Privacy Policy
Last updated: May 26, 2026
This Privacy Policy explains how Seven16 Group (“we,” “us”) collects, uses, and shares information through Seven16 Email (the “Service”). It covers two distinct relationships:
- Account holders — businesses and individuals who sign up to use the Service. We are the controller of your personal information.
- Recipients — people whose email addresses our account holders upload to send messages to. Our account holders are the controllers of recipient data; we are a processor acting on their behalf.
1. Information we collect
From account holders
- Account details: name, email, role, password hash (only if using password auth — we default to Google OAuth and magic-link).
- Organization details: company name, address (for CAN-SPAM compliance), brand assets, persona/vertical, timezone.
- Billing details: handled by our payment processor; we store only the last four digits of your card and your billing plan tier.
- Usage logs: IP address, browser type, pages viewed, actions taken — used for security, abuse detection, and product analytics.
From recipients (uploaded by account holders)
- Contact details (name, email, phone, company, title).
- Custom fields the account holder defines.
- Engagement data: opens, clicks, bounces, complaints, unsubscribes, replies — collected from email service providers (Resend) and our tracking pixels/redirect links.
2. How we use the information
- To operate the Service: send your messages, render your campaigns, surface reporting, enforce suppression and unsubscribe rules.
- To bill you for the plan and overages you elect.
- To protect the Service and our infrastructure: detect abuse, throttle high-bounce senders, prevent fraud.
- To send you transactional and account-related messages (verification, billing receipts, security notices, important product changes). You cannot opt out of these.
- To send you marketing emails about the Service, only if you opt in.
We do not sell personal information. We do not use recipient data to train AI models without explicit account-holder consent.
3. Sub-processors
We rely on the following sub-processors to deliver the Service. Each is bound by a data-processing agreement and processes data only on our documented instructions.
- Supabase — primary database, authentication.
- Vercel — application hosting, edge network.
- Resend — email delivery infrastructure.
- Cloudflare — DNS, DDoS protection, CDN.
- Sentry — error monitoring (with PII scrubbing enabled).
- Stripe (when billing is enabled) — payment processing.
- Google (when used) — OAuth identity provider.
4. Data retention
- Account data: retained for the life of your account plus 30 days after termination, then deleted (subject to any legal hold).
- Contact and engagement data: retained while you remain a customer. You may delete contacts and bulk-clear engagement history at any time via the Service.
- Suppression list: retained indefinitely as long as your account is active, to honor unsubscribe and bounce signals across campaigns. Required by CAN-SPAM.
- Webhook events / raw provider payloads: retained for 90 days for replay and audit purposes.
- Logs and traces: retained for 30 days.
- Billing records: retained for 7 years per tax law.
5. Your rights
If you are an account holder
You can access, correct, or export your account and organization data at any time via the Service. To delete your account, contact privacy@seven16email.com.
If you are a recipient
You can unsubscribe from any marketing message via the unsubscribe link in every email. To request access to, correction of, or deletion of your data, contact the sender of the message directly — they are the controller of the data. You may also contact us at privacy@seven16email.com and we will route your request to the appropriate account holder within 5 business days.
Jurisdiction-specific rights
- California (CCPA / CPRA): you have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
- EEA / UK (GDPR / UK-GDPR): you have rights of access, rectification, erasure, restriction, portability, and objection. For account holders' data, our lawful basis for processing is contractual necessity; for recipients' data, it is the legitimate interest of our account holders (subject to their lawful basis).
- Other US states: we honor equivalent rights under Virginia, Colorado, Connecticut, Utah, and Texas privacy laws.
6. International transfers
Our infrastructure is primarily located in the United States. By using the Service, you consent to the transfer of your data to the US. For transfers from the EEA / UK, we rely on Standard Contractual Clauses and equivalent safeguards.
7. Security
We use industry-standard safeguards including encryption in transit (TLS 1.2+), encryption at rest, role-based access control, per-tenant database row-level security, signature-verified webhooks, and HMAC-signed unsubscribe tokens. No system is perfectly secure; we recommend you enable two-factor authentication, restrict API keys to the minimum scope, and review your team-member list regularly.
8. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children.
9. Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes by email or in-app banner. The “Last updated” date at the top reflects the most recent change.
10. Contact
Privacy questions, access requests, or complaints: privacy@seven16email.com.