Privacy Policy

Effective date: December 20, 2025
Last updated: December 20, 2025

This Privacy Policy explains how IThesion SIA ("MailWebhook," "we," "us," "our") collects, uses, and shares information when you use our website, apps, and services (collectively, the "Service").

If you have questions, contact us at privacy@mailwebhook.com.

1. Who we are

2. What this policy covers

This policy covers information we collect:

• From you directly (for example, account signup and support requests)
• Automatically when you use the Service (for example, logs and device data)
• From connected services you configure (for example, email mailbox providers, webhooks)

It does not cover third party services you link to or use with MailWebhook, such as your own webhook endpoints.

3. Information we collect

A. Account and profile information

• Name (optional), email address, password (stored as a secure hash), and account preferences.
• Organization and team information if you create or join a workspace.

B. Billing information (if you use paid plans)

• Billing contact details and transaction metadata.
• Payment card data is typically handled by our payment processor and is not stored by us in full. We may receive limited information like the last 4 digits, expiration month/year, and billing status.

C. Service configuration data

• Mailbox connection settings you provide (for example, server host, username, and other configuration parameters).
• Webhook endpoint URLs, headers you configure, routing rules, and delivery settings.
• API keys, signing keys, and secrets you generate or store in the Service (stored encrypted at rest where supported by the Service).

D. Customer Content (email data you send through MailWebhook)

Depending on how you use the Service, Customer Content may include:

• Email headers and metadata (for example, sender, recipient, subject, message IDs, timestamps)
• Email body content (plain text and HTML)
• Attachments and inline files
• Derived fields created by your transformations or parsing rules

You control what mailboxes are connected, what data is forwarded, and where it is delivered.

E. Usage, diagnostics, and log data

We collect information about how the Service is used, such as:

• IP address, device and browser type, app version, and general location inferred from IP
• Service logs (for example, request timestamps, error traces, delivery status codes, retry behavior)
• Security logs (for example, authentication events, rate limit events)

We do not intentionally log full email bodies or attachments for analytics. Limited snippets may appear in error contexts only when necessary for debugging, and we aim to redact sensitive fields.

F. Cookies and similar technologies

We use cookies and similar technologies for:

• Authentication and session management
• Security (for example, fraud prevention)
• Basic performance and reliability metrics

Where required, we provide cookie controls and honor applicable consent requirements.

4. How we use information

We use information to:

• Provide, operate, and maintain the Service (including ingesting emails, parsing, transforming, and delivering to your configured endpoints)
• Secure the Service (authentication, abuse prevention, and monitoring)
• Troubleshoot and improve reliability (for example, debugging delivery failures)
• Communicate with you (service notices, support responses, and administrative messages)
• Process payments and manage subscriptions (if applicable)
• Comply with legal obligations and enforce our terms

No sale of Customer Content: We do not sell Customer Content.

No advertising use of Customer Content: We do not use Customer Content for targeted advertising.

5. Legal bases for processing (EEA, UK, and similar regions)

Where GDPR or similar laws apply, our legal bases may include:

• Contract: providing the Service you requested
• Legitimate interests: maintaining security, preventing abuse, improving reliability, and customer support
• Consent: where required (for example, certain cookies or marketing communications)
• Legal obligation: compliance, lawful requests, and recordkeeping

For Customer Content, we typically process on your instructions as a processor.

6. How we share information

We may share information with:

A. Service providers (subprocessors)

We use vendors to help run the Service, such as:

• Hosting and infrastructure providers
• Logging, monitoring, and error tracking providers
• Email delivery providers (for account notifications)
• Payment processors (for billing)
• Customer support tools

These providers are authorized to process information only as needed to provide services to us, under contractual obligations.

B. Compliance and legal requests

We may disclose information if we believe disclosure is required to comply with law, enforce our agreements, or protect the rights, safety, and security of users and the public.

C. Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

D. Your instructions

We share Customer Content according to your configuration, for example by delivering payloads to the webhook endpoints you specify.

7. Data retention

We retain information only as long as necessary for the purposes described in this policy, including:

• Maintaining your account
• Providing the Service
• Complying with legal obligations
• Resolving disputes and enforcing agreements

8. Security

We use administrative, technical, and organizational measures designed to protect information, such as:

• Encryption in transit (TLS) where supported
• Encryption at rest for sensitive secrets where supported
• Access controls and least privilege practices
• Monitoring and abuse prevention

No method of transmission or storage is 100 percent secure. You are responsible for keeping your credentials, API keys, and webhook endpoints secure.

9. International data transfers

If you access the Service from outside the country where our servers are located, your information may be transferred and processed internationally. Where required, we use safeguards such as Standard Contractual Clauses or other lawful mechanisms.

10. Your rights and choices

Depending on your location, you may have rights to:

• Access, correct, or delete personal data
• Object to or restrict certain processing
• Port your data
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with a supervisory authority

To exercise rights, email privacy@mailwebhook.com.

11. Children's privacy

The Service is not directed to children under 13 (or under 16 where applicable). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version with a revised "Last updated" date. If changes are material, we will provide additional notice as required by law.

13. Contact