Privacy Policy
Last updated: June 2025 · CarcMail
Summary: CarcMail collects only the data needed to run your outbound campaigns. We do not sell your data. We use Supabase for auth, Paddle for billing, and encrypt all sensitive credentials. You can request deletion at any time.
1. Who We Are
CarcMail ("we", "us", "our") is an AI-assisted outbound campaign platform. This Privacy Policy explains how we collect and use personal data when you use carcmail.com and the CarcMail application.
Contact: contact.cyberarcmsp@gmail.com
2. Data We Collect
- Account data: Email address and name provided during signup or OAuth sign-in.
- Campaign data: Lead lists, email content, campaign settings, and send logs you create in the application.
- Inbox credentials: OAuth tokens (Google) or SMTP credentials for connected sending inboxes. All credentials are encrypted at rest using AES-256.
- Usage data: Credits consumed, actions taken, and feature usage for billing and plan enforcement.
- Billing data: Subscription and payment information is handled directly by Paddle. We do not store card numbers.
- Error logs: Anonymised error traces collected by Sentry for platform reliability.
3. How We Use Your Data
- To operate, maintain, and improve the CarcMail platform.
- To send emails on your behalf using your connected inboxes.
- To enforce plan limits, credit usage, and billing.
- To display campaign analytics and reply tracking in your workspace.
- To respond to support requests.
We do not use your data for advertising, profiling, or sale to third parties.
4. Data Sharing
We share your data only with the following processors, under strict data processing agreements:
- Supabase — Authentication and database hosting (EU region).
- Anthropic / OpenAI — AI email generation. Lead data may be included in prompts. No data is used to train models under our agreements.
- Paddle — Subscription billing and payment processing.
- Sentry — Error monitoring. Personally identifiable data is scrubbed before transmission.
5. Data Retention
We retain your account and campaign data for as long as your account is active. After account deletion, data is purged within 30 days. Send logs and analytics are retained for audit purposes for up to 90 days post-deletion before permanent deletion.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Delete your account and associated data.
- Object to certain processing activities.
- Request data portability (export your lead lists and campaign data).
To exercise any of these rights, email contact.cyberarcmsp@gmail.com. We respond within 5 business days.
7. Cookies
We use a minimal set of cookies for authentication sessions, user preferences, and error monitoring. We do not use advertising cookies. See our Cookie Policy for full details.
8. Security
All data is transmitted over TLS. Sensitive credentials (SMTP passwords, OAuth tokens, API keys) are encrypted at rest using AES-256 before storage. Access to production data is restricted to authorised personnel only.
9. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated by email or via an in-app notice. Continued use of the platform after notice constitutes acceptance of the updated policy.
10. Contact
Questions about this policy: contact.cyberarcmsp@gmail.com