Privacy Policy
Last updated: May 13, 2026
1. Who We Are
ZidiMail ("we", "us", "our") operates the transactional email platform at zidimails.com and its associated API. This Privacy Policy explains how we collect, use, store, and share information when you use our services.
2. Information We Collect
Account information
When you register, we collect your name, email address, and a hashed password. We do not store your plain-text password.
Organization data
We store your organization name, verified sending domains, API keys (hashed — raw key shown only once at creation), webhook endpoint URLs and signing secrets used for delivery verification, and billing subscription references.
Email delivery data
We log metadata for every email you send through the API: sender address, recipient addresses, subject line, message ID, delivery status, and timestamps. Message bodies are processed to deliver mail and are not retained in long-term storage beyond what the delivery pipeline requires.
Event data
Delivery events (bounces, complaints, opens, clicks) reported by the mail infrastructure are stored and linked to the corresponding email record when applicable.
Usage data
We collect aggregate counts of emails sent per day and month for billing and limit enforcement. We also collect standard server logs (IP address, request path, response code, timestamp) for security and debugging.
Payment data
Billing is handled by PayPal. We store only a subscription reference ID returned by PayPal. We never see or store your full payment method details (card numbers, bank account numbers, etc.).
3. How We Use Your Information
- To provide, operate, and improve the Service;
- To authenticate your account and verify your identity;
- To enforce sending limits, billing, and acceptable use policies;
- To send transactional emails you trigger (password resets, email verification, billing notifications);
- To detect and prevent fraud, abuse, and security incidents;
- To respond to support requests;
- To comply with legal obligations.
We do not use your data for advertising. We do not sell your data to third parties.
4. Email Suppression List
Addresses that hard-bounce or file spam complaints are added to a per-organization suppression list (ZidiGuard). This list is used solely to protect your sender reputation and prevent delivery attempts to bad addresses. You can view and manage suppressions from your dashboard.
5. Data Sharing
We share data only in these limited circumstances:
- Infrastructure providers: We use vendors such as AWS (email delivery), Mailgun (domain and messaging infrastructure where used), database hosting, and Redis (queues and rate limiting), under appropriate agreements. See our Subprocessors page.
- Payment processor: PayPal processes subscription payments. We share only what PayPal needs to initiate and manage your subscription.
- Legal requirements: We may disclose data if required by law, court order, or to protect the rights and safety of ZidiMail or others.
6. Data Retention
We retain account data for as long as your account is active. Email delivery logs and events are retained for up to 90 days by default unless a longer period is required for security, abuse investigation, or legal compliance. Suppression records may be retained to protect sending reputation. Billing records are retained as required by applicable law. When you delete your account, your personal data is removed within 30 days, subject to legal retention requirements.
7. Cookies & Similar Technologies
We use a small number of cookies and similar technologies as described in our Cookie Policy. In particular, the dashboard sets a session cookie (zm_token) after login so the application can authenticate API requests from the browser. Treat this token like a password: do not expose it in client-side code paths you do not trust.
8. Security
We protect your data using industry-standard measures: HTTPS for connections, bcrypt-hashed passwords, hashed API keys, and encrypted connections to our database. No system is perfectly secure; we encourage you to use a strong, unique password and to notify us immediately of any suspected breach.
9. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Request deletion of your data ("right to be forgotten");
- Export your data in a portable format;
- Object to or restrict certain processing.
To exercise any of these rights, contact us at privacy@zidimails.com. We will respond within 30 days.
10. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.
11. International Transfers
Your information may be processed in countries where we or our subprocessors operate. We use appropriate safeguards (such as standard contractual clauses where required) when transferring personal data across borders.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or a prominent notice in the dashboard. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy questions or requests, contact us at privacy@zidimails.com.