Privacy Policy

1. Who we are

SecureSMTP is a WordPress email-delivery and forms platform operated by Technologia FZE, a company registered in Sharjah Research, Technology and Innovation Park (SRTIP), Sharjah, United Arab Emirates, since June 2023. References to “we,” “us,” or “SecureSMTP” in this Policy mean Technologia FZE.

For privacy questions or to exercise your rights, email support@securessmtp.com.

2. Data we collect

We collect data in three categories:

(a) Account data — name, email, password hash (for email/password sign-in), Google account identifiers (for “Sign in with Google”), and optional profile preferences.

(b) Billing data — payment methods are handled by Stripe; we store only the Stripe customer ID, subscription ID, plan tier, and billing cycle. We never see or store card numbers, CVVs, or bank account details.

(c) Service data — content of emails routed through our relay (subject, body, recipients), form submissions delivered through SecureSMTP Forms, your WordPress site URL, the IP addresses of your form submitters, and technical metadata (user agent, request timestamps, log identifiers).

(d) Cookies and similar technologies — see our Cookie Policy.

3. Legal basis for processing

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU/UK General Data Protection Regulation, and the California Consumer Privacy Act, we rely on the following bases:

• Contract performance — to operate the service you signed up for, including routing your emails, delivering form submissions, billing, and customer support.
• Legitimate interest — fraud prevention, abuse detection (including AI-assisted content scanning of outbound mail), service security, and improving our infrastructure.
• Legal obligation — UAE tax records, anti-spam law compliance, lawful requests from authorities.
• Consent — marketing communications (you can withdraw consent at any time).

4. How we use your data

• Operate the service: route emails through our relay, deliver form submissions, store mail-log entries, render dashboards.
• Bill you accurately via Stripe.
• Detect and prevent abuse: our AI-layered abuse scanning applies content heuristics and Anthropic Claude classification to outbound email before delivery.
• Provide customer support.
• Comply with legal obligations.

We do NOT train any AI model on customer data. Anthropic Claude is used only for transient per-message classification; outputs are stored as classification labels (e.g. “legitimate” / “suspicious” / “spam”), not as training data.

We do NOT sell personal data.

5. Subprocessors

SecureSMTP uses the following subprocessors to deliver the service. By using SecureSMTP, you authorize the transfer of personal data to these processors as needed.

• Stripe, Inc. (United States / Ireland) — payment processing and subscription billing.
• Resend (United States) — transactional email delivery infrastructure.
• Anthropic, PBC (United States) — AI spam classification via Claude API.
• Google LLC (United States) — “Sign in with Google” OAuth for users who choose Google sign-in.
• Cloudflare, Inc. (United States) — DNS and Turnstile bot-protection on form submissions.
• Hostinger International Ltd. (Singapore region for current deployment) — VPS hosting infrastructure.
• PostgreSQL (self-hosted on Hostinger VPS) — customer data store.

We notify customers of subprocessor changes at least 30 days in advance via email or in-product notice.

6. International data transfers

SecureSMTP operates from the United Arab Emirates. Our subprocessors are located in the United States, Ireland, and Singapore. We rely on Standard Contractual Clauses (where required by GDPR) and equivalent safeguards under the UAE PDPL for these transfers.

7. Data retention

• Account data: retained until you delete your account, plus 30 days for backup expiration.
• Email log entries (per relayed message): 30 days on Free, 90 days on Starter, 365 days on Pro, 1,095 days (3 years) on Business and Enterprise.
• Form submissions: retained per your plan tier until you delete them or close your account.
• Billing records: 7 years per UAE tax law (Federal Decree-Law No. 7 of 2017 on Tax Procedures).
• Audit logs and security logs: 12 months.

8. Your rights

Depending on your jurisdiction, you may have rights including:

• Access to your personal data.
• Correction of inaccurate data.
• Deletion of your data (subject to legal retention requirements).
• Portability of your data in a machine-readable format.
• Restriction or objection to certain processing.
• Withdrawal of consent for any consent-based processing.
• Lodging a complaint with your supervisory authority (UAE Data Office, your national data protection authority in the EU/UK, or the California Attorney General).

To exercise any of these rights, email support@securessmtp.com. We respond within 30 days.

9. Security

We protect data in transit and at rest:

• TLS 1.2 or higher for all connections to our service.
• Encryption at rest on the underlying VPS storage.
• Role-based access controls; only authorized personnel access production systems.
• DKIM signing on outbound email from your verified custom domain (Pro and above).
• Hashed and salted password storage using industry-standard algorithms.
• Continuous monitoring of authentication events and abuse signals.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately.

10. Children

SecureSMTP is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, email us and we will delete it.

11. Changes to this Policy

We may update this Policy as our service evolves. Material changes will be announced by email to account holders at least 30 days before taking effect. The current version always lives at this URL with the “Effective” date at the top.

12. Contact

Questions, requests, or complaints? Email support@securessmtp.com.

Postal: Technologia FZE, Sharjah Research, Technology and Innovation Park (SRTIP), Sharjah, United Arab Emirates.