GDPR Compliance

1. Our GDPR Commitment

SMTPCloud.io is fully committed to compliance with the General Data Protection Regulation (GDPR) and all applicable EU data protection laws. As an EU-based company with infrastructure exclusively located within the European Union, we are GDPR-compliant by design.

What this means for you:

  • Your data is protected by the strongest data protection framework in the world
  • You have comprehensive rights over your personal information
  • We process data transparently with clear purposes
  • Your data never leaves the EU
  • We maintain strict security and privacy standards

Our approach: We believe privacy is a fundamental right, not a compliance checkbox. We've built our entire infrastructure and business practices around data protection principles from the ground up.

2. Legal Basis for Processing

Under GDPR Article 6, we process personal data based on the following legal grounds:

2.1 Contractual Necessity (Article 6(1)(b))

Processing necessary to perform our email infrastructure services:

  • Account creation and management
  • Email relay and delivery services
  • Technical support and troubleshooting
  • Billing and subscription management

2.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Service improvement and optimization
  • Security monitoring and fraud prevention
  • System performance and reliability monitoring
  • Business analytics (with your data protected)

We balance our legitimate interests against your rights and freedoms, ensuring no overriding privacy impact.

2.3 Legal Obligations (Article 6(1)(c))

Processing required by law:

  • Financial record-keeping (7 years for tax purposes)
  • Response to lawful requests from authorities
  • Compliance with anti-money laundering regulations

2.4 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications (opt-in only)
  • Optional analytics features
  • Third-party integrations

You can withdraw consent at any time without affecting other services.

3. Your Data Protection Rights

Under GDPR, you have comprehensive rights regarding your personal data. Here's what you can do:

3.1 Right to Access (Article 15)

What it is: Request a copy of all personal data we hold about you

What we provide:

  • Complete export of your account information
  • Email metadata records (last 90 days)
  • Usage statistics and logs
  • Support communication history
  • Data format: JSON or CSV (machine-readable)

How to request: Email privacy@smtpcloud.io with "Data Access Request" in the subject

Response time: Within 30 days, free of charge

3.2 Right to Rectification (Article 16)

What it is: Correct inaccurate or incomplete data

What you can update:

  • Account details (name, email, phone)
  • Business information (company name, address)
  • Billing information
  • Communication preferences

How to update:

  • Self-service via dashboard settings (instant)
  • Email support@smtpcloud.io for assistance
  • No documentation required for simple updates

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What it is: Request deletion of your personal data

What we delete:

  • Account information and credentials
  • Email metadata and logs
  • Usage statistics and analytics
  • Support communications
  • Configuration settings

What we retain (legal requirements):

  • Billing records (7 years for tax compliance)
  • Legal correspondence (if involved in disputes)
  • Anonymized statistics (no personal identification)

How to request: Email privacy@smtpcloud.io with "Deletion Request"

Processing time: 30 days, with confirmation email

Note: Account closure triggers automatic deletion after 30 days

3.4 Right to Restrict Processing (Article 18)

What it is: Limit how we process your data in specific situations

When applicable:

  • Disputing data accuracy (while we verify)
  • Processing is unlawful but you prefer restriction to deletion
  • We no longer need the data but you need it for legal claims
  • Objecting to processing (while we verify legitimate grounds)

Effect: We will store but not actively process restricted data (except with your consent or for legal reasons)

How to request: Email privacy@smtpcloud.io with details of your restriction request

3.5 Right to Data Portability (Article 20)

What it is: Receive your data in a portable format and transfer it to another provider

What we provide:

  • Structured data export (JSON/CSV format)
  • Email configuration settings
  • Domain and DNS records (for easy migration)
  • API documentation for automated transfers
  • Technical support for migration

What's included:

  • Account and business information
  • Email sending history and statistics
  • Configuration data (DKIM keys, domains, IP addresses)
  • Support ticket history

How to request: Email privacy@smtpcloud.io with "Data Portability Request"

