Privacy Policy
Last updated: 8 June 2026
This policy explains how CodeOutbox ("we", "us") handles personal data. We act in two roles:
- As a controller for the personal data of our account holders and visitors to this website.
- As a processor for the subscriber data that our customers upload and send email to through the service. For that data, our customer is the controller — if you're a subscriber, contact the sender of the email to exercise your rights, and we'll assist them.
Data we collect
- Account data — your email address and authentication tokens (we're passwordless).
- Billing data — handled by Stripe; we never see or store your card number.
- Subscriber data (processed for customers) — the email addresses and engagement events (opens, clicks, bounces, unsubscribes) our customers collect and send to.
- Usage & analytics — basic site analytics via Google Analytics (only with your consent — see Cookies), plus standard server logs.
How we use it
- To provide, secure, and improve the service.
- To send sign-in links and account/service notices.
- To process payments and manage subscriptions.
- To deliver email and report deliverability (bounces, complaints, opens, clicks) on behalf of our customers.
- To prevent abuse and protect sending reputation.
Legal bases (GDPR)
Performance of our contract with you; our legitimate interests in running and securing the service; your consent (for analytics cookies); and compliance with legal obligations.
Cookies
We use a strictly-necessary session cookie for signed-in users. We use a Google Analytics cookie only after you accept it via the banner; analytics are denied by default (Google Consent Mode). You can change your choice anytime by clearing the co_consent value in your browser.
Who we share with (sub-processors)
- Stripe — payment processing.
- Google Analytics — website analytics (consent-gated).
- We run our own mail servers to send email — we do not hand your lists to a third-party email provider.
We don't sell personal data.
International transfers
Some providers (e.g. Google) may process data outside the EU/EEA under appropriate safeguards such as Standard Contractual Clauses.
Retention
We keep account and subscriber data for as long as the account is active, and delete or anonymise it within a reasonable period after closure, unless we must retain it for legal reasons.
Security
Transport is encrypted (TLS). Sensitive secrets such as per-domain DKIM keys are encrypted at rest. Access is limited to what's needed to run the service.
Your rights
Subject to applicable law you may request access, correction, deletion, portability, or restriction of your personal data, and object to certain processing. Email privacy@codeoutbox.com. You may also complain to your local data-protection authority (in the Netherlands, the Autoriteit Persoonsgegevens). Customers can request a Data Processing Agreement from the same address.
Children
The service is not directed to children under 16, and we don't knowingly collect their data.
Changes
We'll update this page and the "last updated" date when this policy changes.
Contact
CodeOutbox · privacy@codeoutbox.com