Privacy Policy
Mailbird is an early-stage product — these policies will evolve. Last updated April 2026.
1. Who we are
Mailbird ("we," "us") is an email infrastructure product built in Europe. You can reach us at support@mailbird.io.
This policy explains what information we collect when you use Mailbird, how we use it, and the choices you have. It applies to mailbird.io and the application at app.mailbird.io.
2. Information we collect
We deliberately collect as little as possible. Specifically:
- Account information. Your email address, hashed password, and any name you provide. Required to authenticate you and contact you about the service.
- Billing information. Handled entirely by our payment processor, Polar.sh. We receive a subscription status, an invoice ID, and the email address used for billing — we do not see or store your card details.
- Server connection details. If you connect a VPS, we store its IP address, SSH port, SSH username, and an encrypted SSH credential (key or password). The credential is encrypted at rest with a Fernet key that we hold; we use it only to provision and manage the mail server you have connected.
- Operational metadata. Email send/receive metadata — message IDs, recipient addresses, timestamps, delivery status — to populate your dashboard and webhooks. We do not collect or store the body of your email messages. Email content lives on your VPS.
- Support communications. Anything you send us by email is retained for as long as needed to help you, and then archived or deleted on request.
- Logs. Standard web server logs (IP, user agent, request path, timestamp) for debugging and abuse prevention. Retained for 30 days.
3. How we use information
- To operate the service: authenticate you, provision your VPS, surface your sending and receiving activity in the dashboard.
- To bill you: pass a subscription identifier to Polar.sh and receive back a status.
- To support you: respond to questions, investigate problems, communicate service updates that materially affect you.
- To prevent abuse: detect spam, fraud, and policy violations under our Acceptable Use Policy.
- To comply with law: respond to valid legal requests where we have a legal obligation to do so.
We do not sell your data. We do not show third-party ads inside the Mailbird application, and we do not share customer data with third parties for their own marketing purposes.
We do run paid advertising to promote Mailbird (currently Google Ads). Both mailbird.io and app.mailbird.io load Google's gtag.js so we can measure which campaigns drive sign-ups and run remarketing to people who've visited Mailbird. Cookie details and opt-out links live in our Cookie Policy.
4. Data storage and security
Account data is stored in Supabase (PostgreSQL) in the EU. SSH credentials and SMTP passwords are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256). Connections to our application use TLS 1.2+ exclusively.
Email content does not pass through our servers. Your mail server runs on your VPS; we manage configuration but do not relay mail.
5. Subprocessors and third parties
We use a small set of subprocessors to operate Mailbird:
- Supabase — application database and authentication. Data is hosted in the EU.
- Polar.sh — subscription billing and customer portal. They process payment information directly; we receive only the result.
- Google (Google Ads) — campaign measurement and remarketing via gtag.js on both mailbird.io and app.mailbird.io. Google receives standard pageview metadata (URL, referrer, user agent, IP) and sets cookies as described in our Cookie Policy. Google acts as an independent controller for the ad-attribution and remarketing data it collects.
- Cloud infrastructure — the application server and the marketing site are hosted with European-region cloud providers; the current list is available on request.
If you require a Data Processing Agreement, contact us at support@mailbird.io.
6. Your rights
If you are in the EU, UK, or another jurisdiction with similar privacy laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion ("right to be forgotten") subject to our legal obligations to retain certain records.
- Receive a portable copy of your account data.
- Object to or restrict certain processing activities.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@mailbird.io. We aim to respond within 30 days.
7. International data transfers
Where personal data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) or equivalent legal mechanisms. Contact us at support@mailbird.io for details.
8. Children's data
Mailbird is not intended for users under 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have, please contact us so we can delete it.
9. Changes to this policy
We will update this page when our practices change. Material changes will be communicated by email to active account holders at least 30 days before they take effect.
10. Contact
Questions about this policy or our handling of your data: support@mailbird.io.