Format options: JSON, CSV, or API access

Response time: Within 30 days

3.6 Right to Object (Article 21)

What it is: Object to processing based on legitimate interests or for direct marketing

What you can object to:

  • Marketing communications (opt-out anytime)
  • Optional analytics and usage tracking
  • Automated reputation monitoring
  • Newsletter and product updates

Effect: We will stop processing for that purpose unless we have compelling legitimate grounds

How to object:

  • Marketing: Use unsubscribe link in emails or dashboard settings
  • Other processing: Email privacy@smtpcloud.io with your objection

3.7 Rights Related to Automated Decision-Making (Article 22)

Our position: We do NOT use automated decision-making or profiling that produces legal effects or similarly significant impacts.

What we don't do:

  • No automated account suspensions (human review required)
  • No AI-based pricing or service tier decisions
  • No profiling for marketing or other purposes
  • No automated creditworthiness assessments

Human oversight: All significant decisions about your account involve human review.

4. How to Exercise Your Rights

Simple Process

  1. Contact Us
     Email: privacy@smtpcloud.io
     Subject: [Type of Request] - [Your Name]
  2. Verify Identity
     We'll send a verification link to your registered email address for security
  3. We Process Your Request
       • Initial response: Within 2 business days
       • Full completion: Within 30 days
       • Complex requests: Up to 90 days (with explanation)
  4. Receive Confirmation
     You'll get email confirmation when your request is completed

No Cost

All requests are free of charge. We may charge a reasonable fee only for manifestly unfounded or excessive requests, or additional copies beyond the first one.

No Penalty

Exercising your rights will not affect your service or pricing. Your data protection rights are unconditional.

5. Data Processing Agreement (DPA)

For Business Clients

As a B2B service, SMTPCloud.io acts as a data processor when you send emails through our infrastructure. We offer a comprehensive Data Processing Agreement (DPA) that:

Covers:

  • Roles and responsibilities (Controller vs. Processor)
  • Data processing purposes and duration
  • Security measures and sub-processors
  • Data breach notification procedures
  • Audit rights and compliance verification
  • Standard Contractual Clauses (if needed)

Available for:

  • All business clients (included in service)
  • Enterprise tier (customized DPA available)
  • Agencies managing multiple clients

How to request: Email support@smtpcloud.io with "DPA Request"

Turnaround: Standard DPA within 5 business days, custom DPA within 15 business days

6. Data Breach Notification

Our Commitment

In the event of a personal data breach, we follow strict GDPR notification requirements:

Timeline:

  • Internal detection: Real-time monitoring with automated alerts
  • Investigation: Within 24 hours of detection
  • Authority notification: Within 72 hours (if high risk)
  • User notification: Within 72 hours (if high risk to your rights)

What we tell you:

  • Nature of the breach (what happened)
  • Categories and approximate number of affected data
  • Likely consequences
  • Measures taken to address the breach
  • Recommended actions you should take
  • Contact point for more information

Communication method:

  • Email to registered account address
  • Dashboard notification
  • Website announcement (if widespread)

Prevention Measures

We maintain robust security to prevent breaches:

  • 24/7 automated monitoring with real-time alerts
  • Regular security audits and penetration testing
  • Multi-layer security architecture
  • Encrypted data storage and transmission
  • Access controls and audit logging
  • Incident response plan (tested quarterly)

7. Cross-Border Data Transfers

EU-Only Infrastructure

Good news: We do NOT transfer your data outside the EU.

Our primary and backup infrastructure is hosted in secure, ISO 27001 certified data centers located exclusively within the European Union. We ensure all data processing activities remain within the EEA.

Your benefit: Your data always benefits from EU data protection standards. No Standard Contractual Clauses needed, no adequacy decisions required.

Service to non-EU clients: While we serve clients globally (APAC, LATAM), all data processing occurs in the EU. This provides superior data protection even for clients outside Europe.

8. Sub-Processors

We work with carefully vetted sub-processors, all subject to GDPR compliance. We maintain an up-to-date list of these providers, which is available upon request or as part of our Data Processing Agreement (DPA).

