BusinessMailer ("we", "us", "our") operates the branded email delivery platform available at businessmailer.org. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By creating an account or using the service you agree to this policy.
1. User accounts
When you register we collect your email address, a hashed password, and an optional display name. We use this information to authenticate you, secure your account, send transactional messages (password reset, receipts, service notices) and provide customer support.
2. Email sending
When you send an email through BusinessMailer we process the recipient address, subject, message body, sender display name, chosen sending domain, and delivery metadata (timestamps, message identifiers, provider responses). We retain sent-email logs so you can review your history, so we can detect abuse, and so we can honor recipient complaints.
3. Connected email accounts
You may optionally connect a personal mailbox (Gmail via OAuth, or any provider via SMTP) to send from your own address. For Gmail we store an OAuth refresh token issued to us with the gmail.send scope only — we cannot read, list, delete or modify your mail. For SMTP accounts we store the SMTP host, port, username and password you provide. All refresh tokens and SMTP passwords are encrypted at rest using AES-GCM before being written to our database and are only decrypted server-side to send a message you initiated. You can disconnect any account at any time, which permanently deletes the stored credentials.
4. AI assistant integrations (MCP)
You may optionally connect an AI assistant (ChatGPT, Claude, or another MCP-compatible client) to your BusinessMailer account through our OAuth 2.1 authorization server. When you do, the assistant receives a scoped access token that lets it call the same tools you already have (list senders, check quota, send an email, etc.) on your behalf. We log every tool invocation to your AI Activity page so you can audit exactly what was done. You can revoke access at any time from AI Integrations. We do not share your data with model providers except as needed to answer the specific request you made.
5. Data we collect automatically
We record standard server logs (IP address, user agent, request path, response status, timestamp) for security, rate limiting and abuse prevention. We do not sell this information.
6. Security
Data in transit is protected with TLS. Sensitive credentials (refresh tokens, SMTP passwords) are encrypted at rest with AES-GCM using a server-only key. Access to production systems is restricted to authorized personnel. Row-Level Security policies ensure users can only read and write their own records.
7. Cookies
We use strictly necessary cookies and local storage to keep you signed in and to remember UI preferences. We do not use third-party advertising cookies.
8. Third-party providers
- Supabase — database, authentication, storage.
- Resend — outbound delivery for emails sent through our verified domains (
businessmailer.org,paypalbusiness.live). - Paystack — subscription and top-up payments (we never see your card details).
- Google — Gmail API for users who connect a Gmail account via OAuth. See our Google API Limited Use Compliance statement for details on how Google user data is handled.
- Cloudflare — application hosting and DDoS protection.
- Lovable AI Gateway — model access for optional AI features (subject/message refinement, deliverability optimizer).
8a. Google API Limited Use
BusinessMailer's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. BusinessMailer does not use Google Workspace user data to develop, improve, or train generalized or foundational AI or machine learning models, and we do not transfer Google user data to third parties for those purposes. Read the full statement on our Google API Limited Use Compliance page.
9. Your rights
You may access, correct, export or delete your data at any time from your profile page, or by contacting us at the address below. Deleting your account permanently removes your profile, connected accounts, and stored credentials; sent-email logs may be retained in anonymized form for abuse prevention.
10. Children
BusinessMailer is not directed to children under 13 and we do not knowingly collect personal information from them.
11. Changes
We may update this policy from time to time. Material changes will be announced in-app. Continued use after an update constitutes acceptance.
12. Contact
Questions or requests: inbox@businessmailer.org.