisions affecting individuals are made solely from this data.
11. AI and Data Training
Your data is never used for AI training, model development, or any form of machine learning — by us or any of our processors. We have no arrangements with any AI provider that involves your data.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- All data in transit is protected by TLS 1.2+
- Email sandbox content is Brotli-compressed at rest in PostgreSQL
- Passwords are hashed with bcrypt; API keys are stored as SHA-256 hashes
- Database access is restricted to a private network; no public database port
- Infrastructure runs on Hetzner servers in Germany, in ISO 27001-certified data centres
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33–34.
13. Children's Privacy
Mailloop is a professional developer tool and is not intended for use by persons under the age of 16 (or the applicable minimum age in your country). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact [email protected] and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users and/or by displaying a notice in the application at least 14 days before the change takes effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our data protection point of contact at:
We aim to respond to all privacy-related enquiries within 30 days.