All sub-processors are contractually bound to protect your data and process it only according to our instructions.

Sub-Processor Guarantees

All sub-processors must:

  • Sign Data Processing Agreements
  • Implement appropriate security measures
  • Process data only for specified purposes
  • Not engage further sub-processors without approval
  • Support your data protection rights

Notification: We will notify you 30 days before adding new sub-processors, giving you the right to object.

9. Data Retention Periods

We retain data only as long as necessary:

Retention Schedule

Data Type              | Retention Period               | Reason
Account information    | While account active + 30 days | Service provision
Email metadata         | 90 days                        | Delivery troubleshooting
Usage statistics       | 12 months                      | Service improvement
Support communications | 24 months                      | Service quality
Billing records        | 7 years                        | Legal requirement
Security logs          | 12 months                      | Security monitoring
Anonymized analytics   | Indefinitely                   | No personal data

After retention period: Data is permanently deleted from all systems and backups.

Early deletion: You can request deletion anytime (except legally required records).

10. Contact Our Privacy Team

Privacy Questions & Rights Requests:

Email: privacy@smtpcloud.io

Response time: 2 business days (initial), 30 days (full resolution)

General Support:

Email: support@smtpcloud.io

Website: https://smtpcloud.io/contact

What to Include in Your Request

  1. Subject line: Type of request (Access, Deletion, etc.)
  2. Your information: Name, email address, account ID (if applicable)
  3. Specific request: What you want us to do
  4. Verification: We'll send a verification link for security

11. Complaints and Escalation

If You're Not Satisfied

  1. Contact us directly
     Email privacy@smtpcloud.io - we resolve most issues quickly
  2. Formal complaint
     If unresolved, you can lodge a formal complaint with us for escalation
  3. Supervisory authority
     You have the right to complain to your local data protection authority

EU Supervisory Authorities: Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

Your rights: Lodging a complaint does not affect your ability to seek other legal remedies.

12. Privacy by Design & Default

Our Approach

SMTPCloud.io is built with privacy as a core principle:

Privacy by Design:

  • Data minimization: We collect only what's necessary
  • Purpose limitation: Data used only for stated purposes
  • Storage limitation: Automatic deletion after retention periods
  • Multi-tenant isolation: Strict separation between clients
  • No email content reading: Metadata processing only

Privacy by Default:

  • Minimal data collection out-of-the-box
  • Opt-in for marketing (not opt-out)
  • Secure settings as default
  • Automatic encryption enabled
  • Session timeouts and security features

13. Regular Compliance Reviews

We continuously maintain and improve our GDPR compliance:

Quarterly:

  • Internal privacy audits
  • Security vulnerability assessments
  • Sub-processor compliance reviews
  • Incident response drills

Annually:

  • Comprehensive GDPR compliance audit
  • Privacy policy and documentation updates
  • Staff privacy training refreshers
  • Third-party security assessment

Ongoing:

  • Monitoring of regulatory changes
  • Incorporation of new GDPR guidance
  • Technology and process improvements

14. GDPR Compliance Summary

  • EU-based infrastructure - All data processing in EU
  • Data Protection Impact Assessment - Completed and maintained
  • Privacy by design - Built into our architecture
  • Clear legal basis - For all processing activities
  • Comprehensive rights - Easy to exercise
  • DPA available - For all business clients
  • Breach notification - 72-hour commitment
  • No cross-border transfers - EU-only processing
  • Sub-processor compliance - All GDPR-compliant
  • Regular audits - Ongoing compliance verification
  • Staff training - Privacy-aware team
  • Documentation - Complete processing records

15. Resources

Stay Informed

We publish updates about our privacy practices and GDPR compliance on our blog and send important notifications via email.

Contact Our Data Protection Officer

Have questions about GDPR compliance or need to exercise your data rights? Our DPO is here to help.

Email: privacy@smtpcloud.io

Response Time: Within 2 business days (initial), 30 days (full resolution)

Last updated: November 6, 2025