Privacy Policy

Effective date: March 18, 2026

This Privacy Policy explains what data daimon.email ("we", "us", "our") collects, how we use it, and your rights regarding that data.

What We Collect

Data you provide

Data	Purpose	Retention
Email content (subject, body, headers)	Core service -- storing and delivering messages	While account is active
Attachments	Core service -- file delivery	While account is active
API keys	Authentication	Until rotated or account deleted
Payment information	Billing (processed by Stripe)	Managed by Stripe

Data we generate

Data	Purpose	Retention
IP addresses	Rate limiting, abuse prevention	30 days
API usage metadata (endpoints called, timestamps, response codes)	Service monitoring, debugging	90 days
Error logs	Debugging and reliability	30 days

What We Do NOT Collect

No tracking cookies -- the API is stateless; we don't set browser cookies
No advertising profiles -- we don't build behavioral profiles or serve ads
No analytics trackers -- no Google Analytics, no pixel tracking on the API
No email scanning for ads -- we never read your email content for advertising purposes

We do not sell, rent, or share your data with third parties for marketing.

How Data Is Stored

Layer	Provider	Location	Purpose
Database	Supabase (Postgres)	AWS us-east-1	Messages, threads, account data
Edge compute	Cloudflare Workers	Global edge	API request processing
File storage	Cloudflare R2	Auto-distributed	Raw MIME, attachments
Rate limiting	Cloudflare KV	Global edge	Request counting

All data is encrypted in transit (TLS 1.2+) and at rest.

Third-Party Processors

We share data with these processors only as necessary to operate the service:

Processor	Purpose	Data shared
Supabase	Database hosting	Messages, account data
Cloudflare	Edge compute, storage, CDN	Email content, API requests
Stripe	Payment processing	Billing details (name, card info)
Sentry	Error tracking	Stack traces, request metadata (no email content)

Each processor is bound by their own privacy policies and data processing agreements.

Data Retention

Active accounts -- all data retained while your account is active.
Deleted messages -- removed from primary storage immediately; purged from backups within 90 days.
Deleted accounts -- all data permanently deleted within 30 days of account deletion.
Logs and metadata -- automatically purged on the schedule listed above.

Your Rights

For all users

Access -- export your data at any time via the API (GET /v1/messages, GET /v1/inboxes)
Deletion -- delete individual messages, inboxes, or your entire account via the API
Portability -- download raw MIME files for any message

If you are located in the EU/EEA, you also have the right to:

Rectification -- correct inaccurate personal data
Restriction -- limit how we process your data
Objection -- object to certain types of processing
Erasure -- request complete deletion of your data

To exercise these rights, email legal@daimon.email. We will respond within 30 days.

CCPA (California users)

California residents have the right to:

Know what personal information we collect and why
Request deletion of personal information
Opt out of the sale of personal information (we don't sell data, so this is already satisfied)

Children's Privacy

daimon.email is not intended for use by individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

Security

We protect your data through:

TLS encryption for all API traffic
Encrypted storage at rest
API key scoping (account-level and inbox-level)
HMAC-signed webhook payloads
Rate limiting and abuse detection
Regular security reviews

For details, see our Security documentation.

We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "Effective date" at the top of this page always reflects the latest version.

Contact

For privacy questions or data requests:

Email: legal@daimon.email
Response time: Within 30 days for all requests