Privacy Policy — AtPigeon

1. Who is responsible

The data controller is AtPigeon BV, Keizersgracht 421-A, 1016 GC Amsterdam, the Netherlands. You can contact us at [email protected] for any privacy question or to exercise the rights below.

When we host mailboxes for an organisation, that organisation is the controller of the message content; AtPigeon acts as a processor for them. When you sign up directly as an individual, we are the controller. The DPA we offer to organisation customers is available on request.

2. What we collect

Account data: name, email, password hash, language preference, account role.
Domain & mailbox data: domains you connect, DNS check results, mailboxes and aliases you create, app passwords (hashed), session metadata.
Mail content: the body, attachments, headers and envelope of messages you send and receive, stored as .eml files plus PostgreSQL metadata. We do not read this content; we store it so you can.
Billing data: plan, cycle, billing email, invoice history. Card details are handled by Paddle — we never see them.
Operational logs: IP address, user-agent, timestamps for sign-ins, SMTP/IMAP connections, admin changes. Kept for security and abuse-fighting.
Support data: messages you send to [email protected] and our replies.

3. Why we use it (legal bases)

To deliver the service — receive, route, store and serve your mail. Legal basis: contract.
To keep the service running — fight spam, abuse and fraud, monitor uptime, debug. Legal basis: legitimate interests.
To bill you — process payments and issue invoices. Legal basis: contract and legal obligation (tax records).
To talk to you — respond to support, send transactional notices (security alerts, expiry warnings, invoices). Legal basis: contract.
To meet the law — respond to lawful requests, keep records we’re legally required to keep. Legal basis: legal obligation.

We do not sell your data. We do not run advertising. We do not profile you for marketing.

4. Sub-processors we use

We rely on a small number of vendors to run the service. They process data on our behalf, under contract:

Hetzner Online GmbH (Germany): primary hosting and storage of mail and database — EU.
Cloudflare, Inc.: DNS, edge protection and TLS termination for the public site and APIs.
Paddle.com Market Limited: merchant of record — checkout, payments, tax, invoicing.
Postmark (ActiveCampaign): delivery of transactional emails (sign-up, security, billing).

An up-to-date sub-processor list is available on request. We notify customers of new sub-processors at least 30 days before they go live.

5. Where your data lives

Mail bodies, metadata and account data are stored in the European Union. Some operational tooling (logs, error reports, payment processing) may transfer personal data outside the EU; in those cases we rely on the EU Standard Contractual Clauses or an equivalent safeguard.

6. How long we keep it

Mailbox content: kept until you delete it. Deleted messages stay in Trash for the period set on your domain (default 30 days), then are permanently removed.
Closed domains: 30-day grace period after closure, then full deletion.
Operational logs: up to 12 months.
Billing records: kept as long as Dutch tax law requires (currently 7 years).
Support tickets: up to 24 months after closure.

7. Your rights

Under the GDPR, you can ask us to:

give you a copy of the personal data we hold about you (right of access);
correct inaccurate data (right to rectification);
delete your data (right to erasure), unless we’re legally required to keep it;
restrict processing while a complaint is being investigated;
receive your data in a portable format (right to data portability);
object to processing based on legitimate interests.

Email [email protected] and we’ll respond within one month. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your EU country of residence.

8. Security

We encrypt data in transit (TLS 1.2+, MTA-STS, DANE where the recipient supports it) and at rest (AES-256 on storage volumes, with per-mailbox keys for server-side encryption). Passwords are hashed with bcrypt. We run least-privilege access for staff and audit privileged actions. See the Security page for more.

9. Cookies & tracking

On the public marketing site we set no third-party tracking cookies. Inside the apps we set strictly necessary cookies for authentication and CSRF protection only. We don’t use Google Analytics or similar trackers.

10. Children

AtPigeon is not directed at children under 16. If you believe a child has signed up, contact us and we will delete the account.

11. Changes to this policy

We will post any update with a new effective date. For material changes we’ll email account owners at least 30 days before the change takes effect.

12. Contact

Privacy questions: [email protected]. Postal: AtPigeon BV, Keizersgracht 421-A, 1016 GC Amsterdam, the Netherlands.