Privacy Policy

Last updated: March 23, 2026

Effective Date: March 23, 2026

This Privacy Policy describes how Artnode SARL ("Artnode," "Artmail," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use the Artmail platform at artmail.io, including our APIs, SDKs, and related services (the "Service").

Artnode SARL is a company incorporated under the laws of Morocco, with registered offices at Boulevard Mohammed VI N297, Ifrane 53000, Morocco.

1. Roles and Responsibilities

1.1 When We Are the Controller

Artmail acts as the data controller for personal data we collect directly from you as a Customer, including your account information, billing data, usage analytics, and support communications.

1.2 When We Are the Processor

Artmail acts as the data processor for personal data you upload or transmit through the Service, including your contact lists, subscriber data, and email recipient information. In this role, we process your data solely on your instructions and in accordance with our Data Processing Agreement.

1.3 Your Responsibilities as a Controller

When you use Artmail to send emails, you are the data controller for your Recipients' personal data. You are responsible for obtaining valid consent, honoring unsubscribe requests, and complying with applicable data protection laws.

2. Data We Collect

2.1 Account Data

When you create an Account, we collect:

Full name
Email address
Password (stored as a cryptographic hash; we never store plaintext passwords)
Timezone preference
Avatar (optional)

2.2 Billing Data

When you subscribe to a paid Plan, we collect:

PayPal account email
PayPal subscription ID
Transaction history and payment amounts

We do not store credit card numbers, bank account details, or full PayPal account credentials. Payment processing is handled entirely by PayPal.

2.3 Sending Configuration Data

Depending on your setup, we may collect and store:

Managed Sending: Domain verification records, sender identity information (sender name, email address, reply-to address).
BYOS: Your Amazon SES Access Key ID and Secret Access Key, AWS region, and related configuration. These credentials are encrypted at rest using AES-256-GCM before storage.
BYOK: Your third-party AI provider API key (e.g., Anthropic, OpenAI), encrypted at rest using AES-256-GCM.

2.4 Contact and Subscriber Data (Processor Role)

When you import or collect subscriber data, the following may be stored within the Service:

Email addresses
Names
Custom fields and tags you define
Subscription status and consent records
Engagement data (opens, clicks, bounces)
E-commerce data synced from integrations (order history, customer lifetime value)

2.5 Integration Data

When you connect third-party services, we may receive:

Shopify: Store domain, customer data, order history, product catalog, abandoned checkouts, and related e-commerce data, as authorized by your Shopify permissions.
Other integrations: Data as defined by the specific integration's scope and your authorization.

OAuth access tokens and API credentials for integrations are encrypted at rest.

2.6 Usage and Analytics Data

We automatically collect:

Pages visited and features used within the Service
Email campaign performance metrics (sends, opens, clicks, bounces, complaints)
AI feature usage (generation types, credit consumption; not the content of your prompts or outputs)
Browser type, device type, and operating system
IP address and approximate geographic location
Timestamps of actions

2.7 AI Interaction Data

When you use AI-powered features, we process:

Your prompts and instructions
Generated outputs (email content, subject lines, templates)
Session metadata (generation type, model used, token count)

Prompts and outputs are stored within your Account for version history and session continuity. See Section 5 for details on AI data practices.

2.8 Support Communications

When you contact us, we collect the content of your communications, including email messages and any attachments.

3. How We Use Your Data

We use the data we collect for the following purposes:

3.1 Providing the Service

Operating and maintaining the platform
Sending emails on your behalf through Managed Sending or BYOS
Processing AI generation requests
Syncing data from connected integrations
Rendering analytics and deliverability dashboards

3.2 Billing and Account Management

Processing subscription payments through PayPal
Tracking AI credit usage and plan limits
Communicating billing changes, invoices, and payment failures

3.3 Service Improvement

Analyzing aggregate, anonymized usage patterns to improve features
Identifying and resolving bugs, performance issues, and security vulnerabilities
Developing new features based on aggregate usage trends

3.4 Security and Compliance

Detecting and preventing fraud, abuse, and unauthorized access
Enforcing our Terms of Service and Acceptable Use Policy
Monitoring sending practices to protect shared sending infrastructure
Complying with legal obligations

3.5 Communications

Sending transactional emails (verification, password reset, billing alerts)
Sending product updates and feature announcements (you may opt out)
Responding to support requests

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or a jurisdiction that requires a legal basis for processing personal data, we rely on the following:

Purpose	Legal Basis
Providing the Service	Performance of contract (Art. 6(1)(b) GDPR)
Billing and payment processing	Performance of contract
Security and fraud prevention	Legitimate interest (Art. 6(1)(f) GDPR)
Service improvement (aggregated)	Legitimate interest
Legal compliance	Legal obligation (Art. 6(1)(c) GDPR)
Product communications	Consent (Art. 6(1)(a) GDPR)
Support communications	Performance of contract / Legitimate interest

5. AI Data Practices

5.1 No Training on Your Data

Artmail does not use your Customer Data, email content, contact lists, prompts, or AI-generated outputs to train general-purpose AI models.

