Privacy Policy
Last updated: 13 June 2026
This policy explains what data Mailjar ("Mailjar", "we", "us") collects, why, where it lives, and your rights over it. Mailjar is a receive-only inbound-email capture service: it accepts mail sent to addresses on domains you connect, parses it, and makes it available to you over a web inbox and an API. We've tried to keep this readable rather than lawyerly.
1. Who we are
Mailjar is operated by the Mailjar team. For any privacy question, or to exercise the rights below, contact [email protected].
2. What we process
- Account data. When you sign in with Google, we receive your email address (and the fact that you signed in). We use it to identify your account and scope your data. We don't get your Google password.
- Captured email. Mail sent to your Mailjar addresses — envelope, headers, subject, text and HTML bodies, attachments — and the values we extract from it (e.g. OTPs, links, sender/recipient). This content may include personal data of the people who emailed you. For that content you are the data controller and Mailjar acts as your processor (see §8).
- Usage data. API keys (stored hashed), API/MCP request metadata, and basic operational logs used to run and secure the service.
- Integration data. Only if you set it up: a Telegram chat ID you link, or webhook URLs you configure for delivery.
3. Why we process it (legal bases)
- To provide the service — capturing, parsing and serving your mail (performance of a contract).
- To keep it secure and working — abuse prevention, debugging, capacity (legitimate interests).
- Optional integrations — Telegram/webhook delivery you explicitly configure (consent).
4. Where it's processed
Mail and account data are processed and stored in the European Union (Google Cloud, region europe-west4, the Netherlands). The marketing site is served via Cloudflare's global CDN.
5. Sub-processors
We rely on a small set of providers to run Mailjar:
- Google Cloud (EU) — hosting, database and object storage for captured mail.
- Google Cloud Vertex AI (EU) — used as a fallback to extract values (e.g. an OTP) when the regex fast-path can't. Processed in-region; not used to train Google's models.
- Google Identity Services — sign-in.
- Cloudflare — DNS and hosting for this marketing site.
- Telegram / your webhook endpoints — only if you connect them, and only to deliver your notifications.
6. How long we keep it
- Captured messages are deleted automatically after about 30 days.
- Inactive addresses are released after about 90 days with no incoming mail.
- Account & usage data are kept while your account is active and deleted on request.
7. What we don't do
We don't sell your data. We don't use the content of your email to train AI models or for advertising. We share data only with the sub-processors above, and only as needed to run the service or comply with the law.
8. Controller / processor
For your account data, Mailjar is the controller. For the content of the mail you capture, you are the controller and Mailjar is your processor: we process it on your instructions to provide the service, apply the retention above, and don't use it for our own purposes. If you need a data-processing agreement, email [email protected].
9. Security
Traffic is encrypted in transit (TLS). Data is stored in the EU with access controls. Addresses are private and exclusive — there are no public, guessable inboxes. Email HTML is rendered in a sandboxed, script-disabled frame with remote content blocked. No system is perfectly secure, but we design for least exposure.
10. Your rights
Under the GDPR you can request access to, correction of, deletion of, restriction of, or a portable copy of your data, and you can object to certain processing. Email [email protected] and we'll act on it. You also have the right to lodge a complaint with your local data-protection supervisory authority.
11. Children
Mailjar is a developer tool and isn't directed at children under 16.
12. Changes
Mailjar is in beta and evolving; we may update this policy. Material changes will be reflected in the "last updated" date, and we'll give notice where appropriate.
Questions? [email protected].