Skip to content

Privacy Policy

Last updated: March 27, 2026

1. Data Controller

PostStack is operated by MICCI (CVR: 45587452, Fyrretoften 31, 7100 Vejle, Denmark). MICCI ("we", "us", "our") is the data controller responsible for your personal data. For questions about this policy, contact us at privacy@poststack.dev.

2. Information We Collect

2.1 Account Information

  • Name and email address (provided at registration)
  • Password hash (if using email/password authentication)
  • GitHub account ID, profile name, and avatar URL (if using GitHub authentication)
  • Two-factor authentication configuration and hashed backup codes (if enabled)
  • Team membership, role, and team invite history
  • Timezone preference

2.2 Service Configuration Data

  • Domain names and DNS configuration (SPF, DKIM, DMARC records)
  • API keys (stored as cryptographic hashes; the plaintext key is shown once at creation and never stored)
  • Webhook endpoint URLs and HMAC signing secrets
  • Email templates and broadcast configurations
  • Contact lists, segment definitions, and subscription topics
  • Workflow automation definitions (triggers, conditions, and steps)
  • Dedicated IP address assignments and warmup status

2.3 Email Content and Metadata (Outbound)

When you send emails through PostStack, we process and temporarily store:

  • Email content (subject, HTML body, text body, custom headers)
  • File attachments (content and metadata)
  • Sender and recipient addresses (To, CC, BCC)
  • Delivery status and event history (queued, sent, delivered, bounced, complained, failed)
  • Message headers and SMTP metadata
  • Tags and idempotency keys you assign to messages

2.4 Inbound Email Data

If you enable inbound email processing for a domain, PostStack receives and stores:

  • Full email content (subject, HTML body, text body, headers)
  • Sender and recipient addresses
  • File attachments (stored on disk with filename, content type, and size metadata)
  • SMTP envelope data (MAIL FROM, RCPT TO)

Inbound emails from unknown senders are processed if the recipient domain has inbound processing enabled. The sender is not separately notified that PostStack is processing the message.

2.5 Contact Data and Custom Properties

  • Contact records: email address, first name, last name, and status
  • Custom properties: you may store arbitrary data about contacts (text, numbers, dates, booleans, or select values) using custom property definitions. You are responsible for ensuring you have a lawful basis to store this data and that it does not include special-category data without appropriate safeguards.
  • Subscription preferences: opt-in/opt-out status per subscription topic
  • Segment membership (derived from rules or manual assignment)

2.6 Tracking and Analytics Data

If you enable open or click tracking for your emails, PostStack collects data about your recipients:

  • Open tracking: We embed a small transparent 1x1 pixel image in emails. When a recipient loads this image, we record the open event along with the timestamp, IP address, and User-Agent string (browser, operating system, and device type).
  • Click tracking: Links in your emails may be rewritten to pass through our redirect service. When a recipient clicks a tracked link, we record the click event, original URL, timestamp, IP address, and User-Agent string before redirecting to the destination.

You control whether tracking is enabled on a per-email or per-domain basis. We do not track recipients beyond the scope of your emails. Tracking data is retained according to your plan's log retention period.

2.7 Suppression and Bounce Data

  • Email addresses that hard-bounce, generate spam complaints, or unsubscribe are automatically added to a suppression list
  • Suppression entries include the email address, reason (hard_bounce, complaint, unsubscribe, or manual), and timestamp
  • Suppression data is retained indefinitely while your account is active to protect deliverability and prevent re-sending to invalid or unsubscribed addresses

2.8 Automatically Collected Data

  • IP addresses (for session security, rate limiting, and audit logs)
  • User-Agent strings (browser and device information)
  • Session tokens, creation timestamps, and expiration times
  • API request metadata (endpoint, method, response status)

2.9 Audit Logs

We log significant account actions for security and compliance purposes, including:

  • Actions logged: user login, registration, password changes, 2FA changes, domain operations, email sending, contact imports, team member changes, API key creation, and workflow activation
  • Each log entry records: user ID, team ID, action type, resource affected, IP address, and timestamp
  • Audit logs are accessible to team administrators and retained for 90 days

3. How We Use Your Information

  • Service delivery: Processing and delivering outbound emails, receiving inbound emails, managing domains, running workflow automations, and providing analytics
  • Authentication and security: Verifying your identity, managing sessions, preventing unauthorized access, and detecting abuse
  • Billing: Tracking usage (emails sent, delivered, bounced) to enforce plan limits and calculate overage charges
  • Service communications: Sending transactional emails about your account (welcome emails, password resets, billing notices, security alerts)
  • Abuse prevention: Monitoring for spam, phishing, and other prohibited uses to maintain deliverability for all users
  • Deliverability management: Checking sending IP addresses against public blocklists, managing IP reputation and warmup schedules, and processing bounce notifications
  • Webhook delivery: Sending email event notifications (delivery, open, click, bounce, complaint) to your configured webhook endpoints. These payloads include recipient email addresses, event metadata, and IP/User-Agent data from tracking events.
  • Service improvement: Analyzing aggregate usage patterns to improve performance and reliability

We do not use your email content for advertising, profiling, or any purpose other than delivering it on your behalf.

