Privacy policy
Last updated: March 2025
This privacy policy describes how SendAs.me (hereinafter "we") collects, processes, and protects personal data in the context of using the sendas.me service, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection law.
1. Data controller
SendAs.me DPO/GDPR contact: support@sendas.me
2. Data collected and purposes
2.1 Publisher data (SendAs.me clients)
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Email address | Authentication, notifications, billing | Contract performance | Contract duration + 3 years |
| Name / company name | Billing, identification | Contract performance | Contract duration + 10 years (accounting obligation) |
| Billing data (Stripe) | Payment, receipts | Contract performance / Legal obligation | 10 years |
| Connection IP address | Security, fraud detection | Legitimate interest | 12 months |
| API access logs | Debugging, security | Legitimate interest | 90 days |
2.2 End-user data (your clients' clients)
As a data processor acting on behalf of publishers, SendAs.me processes the following data in the name and on behalf of the publisher:
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| OAuth tokens (encrypted) | Sending emails on behalf of the user | Contract performance with publisher | Until revocation + 30 days |
| Email metadata (sender, recipient, subject, status, timestamp) | Logs, debugging, audit | Contract performance with publisher | Publisher contract duration |
SendAs.me acts as a data processor within the meaning of Article 28 of the GDPR for end-user data. The publisher remains the data controller vis-à-vis their own users. A Data Processing Agreement (DPA) is available upon request and concluded with each publisher.
2.3 Navigation data (website)
| Data | Purpose | Legal basis | Duration |
|---|---|---|---|
| Technical cookies (session) | Website operation | Legitimate interest | Session |
| Anonymized analytics | Service improvement | Consent / Legitimate interest | 13 months |
3. Data recipients
Your data may be transmitted to the following sub-processors, acting exclusively on our instructions:
| Sub-processor | Role | Location |
|---|---|---|
| Stripe Inc. | Online payment | United States (Standard Contractual Clauses) |
| OVHcloud | Server hosting | France / EU |
| Google LLC | OAuth authentication (publisher flow) | United States (Standard Contractual Clauses) |
| Microsoft Corporation | OAuth authentication (publisher flow) | United States (Standard Contractual Clauses) |
No data is sold to third parties. No data is used for advertising purposes.
4. Transfers outside the European Union
Some sub-processors (Stripe, Google, Microsoft) are established in the United States. These transfers are governed by Standard Contractual Clauses approved by the European Commission, in accordance with Article 46 of the GDPR.
5. Data security
SendAs.me implements appropriate technical and organizational measures:
- Encryption at rest of OAuth tokens (Fernet / AES-128-CBC algorithm)
- Encryption in transit: TLS 1.2+ on all SMTP and HTTPS connections
- Access control: multi-factor authentication, limited-use API keys
- Data isolation: each publisher account is isolated from others
- Logging and alerts: detection of abnormal access
In the event of a data breach likely to pose a risk to your rights and freedoms, we undertake to notify you within 72 hours in accordance with Article 33 of the GDPR.
6. Your rights (for publishers)
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): obtain a copy of your data
- Right of rectification (Art. 16 GDPR): correct inaccurate data
- Right to erasure (Art. 17 GDPR): request deletion of your data, subject to legal retention obligations
- Right to restriction (Art. 18 GDPR): restrict processing in certain cases
- Right to data portability (Art. 20 GDPR): receive your data in a structured format
- Right to object (Art. 21 GDPR): object to certain processing based on legitimate interest
To exercise your rights, send your request by email to: support@sendas.me
We will respond within one month (extendable to three months in complex cases).
7. Rights of your clients' end users
If you are an end user of an application using SendAs.me, your rights are exercised directly with the software publisher you use. SendAs.me is unable to directly process rights requests from end users, as we are only the publisher's data processor.
8. Complaint to the supervisory authority
If you believe your rights are not being respected, you may lodge a complaint with your national data protection authority. In France, this is the CNIL:
- Website: www.cnil.fr
- Address: 3 place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
9. Cookies
The sendas.me website uses only strictly necessary cookies for the operation of the service (session management, CSRF security). These cookies do not require prior consent.
No tracking or behavioral advertising cookies are used.
10. Changes to this policy
We reserve the right to modify this policy at any time. In the event of a material change, you will be notified by email (for publishers with an active account) or by a notice on the site. The date of the last update is indicated at the top of the document.
11. Contact
SendAs.me support@sendas.me