Privacy Policy

This Privacy Policy explains how Mermail LLC collects, uses, shares, and protects information when you use Mermail's privacy-first email inboxes for AI agents.

Last Updated: July 2, 2026

Company: Mermail LLC

Mermail is designed for privacy-first mailbox workflows. Customers remain responsible for their own notices, consents, legal bases, and compliance obligations when they configure agents, mailboxes, integrations, and automations.

1. Scope

This Privacy Policy explains how Mermail LLC ("Mermail," "we," "our," or "us") collects, uses, shares, and protects information when you use the Mermail website, console, APIs, agent inboxes, and related services (the "Service").

Mermail provides privacy-first email inboxes and APIs for AI agents and software teams. This policy applies to information collected from account holders, workspace members, developers, visitors, and message participants whose information is processed through the Service.

2. Information We Collect

We may collect the following categories of information:

  • Account and profile information, such as name, email address, avatar, authentication identifiers, organization details, and workspace preferences.
  • Workspace and team information, such as workspace names, roles, invitations, membership settings, billing administrators, and usage limits.
  • Mailbox and message information, such as mailbox addresses, aliases, folders, labels, threads, message metadata, message bodies, attachments, drafts, outbound messages, delivery events, and suppression status.
  • Developer and integration information, such as API keys, OAuth client metadata, webhook URLs, custom domain settings, DNS configuration status, connected provider identifiers, and agent registration details.
  • AI workflow information, such as prompts, instructions, draft responses, tool calls, triage rules, automation settings, and related context that you choose to process through the Service.
  • Billing and subscription information, such as plan tier, subscription status, customer IDs, order references, payment-provider metadata, invoices, taxes, credits, and usage counters.
  • Usage, device, and analytics information, such as browser and device details, IP-derived approximate location, referral data, product interactions, logs, diagnostics, rate-limit events, and security events.
  • Support and communications information, such as messages you send to us, feedback, support requests, demo requests, and operational troubleshooting records.

3. Sources Of Information

We collect information directly from you, automatically, and from service providers.

  • Directly from you when you create an account, configure a workspace, create inboxes, connect integrations, send mail, or contact us.
  • From your organization or teammates when they invite you to a workspace or administer a shared account.
  • Automatically from your use of the Service, including application events, API activity, mailbox routing events, and security telemetry.
  • From service providers that support the Service, such as authentication, hosting, analytics, billing, email routing, and AI infrastructure providers.
  • From inbound and outbound email systems when messages are sent to, received by, or routed through Mermail-managed inboxes.

4. How We Use Information

We use information to operate, secure, and improve the Service, including to:

  • Authenticate users and manage accounts, workspaces, roles, and permissions.
  • Create, route, receive, store, search, display, draft, send, and organize email for authorized users and agents.
  • Operate APIs, webhooks, custom domains, connected inboxes, automation rules, and developer tooling.
  • Provide AI-assisted drafting, triage, summarization, and agent workflow features at your direction.
  • Enforce usage limits, rate limits, anti-abuse safeguards, deliverability protections, and security controls.
  • Process subscriptions, billing changes, customer portal requests, invoices, taxes, and plan entitlements.
  • Respond to support requests, debug incidents, monitor reliability, and improve product quality.
  • Detect, investigate, and prevent fraud, abuse, unauthorized access, spam, malware, phishing, and policy violations.
  • Comply with legal obligations and enforce our agreements and policies.

5. Customer Content And Mailbox Data

Customers decide what mailbox data, message content, attachments, prompts, instructions, and related materials they process through Mermail. For Customer Content, Mermail generally acts as a service provider or processor and processes that information on the customer's behalf to provide the Service.

Mermail also acts as an independent controller for limited business information we need to operate our company, such as account administration, billing, security, support, legal compliance, fraud prevention, website analytics, and product communications.

Mermail is designed around data minimization and privacy-first access controls. Mailbox contents are encrypted at rest in storage systems we control or configure for the Service, and decrypted access is limited to authorized workflows, users, agents, and service operations needed to provide the Service.

You are responsible for ensuring that you have the rights, notices, consents, and lawful bases required to process mailbox data and message participant information through the Service.

7. AI Features

Mermail may provide AI-assisted features for agent workflows, drafting, classification, summarization, task triage, and response generation.

When you use AI features, we may process prompts, mailbox context, message content, instructions, and generated outputs as needed to provide the requested feature. You are responsible for reviewing AI-generated output before sending, publishing, or relying on it.

8. Cookies, Analytics, And Similar Technologies

We may use cookies, browser storage, logs, analytics tools, and similar technologies to operate the website and console, understand product usage, measure reliability, secure accounts, and improve the Service.