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

  • Contract performance: Processing necessary to provide the Service you signed up for (Article 6(1)(b) GDPR)
  • Legitimate interests: Security, fraud prevention, abuse monitoring, deliverability management, and service improvement (Article 6(1)(f) GDPR)
  • Legal obligation: Compliance with applicable laws, including tax and financial record-keeping (Article 6(1)(c) GDPR)

5. Data Processing on Your Behalf

When you use PostStack to send emails to your end users, store contact data, or process inbound emails, we act as a data processor on your behalf. You remain the data controller for your recipients' and contacts' personal data. You are responsible for:

  • Ensuring you have a lawful basis to send emails to your recipients
  • Ensuring any custom contact properties you store comply with applicable data protection laws
  • Informing your recipients about tracking (open/click) if required by applicable law
  • Honoring data subject requests from your recipients (access, deletion, etc.)

If you require a formal Data Processing Agreement (DPA), contact us at privacy@poststack.dev.

6. Data Retention

  • Outbound email content and logs: Retained based on your plan's log retention period (14 to 90 days), then permanently deleted
  • Inbound email content and attachments: Retained based on your plan's log retention period, then permanently deleted
  • Tracking events (opens/clicks): Retained for the same period as the associated email log
  • Account data: Retained for the duration of your account and deleted within 30 days of account closure
  • Contact data and custom properties: Retained while your account is active. Deleted within 30 days of account closure.
  • Suppression lists: Retained indefinitely while your account is active to prevent re-sending to bounced or unsubscribed addresses. Deleted within 30 days of account closure.
  • Billing records: Retained as required by Danish tax law (up to 5 years after the end of the financial year)
  • Audit logs: Retained for 90 days, then permanently deleted
  • Session data: Sessions expire after 24 hours. Expired sessions are periodically purged from the database.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS for all HTTP and SMTP connections)
  • Secure password hashing (Argon2id with per-user salts)
  • HMAC-signed webhooks for payload integrity verification
  • API key hashing (SHA-256; keys are never stored in plaintext)
  • 2FA backup codes stored as SHA-256 hashes (one-time use, cannot be recovered)
  • Session-based authentication with automatic 24-hour expiry
  • Rate limiting and brute-force protection on all auth endpoints
  • DKIM signing for outbound email authentication
  • CSRF protection on state-changing operations; OAuth state parameter validation

8. Third-Party Services and Sub-Processors

We share data with the following third-party services as necessary to provide the Service:

  • Stripe (payment processing): Receives your billing information, subscription details, and aggregated usage metrics (email volume). See Stripe's Privacy Policy.
  • GitHub (authentication): If you use GitHub sign-in, GitHub provides us with your profile name, verified email address, avatar URL, and account ID. See GitHub's Privacy Statement.
  • Hetzner Cloud (infrastructure): Used to provision dedicated IP addresses. Hetzner receives IP configuration data (IP address, PTR records, DNS zone information). See Hetzner's Privacy Policy.
  • DNS blocklist services (deliverability): We periodically check sending IP addresses against public DNS-based blocklists (Spamhaus, Barracuda, SpamCop) to monitor deliverability. These checks reveal the IP address to the blocklist operator via DNS lookup.
  • DNS providers (DNS push): If you use automated DNS setup, your domain name and email authentication records (DKIM public key, SPF, DMARC) are sent to your DNS provider's API.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

9. Webhook Data Disclosure

When you configure webhook endpoints, PostStack sends HTTP POST requests to your specified URLs containing email event data. These payloads may include:

  • Recipient and sender email addresses
  • Email subject and event type (sent, delivered, opened, bounced, etc.)
  • IP addresses and User-Agent strings (for open and click tracking events)
  • Bounce and complaint details

Webhook payloads are signed with HMAC for integrity verification. You are responsible for securing your webhook endpoints and handling the received data in accordance with applicable data protection laws. Delivery attempts and response metadata are logged for troubleshooting purposes.

10. International Data Transfers

Your data is processed and stored in the European Union. If data is transferred outside the EU/EEA (e.g., to Stripe in the United States), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V (e.g., Standard Contractual Clauses or adequacy decisions).

11. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we limit processing of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@poststack.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.

12. Cookies

PostStack uses only essential cookies required for the Service to function:

  • Session cookie: An HTTP-only, secure cookie used for authentication. It expires after 24 hours and cannot be read by client-side scripts.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No consent banner is required because we only use strictly necessary cookies as defined by the ePrivacy Directive.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34).

14. Children's Privacy

PostStack is a business-to-business service not directed at individuals under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the dashboard at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact

For privacy-related inquiries, data subject requests, or to request a Data Processing Agreement (DPA):

PostStack v/ MICCI
Fyrretoften 31, 7100 Vejle, Denmark
CVR: 45587452
Email: privacy@poststack.dev
Phone: +45 42 22 30 83
Supervisory authority: Datatilsynet (datatilsynet.dk)

See also: Terms of Service