Privacy Policy
Last updated: March 2026
Data Controller
The data controller for this service is [Company Name], [Street Address], [Postal Code] Vienna, Austria. You can reach our privacy team at privacy@postkit.eu.
What Data We Collect
We collect the minimum data necessary to provide and improve our service:
- Account data — your name, email address, and billing information when you create an account.
- Email metadata — sender address, recipient address, subject lines, and timestamps for emails sent through our API. We do not store email body content after delivery.
- Usage analytics — API call volume, feature usage, and error rates to operate and improve the service.
- Technical data — IP addresses, browser type, and device information when you access the dashboard.
Legal Basis for Processing
We process your personal data under the following legal bases:
- GDPR Article 6(1)(b) — Contract performance — processing necessary to provide the Postkit service you signed up for.
- GDPR Article 6(1)(f) — Legitimate interests — processing necessary for security, fraud prevention, and service improvement.
- GDPR Article 6(1)(a) — Consent — for optional marketing communications. You can withdraw consent at any time.
Where Your Data Lives
All data is stored and processed exclusively within the European Union. Our infrastructure runs in Hetzner data centers in Vienna and Frankfurt, Germany. We do not transfer data outside the EU. We do not use US cloud providers (no AWS, no Google Cloud, no Azure).
Sub-processors
We use the following sub-processors to provide our service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure (servers, networking) | Germany |
| Stripe Payments Europe, Ltd. | Payment processing | EU |
| Hetzner Object Storage | Email attachments and file storage | Germany |
Data Retention
- Account data — retained for the duration of your account plus 30 days after deletion.
- Email metadata — retained for 30 days, then permanently deleted.
- Logs — retained for 14 days.
- Billing records — retained as required by Austrian tax law (7 years per § 132 BAO).
Your Rights
Under the GDPR, you have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Port your data to another service in a machine-readable format.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@postkit.eu. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at.
Cookies
We use essential cookies only, strictly necessary for the functioning of the dashboard (session authentication). We do not use tracking cookies, advertising cookies, or third-party analytics scripts.
Data Processing Agreement
If you process personal data through the Postkit email API (e.g., sending emails containing personal data of your end users), a Data Processing Agreement governs our relationship as processor. Our standard DPA is available at /dpa.
Changes
We may update this privacy policy from time to time. For material changes, we will notify you via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.