Privacy Policy

Last updated: February 11, 2026

1. Who we are

Senderkit is an email marketing platform. This policy explains how we collect, use, and protect your personal data when you use our service.

Data Protection Contact: privacy@senderkit.hatched.digital

2. Data we collect

Account data: Email address, password (securely hashed) — collected at signup
Subscriber data: Email addresses, names, tags — uploaded or collected by you via signup forms
Engagement data: Email opens, link clicks, timestamps — via tracking pixels and redirect links
Billing data: Payment method and invoices — processed by Stripe. We never see or store card numbers
Usage data: Feature usage, send counts, AI generation requests — for billing and service operation

3. How we use your data

  • Service delivery — sending emails, managing subscribers, generating content
  • Billing — processing payments, tracking usage against plan limits
  • Service improvement — aggregate usage patterns (never individual content)
  • Legal compliance — responding to lawful requests, preventing abuse

4. Lawful basis for processing

Account management: Contract performance (Art. 6(1)(b))
Email sending: Contract performance (Art. 6(1)(b))
Payment processing: Contract performance (Art. 6(1)(b))
AI content generation: Consent (Art. 6(1)(a))
Service analytics: Legitimate interest (Art. 6(1)(f))
Abuse prevention: Legitimate interest (Art. 6(1)(f))

5. Where your data lives

All customer data is stored in Sydney, Australia (ap-southeast-2). This includes your account data, subscriber lists, email content, and engagement metrics.

Database: Neon Postgres — Sydney
Authentication: Self-hosted (bcrypt + JWT) — Sydney
Email delivery: Elastic Email — US/EU
Payments: Stripe — US (DPF certified)
AI generation: Anthropic Claude — US (no PII transmitted)

Where data crosses borders (e.g., payment processing via Stripe), we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

6. Your rights

Under applicable privacy laws, you have the right to:

Access: Download all your data via Settings → Export Data
Rectification: Edit your data in account settings at any time
Erasure: Delete your account and all data via Settings → Delete Account
Portability: Export your data as machine-readable JSON
Restriction: Request processing limits — contact privacy@senderkit.hatched.digital
Objection: Object to legitimate-interest processing — contact privacy@senderkit.hatched.digital

We respond to all rights requests within 30 days. For California residents (CCPA): we do not sell personal information and do not use it for cross-context behavioural advertising.

7. Cookies

We use minimal, essential cookies only:

Name | Purpose | Duration | Type
session | Authentication | Session | Essential
cookie-consent | Your cookie preference | 1 year | Essential

We do not use analytics cookies, advertising cookies, or third-party tracking.

8. Data retention

Account data: While account is active. Deleted within 30 days of closure.
Subscriber data: While account is active. Individual contacts deletable anytime.
Email content: Retained for your reference. Deleted with account.
Engagement data: 24 months, then anonymized.
Audit logs: 5 years (legal requirement).

9. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security enforcing strict tenant data isolation
  • Database access restricted to VPC with network-level controls
  • API rate limiting on all endpoints
  • No plain-text password storage (bcrypt hashing with secure JWT authentication)

10. Children's privacy

Senderkit is not intended for individuals under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy from time to time. Material changes are communicated via email or in-app notification at least 30 days before taking effect.