
Privacy Policy

Last updated: April 19, 2026

This Privacy Policy explains what personal data SendMind (“we”, “our”, “us”) collects, how we use it, who we share it with, and the rights you have over it. It applies to account holders who sign up for SendMind, and to the recipients of marketing emails sent through the service. We are committed to compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the U.S. CAN-SPAM Act.

1. Data We Collect

From account holders:

  • Account data: name, email address, hashed password, business name.
  • Brand voice data you provide during onboarding (tone, audience description, sender name).
  • Billing data: payment details and billing address handled by Stripe (we never see full card numbers).
  • Usage data: pages visited, features used, IP address, user agent, timestamps.

From email recipients (your contacts):

  • Contact data you upload (email address, first name, source tag).
  • Engagement events captured when our pixel and link wrappers fire (open events, click events, unsubscribe events, device type, timestamp).

2. How We Use Data

  • To operate the service: authentication, generating email drafts, delivering email, recording analytics.
  • To improve the service: aggregate analytics, performance monitoring, debugging.
  • To communicate: account notices, billing receipts, security alerts, and (with consent) product updates.
  • To enforce our Terms of Service and prevent abuse.

We do not sell personal data. We do not use contact data uploaded by account holders for any purpose other than delivering email and analytics on behalf of that account holder.

3. Email Marketing Specifics & CAN-SPAM

Every marketing email sent through SendMind includes the sender’s identity, a clear one-click unsubscribe link, and a physical mailing address as required by the CAN-SPAM Act (15 U.S.C. § 7704). Unsubscribe requests are honored immediately and the contact is moved to a suppression list that account holders cannot send to. Account holders are responsible for the lawful collection of consent from their contacts and for honoring jurisdiction-specific rules (such as GDPR’s requirement of explicit opt-in).

4. Contact Data Handling

When an account holder uploads contact data, SendMind acts as a data processor under GDPR; the account holder is the data controller. We store contact data only as long as the account holder retains it in their list, plus a short backup retention window. Account holders are responsible for responding to data subject requests from their contacts (we will assist as required by law).

5. Your Rights

Depending on your jurisdiction (GDPR, CCPA, and similar laws), you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (“right to be forgotten”).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@sendmind.io. We will respond within 30 days.

6. Data Deletion

Account holders can delete their account at any time from the settings page; this removes the account and associated contact lists, brand voice, and email history from production within 30 days. Backups containing the data are purged within 90 days. Aggregate analytics that cannot be tied back to an individual may be retained indefinitely.

7. Cookies

We use a small number of strictly necessary cookies and local-storage entries to keep you signed in (the sendmind_token JWT). We do not use third-party advertising cookies. Marketing emails sent through SendMind use a 1x1 tracking pixel and wrapped click links; recipients can disable image loading in their email client to block the pixel.

8. Third-Party Services

SendMind relies on the following processors:

  • Stripe — payment processing. Card data is sent directly from your browser to Stripe; we receive only a token.
  • Resend — outbound email delivery (transactional and marketing).
  • Anthropic — large language model (Claude) used to generate email drafts. Prompts may include brand voice and product data.
  • Railway — application hosting and managed PostgreSQL.
  • Google — optional sign-in via Google OAuth.

Each of these vendors has its own privacy policy and data processing terms. We have chosen vendors that contractually commit to GDPR-compliant processing.

9. International Transfers

Our infrastructure is hosted in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses where required for transfers from the EEA, UK, or Switzerland.

10. Security

Passwords are hashed with bcrypt. Connections to the service use TLS. Authentication tokens are signed JWTs scoped to the account. We restrict production database access to a small number of named operators. No system is perfectly secure; please use a strong, unique password and enable any account safeguards we offer.

11. Children

SendMind is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe we have collected such data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. The “Last updated” date at the top of this page reflects the latest revision.

13. Contact

For privacy questions or to exercise your rights, contact privacy@sendmind.io.

© 2026 SendMind. All rights reserved.