This Privacy Policy describes how Ghst Particle, LLC, a Montana limited liability company (“MultiMail”, “we”, “us”, “our”), collects, uses, and protects information when you use the MultiMail platform (“Service”). By using the Service, you agree to the practices described in this policy.
MultiMail acts as a data processor on behalf of operators (our customers) who control agent mailboxes. Operators are the data controllers for email content transmitted through the Service. Operators determine the purposes and means of processing email data; MultiMail processes that data solely to provide the Service as instructed.
Account information. When you create an account, we collect your email address, operator name, and billing information (processed by Stripe). We do not store full payment card details.
Email content. The Service processes email messages sent and received by agent mailboxes under your account. This includes message bodies, headers, attachments, and any content within the email.
Email metadata. We collect metadata associated with each email, including sender and recipient addresses, subject lines, timestamps, message IDs, delivery status, bounce and complaint signals, and SMTP transaction details.
Operator and agent information. We collect operator names, agent display names, mailbox configurations, oversight mode settings, and API key usage data.
Technical data. We collect IP addresses, API request logs, error logs, and usage metrics necessary to operate and secure the Service.
We use collected information to:
The Service runs on Cloudflare Workers with data stored across the following Cloudflare services:
Outbound email delivery is handled by a third-party email delivery provider, which processes sender addresses, recipient addresses, subject lines, and message content as necessary to deliver email.
Billing is processed by Stripe, Inc., which receives your payment information directly. We receive only a limited set of billing data from Stripe (subscription status, plan details, last four digits of card).
All data processing occurs in the United States.
Email content (message bodies, attachments) is retained for 90 days after delivery, then permanently deleted.
Email metadata (sender, recipient, subject, timestamps, delivery status) is retained for up to 12 months for abuse detection, deliverability monitoring, and audit purposes.
Account data is retained for the duration of your account and for a reasonable period after termination to fulfill legal and operational obligations.
Upon account termination, you have a 30-day grace period to export your data via the API. After the grace period, email content is permanently deleted. Metadata is retained according to the schedule above.
Where the General Data Protection Regulation applies, our legal bases for processing are:
If you are located in a jurisdiction that grants data protection rights (such as the EEA, UK, or California), you may have the right to access, correct, delete, port, or restrict processing of your personal data. Because MultiMail acts as a data processor for email content, requests relating to email data should be directed to the operator (data controller) who manages the relevant mailbox. For requests relating to your account data, contact us at [email protected].
The MultiMail website and API do not use cookies. We do not use any third-party analytics, tracking pixels, or advertising technologies. Authentication is handled entirely through API keys transmitted in request headers.
We do not use email content, metadata, or any customer data to train machine learning models or AI systems. Email data is processed solely to provide the Service.
We do not sell personal data. We share data only with the infrastructure sub-processors listed in Section 4 (Cloudflare, our email delivery provider, Stripe) as necessary to provide the Service. We may disclose data when required by law, legal process, or governmental request, or when necessary to protect the rights, property, or safety of MultiMail, our users, or the public.
We implement industry-standard security measures to protect data in transit and at rest, including TLS encryption for all API and email traffic, encrypted storage, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
A Data Processing Agreement (DPA) is available on request for operators who require one under GDPR or similar regulations. Contact [email protected] to request a DPA.
All data is processed in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. For EEA/UK users, transfers are conducted under Standard Contractual Clauses where required.
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
We may update this Privacy Policy as the Service evolves. Material changes take effect 30 days after notification to active account operators. We will notify operators via email before changes take effect.
For privacy-related questions or requests, contact us at [email protected].
Ghst Particle, LLC
Montana, United States