Privacy Policy

Last updated: April 12, 2026

1. Introduction

RegMail ("we", "our", "the Service") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

2. Data We Collect

2.1 Account Information

  • Email address (used for account login and OTP verification)
  • Password (stored as a bcrypt hash; we never store plain-text passwords)

2.2 Google Account Data

  • Google email address (to identify which Google account is connected)
  • OAuth refresh token (to maintain Gmail API access for sending emails)
  • OAuth access token (temporary, refreshed automatically)

We do not access your Gmail inbox, contacts, calendar, Google Drive, or any other Google service. We only request the minimum scope necessary to send emails on your behalf (gmail.send).

2.3 API Keys

  • API key values (generated by the Service)
  • API key names (chosen by you)
  • Last usage timestamp

2.4 Email Content

When you send an email through our API, we process the recipient address, subject, and body content in transit to forward the request to the Gmail API. We do not store, log, or retain the content of any emails sent through the Service.

2.5 OTP Verification

  • OTP codes are generated for account verification and login
  • Codes expire after 10 minutes and are marked as used after verification
  • We store OTP records temporarily for security auditing purposes

3. How We Use Your Data

  • To authenticate you and manage your account
  • To send emails on your behalf via the Gmail API
  • To send OTP verification codes to your email
  • To validate API keys on incoming requests
  • To maintain and improve the Service

We do not sell, rent, share, or trade your personal data with third parties for marketing or advertising purposes.

4. Data Storage and Security

  • Account data is stored in a PostgreSQL database hosted on Neon (cloud database provider)
  • Passwords are hashed with bcrypt before storage
  • Google OAuth tokens are stored encrypted at rest in the database
  • All communication between the Service and your browser is encrypted via HTTPS
  • API keys are generated using cryptographically secure random bytes

5. Third-Party Services

The Service integrates with the following third-party services:

6. Data Retention

  • Account data is retained as long as your account is active
  • OTP records are retained for 30 days for security auditing, then deleted
  • Email content is never stored and is only processed in transit
  • Upon account deletion, all associated data (profile, API keys, Google tokens) is permanently removed

7. Your Rights

You have the right to:

  • Access - Request a copy of your personal data
  • Rectification - Request correction of inaccurate data
  • Deletion - Request deletion of your account and all associated data
  • Revoke Google Access - Disconnect your Google account at any time via the dashboard or through Google Account Settings
  • API Key Management - Create, view, or delete API keys at any time
  • Data Portability - Request your data in a machine-readable format

8. Cookies

RegMail does not use tracking cookies, analytics cookies, or advertising cookies. Authentication is handled via JSON Web Tokens (JWTs) stored in your browser's local storage. No third-party tracking scripts are loaded.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We recommend reviewing this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us through the Service dashboard or by email at the address provided on our website.