// legal

Privacy Policy

Last updated: January 1, 2026

1. Who We Are

MailPilot, Inc. (“MailPilot”, “we”, “us”, or “our”) operates the email deliverability platform available at mailpilots.in and app.mailpilots.in.mailpilots.in and app.mailpilots.in. Our platform helps businesses improve email deliverability by warming up mailboxes, monitoring inbox placement, running spam pre-flight checks, and authenticating sending domains.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it. It applies to all users of our website, application, and API.

2. Data We Collect

We collect only the data necessary to deliver and improve our services:

  • Account information: Your name, work email address, and a bcrypt-hashed password (we never store plaintext passwords). If you sign up via OAuth, we receive only the name and email your provider shares.
  • Connected mailbox credentials: SMTP/IMAP credentials and OAuth tokens for the mailboxes you connect to MailPilot. These are stored encrypted at rest using AES-256 and are never exposed to other users or third parties.
  • Warmup email history: Metadata about the warmup emails sent on your behalf - timestamps, volume, reply rates, and engagement signals. We do not store the full content of warmup emails beyond what is needed to compute reputation metrics.
  • Placement data: Inbox, spam, and promotion folder placement results from our seed network, linked to your connected sending domains.
  • Usage logs: Server-side logs including IP addresses, HTTP request metadata, timestamps, and error traces. Logs are retained for 30 days for debugging and security purposes.
  • Billing information: Subscription tier and billing history. Card details are handled exclusively by our payment processors (Stripe / Razorpay) and are never stored on MailPilot servers.

3. How We Use Your Data

Your data is used exclusively for the following purposes:

  • Providing the service: Executing warmup schedules, delivering spam pre-flight reports, monitoring placement, and surfacing deliverability insights in your dashboard.
  • Improving our algorithms: Aggregated and anonymised engagement signals help us tune warmup velocity models. Individual email content is never used for this purpose.
  • Transactional communications: Sending account-related emails - onboarding, billing receipts, incident alerts, and password resets. We do not send marketing email without explicit opt-in.
  • Security and fraud prevention: Detecting abuse, rate-limiting, and protecting the integrity of our shared sending infrastructure.

4. What We Do Not Do

  • We do not sell, rent, or broker your data to any third party, ever.
  • We do not use the content of your emails or your contacts’ data to train AI or machine learning models.
  • We do not share your data with advertisers or data brokers.
  • We do not share data with third parties beyond the infrastructure providers required to operate the service: Vercel (hosting), Supabase (database), and Redis / Upstash (job queues). Each provider is bound by a Data Processing Agreement.

5. Data Retention

Account data - including connected mailbox credentials, warmup history, and placement records - is retained for as long as your account is active. If you close your account, all personal data is permanently deleted within 30 days. Anonymised aggregate metrics (e.g., global placement rate trends) may be retained indefinitely as they contain no personal information.

Server logs are retained for 30 days. Billing records may be retained longer where required by applicable financial regulations.

6. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent data protection law, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data. We will action this within 30 days and confirm in writing.
  • Right to data portability: Receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent (e.g., marketing emails), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@mailpilots.in. We will respond within 30 days.

7. Cookies

We use one first-party cookie: mp_session, a session authentication cookie that is HttpOnly, Secure, and expires after 7 days. It contains no personally identifiable information beyond an encrypted session identifier.

We do not use analytics cookies, tracking pixels, or third-party advertising cookies. See our Cookie Policy for full details.

8. Security

We take appropriate technical and organisational measures to protect your data:

  • All data at rest is encrypted using AES-256.
  • All data in transit is protected by TLS 1.2+.
  • Passwords are hashed with bcrypt (cost factor 12). Plaintext passwords are never stored or logged.
  • Mailbox credentials are stored in an isolated, encrypted secrets store with access limited to the warmup engine service account.

If you discover a security vulnerability, please disclose it responsibly at security@mailpilots.in.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify account holders by email and update the “Last updated” date at the top of this page. Continued use of the service after the effective date constitutes acceptance of the revised policy.

10. Contact Us

For privacy-related questions, data subject requests, or to report a concern, contact our privacy team at privacy@mailpilots.in. MailPilot, Inc. is the data controller for personal data processed under this policy.

Send like the inbox is yours.

Join the waitlist and lock in founding-member pricing.

Join the waitlistBook a demo