Some technologies are strictly necessary for authentication, security, routing, preferences, fraud prevention, and product operation. Where applicable law requires consent or opt-out controls for non-essential analytics, advertising, or similar technologies, we will use appropriate controls or limit those technologies as required.

Where possible, we limit analytics on authenticated product surfaces and avoid collecting raw message content for marketing analytics. Browser settings, privacy controls, and any consent tools we provide may affect how cookies and analytics technologies operate.

9. How We Share Information

We may share information in the following circumstances:

  • With service providers that help us run the Service, such as hosting, storage, authentication, analytics, billing, support, email routing, deliverability, security, and AI infrastructure providers.
  • With members of your workspace based on their role, permissions, and the features available within the product.
  • With administrators and personnel who need access for operations, support, fraud prevention, compliance, or security.
  • When required by law, legal process, court order, subpoena, or a valid governmental request.
  • In connection with a merger, financing, acquisition, restructuring, or sale of assets.
  • To protect rights, safety, property, the Service, our users, message recipients, or the public.

10. Service Providers, Subprocessors, And Integrations

The Service may rely on third-party providers for functions such as hosting, storage, authentication, billing, analytics, AI processing, email routing, deliverability, monitoring, and customer support. Our providers may change over time as the Service evolves.

If you connect third-party integrations or configure custom domains, your use of those integrations may also be subject to the applicable provider's terms and privacy practices.

Enterprise customers may request our current subprocessor information, Data Processing Addendum, and available transfer terms, including Standard Contractual Clauses where applicable, by contacting [email protected].

11. Data Retention

We retain information for as long as reasonably necessary to provide the Service, maintain security and operational records, comply with legal obligations, resolve disputes, enforce agreements, and support legitimate business needs.

Retention periods may differ depending on the type of data. For example, account records, billing records, security logs, mailbox metadata, message content, attachments, deleted-item backups, and support records may be retained for different periods based on product, security, operational, or legal requirements.

Customers may be able to delete or export certain mailbox data through the Service. Some information may remain in backups, audit logs, billing records, or security records for a limited period where permitted by law.

12. Security And Compliance Readiness

We use reasonable technical and organizational measures designed to protect information, including access controls, encryption in transit, encryption-at-rest patterns for sensitive data, logging, monitoring, rate limiting, and vendor review practices.

Mermail is built to support GDPR-ready customer workflows and SOC 2-ready vendor security reviews. This means we design our processes around data minimization, access control, auditability, incident response, confidentiality, availability, and privacy control expectations.

Unless we state otherwise in a signed agreement or published trust document, references to GDPR readiness or SOC 2 readiness do not mean that Mermail has completed a formal certification, attestation, or audit. Enterprise customers may request available security documentation under NDA.

No method of transmission or storage is completely secure, and we do not guarantee absolute security.

13. International Transfers

Mermail LLC is organized in the United States. We and our service providers may process information in the United States and other countries that may have data protection rules different from those in your jurisdiction.

Where applicable, we use appropriate safeguards for international transfers and support customers with reasonable information needed for their own compliance assessments. For transfers from the European Economic Area, United Kingdom, or Switzerland, these safeguards may include Standard Contractual Clauses, transfer addenda, or other lawful transfer mechanisms.

14. Your Choices And Rights

Depending on your location and applicable law, you may have rights to request access to, correction of, deletion of, portability of, or restriction of certain personal information.

You may also have the right to object to certain processing, withdraw consent where processing is based on consent, opt out of certain marketing communications, appeal certain privacy-rights decisions where applicable, or use an authorized agent where applicable law allows.

To make a request, contact us at [email protected]. We may need to verify your identity, authority, account ownership, or relationship to the relevant workspace before fulfilling a request. We will not discriminate against you for exercising privacy rights.

If your information is processed by a Mermail customer and Mermail acts as a processor or service provider, we may direct you to that customer so they can respond as the party that controls the relevant mailbox or workflow.

15. US State Privacy Notice

Some US state privacy laws provide additional rights, such as the right to know, access, correct, delete, obtain a portable copy of certain personal information, opt out of certain targeted advertising, sales, or sharing, and limit certain uses of sensitive personal information.

As of the effective date above, Mermail does not sell personal information for money. If we engage in activities that applicable law treats as a sale, sharing, targeted advertising, or use of sensitive personal information requiring an opt-out, we will provide the notices and controls required by law.

We use sensitive personal information only as reasonably necessary to provide, secure, maintain, and improve the Service, comply with law, and support customer-requested workflows.

16. Children's Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18 for our own independent business purposes.

17. Changes To This Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the Service, by email, or by updating the effective date above.

18. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact Mermail LLC at [email protected].
