Privacy Policy

Last updated: May 3, 2026

This Privacy Policy explains how Smailor and EpicBots (collectively, "we", "us", or "our") collect, use, disclose, and protect personal data in connection with our website, applications, and the Smailor service (the "Service").

We may be reached at the contact details in our Legal notice and, for privacy matters, at [email protected].

By using the Service, you acknowledge that you have read this notice. If you are in the EEA, UK, or Switzerland, and where the GDPR or equivalent law applies, additional rights and obligations apply as described in Section 5.

1. Scope: who this applies to

This policy covers:

  • Account owners and end users who use Smailor in an organization, and
  • Visitors of our public website (e.g. marketing, login, and registration pages),

unless a separate controller–processor agreement (e.g. a Data processing agreement, DPA) governs the processing of personal data for which you are the controller and we act on your instructions (e.g. your helpdesk customers’ data inside tickets).

Children. The Service is not directed to individuals under 16 (or a higher age where the law of your country of residence requires it). We do not knowingly process children’s data for these purposes. If you believe we have, please contact us.

2. What we collect

We may process the following categories, depending on how you use the Service.

2.1 Account and identity

  • Email address, name, and authentication data (e.g. password hash, OAuth identifiers with Google or Discord, session tokens)
  • At signup, where we collect them for account creation and eligibility, age and gender (as provided by you); registration IP address stored with the account to enforce reasonable signup limits from a single network and for security reviews
  • A normalized variant of your address on certain major mail domains (local-part rules such as removing dots before @ or ignoring plus-tags) used to correlate related aliases for abuse prevention
  • Role, group, and permission data you configure

2.2 Service content

  • Emails, tickets, attachments, template text, auto-reply and AI-assisted content when you use such features, and API payloads and webhook events, to the extent they contain personal data of your users, your customers, or third parties.

2.3 Billing and payments (paid plans)

  • Billing contact, invoicing and address as needed, plan and usage data
  • We use payment providers; we do not store full payment card numbers on our servers. Card data is handled by the payment processor under their terms.

2.4 Technical and usage data

  • IP address at registration (see Section 2.1) and, where applicable, on login or other interactions; approximate location (derived where we use IP for fraud, security, or tax), user agent, device and browser type, log and error data, timestamps
  • Diagnostics to operate and secure the Service, including abuse detection

Signup bot protection. When Cloudflare Turnstile is configured on our deployment, completing password-based signup includes a short verification mediated by Cloudflare (cookies may apply — see Cookie policy). We send the resulting single-use token server-side for validation and do not treat that flow as substitute legal consent for non-essential marketing. (OAuth signup paths use the identity provider instead.) Legal bases (GDPR Art. 6(1)(b) and (f)) mirror other security measures; you may object where applicable (Art. 21) after discussing proportionality.

Historical note. Older builds may still display deprecated columns (fingerprint_hash) for staff review tools; we no longer accept forgeable browser fingerprints from signup forms.

2.5 Cookies and similar tools

  • Essential cookies and local storage to log you in and keep sessions secure
  • If we use analytics or marketing tools that are non-essential, we will seek consent where required (e.g. European ePrivacy and similar rules) and as described in our Cookie policy

3. How we use personal data

We process data on the following legal bases (GDPR Art. 6 where applicable): contract (providing the Service to you), legitimate interests (e.g. security, product improvement, and fraud prevention, balanced against your rights), legal obligation (e.g. accounting, tax, or regulatory requests), and, where we ask for it, consent (e.g. some cookies or newsletters).

Purpose | Description
Provide the Service | Accounts, authentication, routing, and storing content you process
Billing and taxes | Invoicing, VAT and tax determination, dunning, and support related to payments
Security and abuse | Detect, prevent, and respond to unauthorized access, spam, fraud, and TOS violations
Communicate with you | Transactional emails, Service and safety notices, and, where you opt in, product news
Comply with law | Responding to valid legal requests and enforcing our Terms
Improve the Service | Aggregated and pseudonymized analytics to understand reliability and usage; we do not use your private messages to train public ML models for third parties unless you separately agree in clear terms in the product

Automated decision-making: We do not use fully automated decision-making with legal or similar significant effect on you without human review where the law requires it, except limited security and fraud checks (e.g. blocking a login attempt as suspicious), which you may contest by contacting us.

AI and suggestions. AI-assisted drafting and classification features run on a self-hosted model (Qwen 2.5, 1.5 B) hosted on our own infrastructure in Germany. No data is sent to any third-party AI provider. You are responsible for verifying outputs before you rely on them.

4. Sharing and processors

We do not sell your personal data. We may share with:

  • Service providers (processors): e.g. hosting, email, payment, logging, and infrastructure, who process data on our instructions and under agreements
  • Professional advisers, courts, and regulators, as required
  • Corporate reorganization, if the Service or assets are transferred, with notice where the law requires

International transfers. If we transfer data outside the EEA/UK/Switzerland, we use Standard Contractual Clauses, UK addenda, or other mechanisms the law approves, and, where needed for the transfer, supplementary measures following a TIA-style assessment.

5. Data subject rights (EEA, UK, and similar)

If the law of your jurisdiction grants you the following, you may:

  • Access, rectify, delete, and port your data, object to certain processing, restrict processing, and, where the law grants, withdraw consent (without affecting lawfulness before withdrawal)
  • Lodge a complaint with a data protection authority, e.g. in the EEA your local DPA, or in the UK the ICO
  • Name a DPR in the EU, if we require one under Art. 27 GDPR, as listed in our Legal notice (if applicable)

Requests may be made through [email protected]. We may need to verify your identity before we disclose or change information.

California and other U.S. state privacy laws. If you are a California resident, you may have access, deletion, and opt-out of sale or sharing rights. We do not sell personal information in the sense of California’s CCPA/CPRA without offering the rights the law requires. If we use a Global Privacy Control signal where we honor it, we will describe that in a U.S. addendum.

6. Retention

We keep data for as long as your account is active and as needed to provide the Service, and then in de-identified, aggregated, or limited form where permitted, for:

  • Legal, accounting, and evidence purposes (statutes and fraud may require longer)
  • Dispute resolution and TOS enforcement for a reasonable period after termination of the Service (often 3–6 years depending on the type of data and the jurisdiction)

You can export and request deletion in settings where that feature exists; we may retain an anonymized or redacted copy in rare cases the law allows for the security and integrity of backups.

Logs and security events are retained for a limited, security-appropriate period (for example 12–24 months) unless the law or an ongoing inquiry requires longer retention.

7. Security

We use technical and organizational measures (for example encryption in transit, access controls, and monitoring) appropriate to the risk, but no system is fully secure. Use 2FA and strong passwords if we offer them.

8. Changes to this policy

We will post the updated policy on the website and change the last updated date. Material changes may be announced in the product or by email. Continued use after the effective date may be treated as acceptance where the law allows. Where consent is required, we will seek it.

9. Contact

For privacy questions, contact [email protected] and see the Legal notice for postal and company details.