Privacy policy

last updated: July 6, 2026 · plain-English summaries are part of the policy, not decoration

1 · What we collect

tl;dr — your account email, your billing info (via Stripe), and the test email and SMS you point at us

Account data: the email addresses on your workspace — the one you sign up with and any team members you invite — and session metadata. Billing data: handled by Stripe; we store only your Stripe customer ID. Message content: the emails your systems send to your MailFixture inboxes — headers, bodies, attachments, and the values we extract from them — and the SMS your systems send to your MailFixture phone numbers. Usage data: API request logs (endpoint, timestamp, key prefix, status) retained up to 30 days for debugging and abuse prevention.

2 · What we don't do with it

tl;dr — no selling, no ads, no training models on your email. ever.

We do not sell or rent any of your data. We do not use message content for advertising, profiling, or training machine-learning models — extraction runs deterministic parsers, not your data as fuel. We read message content only when you open a support ticket that requires it, and we tell you when we did.

3 · Retention and deletion

tl;dr — messages age out per your plan (3–30 days), then they're gone. actually gone.

Messages — email and SMS alike — are hard-deleted when your plan's retention window ends (Free 3 days, Solo 14 days, Team and Scale 30 days), when their inbox or phone number is deleted, or when you delete them — whichever comes first. Deletion removes rows and stored blobs, including backups within 30 days. Closing your account deletes all message content within 72 hours; billing records are kept as long as tax law makes us.

4 · Subprocessors

tl;dr — seven, and we'll email you 30 days before adding an eighth
PROVIDERPURPOSELOCATION
netcupHosting, storage, mail ingestionUS
StripePayments, invoicingUS
ResendTransactional account email (magic links, notices)US
TelnyxPhone-number provisioning, inbound SMS carriageUS
CloudflareObject storage (R2) for large raw messages and backups; bot protection (Turnstile) on the sign-in and signup pagesUS / global
PlausibleCookieless website analyticsEU
AhrefsCookieless website analytics (public site)SG / global

5 · GDPR & your rights

tl;dr — we're the processor for message content; export or erase on request

For message content, you are the controller and we are the processor; if you need a DPA, email us and we'll sort it out. For your account data, we are the controller. You can access, export, correct, or erase your data by emailing privacy@mailfixture.com; we respond within 30 days, usually much faster.

6 · Cookies

tl;dr — one session cookie in the app. no banner because there's nothing to consent to.

The dashboard sets a single first-party session cookie to keep you signed in. The site sets none — analytics (Plausible, and Ahrefs on the public site) are cookieless and collect no personal data, and the bot check on the sign-in and signup pages (Cloudflare Turnstile) is likewise cookieless. No cross-site trackers anywhere.

7 · Changes & contact

Material changes get 30 days' email notice and a diff of exactly what changed. Questions: privacy@mailfixture.com.