5.2 Third-Party AI Providers

AI features are powered by third-party providers, currently including Anthropic (Claude). When you use AI features:

Your prompts are sent to the AI provider to generate a response.
Artmail uses API access that is excluded from the provider's model training (per Anthropic's API Terms: data submitted via the API is not used to train models).
If you use BYOK, your prompts are sent using your own API key and are subject to your agreement with the provider.

5.3 AI Session Storage

Prompts and generated content are stored within your Account for session history and version management. You may delete AI sessions through the dashboard.

6. Data Sharing and Disclosure

6.1 We Do Not Sell Your Data

Artnode SARL does not sell, rent, or trade your personal data or your Customer Data to third parties.

6.2 Service Providers (Sub-processors)

We share data with trusted service providers who assist in operating the Service. These sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures. See our Subprocessors page for the current list.

Key sub-processors include:

Amazon Web Services (AWS): Email sending (SES), infrastructure
Neon: Database hosting (PostgreSQL)
Upstash: Redis caching and job queue (QStash)
Cloudflare: CDN, R2 object storage
Anthropic: AI model provider
Replicate: Image generation
PayPal: Payment processing
Vercel: Application hosting

6.3 Integrations You Authorize

When you connect integrations (Shopify, etc.), data flows between Artmail and the third-party platform as necessary to provide the integration. This data sharing is initiated and controlled by you.

6.4 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Artnode, our users, or the public.

6.5 Business Transfers

In the event of a merger, acquisition, or asset sale involving Artnode SARL, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.

7. Data Security

7.1 Encryption

At rest: Sensitive credentials (SES keys, BYOK API keys, OAuth tokens) are encrypted using AES-256-GCM with unique initialization vectors.
In transit: All data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher.
Passwords: Stored as salted cryptographic hashes; never in plaintext.

7.2 Access Controls

Access to Customer Data within Artmail's systems is restricted to authorized personnel on a need-to-know basis. Administrative access requires multi-factor authentication.

7.3 Infrastructure Security

The Service runs on infrastructure provided by SOC 2–compliant cloud providers. Database connections are encrypted and isolated per tenant.

7.4 Incident Response

In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR).

8. Data Retention

Data Type	Retention Period
Account data	Duration of Account + 30 days after deletion
Billing records	7 years (legal/tax requirement)
Email campaign analytics	Duration of Account
Contact/subscriber data	Until you delete or Account closure + 30 days
AI session data	Until you delete or Account closure + 30 days
SES/BYOK credentials	Until you disconnect or Account closure
Server logs	90 days
Support communications	3 years or duration of Account

After the retention period, data is permanently deleted or irreversibly anonymized.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Access

You may request a copy of the personal data we hold about you.

9.2 Rectification

You may request correction of inaccurate or incomplete personal data.

9.3 Erasure

You may request deletion of your personal data, subject to legal retention requirements.

9.4 Restriction

You may request that we restrict processing of your personal data in certain circumstances.

9.5 Portability

You may request a machine-readable copy of your personal data.

9.6 Objection

You may object to processing based on legitimate interest.

9.7 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

9.8 Exercising Your Rights

To exercise any of these rights, contact us at contact@artmail.io. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

9.9 Supervisory Authority

If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority.

10. International Data Transfers

Artnode SARL is based in Morocco. Your data may be processed in countries outside your jurisdiction, including the United States (AWS, Vercel, Anthropic) and other countries where our sub-processors operate.

Where data is transferred outside the EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Sub-processor compliance with recognized frameworks
Contractual data protection obligations

11. Cookies and Tracking

11.1 Essential Cookies

We use essential cookies for authentication, session management, and security. These are necessary for the Service to function.

11.2 Analytics

We may use analytics tools to understand aggregate usage patterns. Analytics data is collected in anonymized or pseudonymized form where possible.

11.3 No Third-Party Advertising

Artmail does not serve third-party advertisements or use advertising tracking cookies.

11.4 Email Tracking

When you send emails through Artmail, open and click tracking may be enabled by default. Your Recipients can disable image loading in their email client to prevent open tracking. You may disable tracking on a per-campaign basis.

12. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at contact@artmail.io and we will delete it promptly.

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to Know: You may request details about the categories and specific pieces of personal data we collect.
Right to Delete: You may request deletion of your personal data.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
No Sale of Data: We do not sell personal information as defined by the CCPA.

To exercise CCPA rights, contact us at contact@artmail.io.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision.

15. Contact Us

For privacy-related questions, requests, or complaints:

Artnode SARL
Boulevard Mohammed VI N297
Ifrane 53000, Morocco

Email: contact@artmail.io
Alternative: contact@artnode.com

By using Artmail, you acknowledge that you have read and understood this Privacy Policy.