S
Sendersy
Home

Privacy Policy

Last updated: 2026-05-18

This Privacy Policy explains how Sendersy collects, uses, stores, and protects personal data, and how data subjects can exercise their rights. It complies with Federal Law No. 152-ФЗ «On Personal Data» of the Russian Federation and with Regulation (EU) 2016/679 (the GDPR) for data subjects located in the EU/EEA. UK GDPR rights are honoured on the same terms.

1. Data controller (operator)

  • Name: Spiridonov Dmitry Vadimovich (Individual Entrepreneur registered in the Russian Federation)
  • OGRNIP: 324762700012347
  • INN: 760806658219
  • Email for data-protection matters: support@sendersy.com
  • Postal address: available on written request to support@sendersy.com.

The Provider acts as data controller in respect of data about Customers (Account holders) and as data processoron behalf of Customers in respect of email recipient data they upload or process through the Service.

2. Categories of data subjects and data we process

2.1 Customer Account data

  • Email address; password hash (argon2id, 19 MiB memory cost); display name; preferred locale.
  • Workspace name; Organisation slug; creation date.
  • API key prefixes and hashes (the original key is shown once on creation and never stored).
  • Sender domains, DKIM keypairs, verification statuses.
  • Billing email (if different from login email); selected Plan.

2.2 Operational and engagement data

  • Email send logs: from / to addresses, subject, tags, timestamps, delivery status, bounce/complaint flags.
  • Engagement events: opens and clicks with truncated IP address, user-agent, timestamp.
  • Suppression list: addresses that bounced or unsubscribed.
  • Audit log: sensitive Account actions (login, API-key creation, settings changes) with IP and user-agent.

2.3 Technical data

  • IP address (truncated to /24 IPv4 or /48 IPv6 in analytics; full IP in security audit log).
  • Session cookies (HTTPS, HttpOnly, Secure, SameSite=Lax).
  • Browser user-agent string.

The Provider uses Yandex.Metrika (counter 109290717) for aggregated traffic and advertising-conversion analytics across the site. The Metrika tag loads on all pages. We do not use behavioural advertising or social-tracking pixels, and no personal data is sold or shared with advertisers. You can opt out at the provider level via Yandex's settings or by blocking the mc.yandex.ru script.

3. Purposes and legal bases of processing

PurposeLegal basis (GDPR)Legal basis (152-ФЗ)
Operate the Service and perform the agreementArt. 6(1)(b) — contractСт. 6 ч.1 п.5 — исполнение договора
Secure the Service, prevent abuse, audit logArt. 6(1)(f) — legitimate interestСт. 6 ч.1 п.7 — законные интересы оператора
Send transactional account messages (verify-email, password reset, billing)Art. 6(1)(b) — contractСт. 6 ч.1 п.5 — исполнение договора
Comply with tax, accounting, AML lawsArt. 6(1)(c) — legal obligationСт. 6 ч.1 п.2 — обязанности по закону
Product-improvement analytics (aggregated)Art. 6(1)(f) — legitimate interestСт. 6 ч.1 п.7 — законные интересы
Marketing communicationsArt. 6(1)(a) — consentСт. 9 — согласие субъекта

Consent given for marketing may be withdrawn at any time via the unsubscribe link in our emails or by contacting support@sendersy.com.

4. Sources of data

All personal data is collected directly from the data subject — either by Customer registration / use of the Service, or from email recipients via engagement tracking. We do not buy or scrape data.

5. Sub-processors and recipients

  • Infrastructure: VPS providers in Stockholm (Sweden, EU) and Tallinn (Estonia, EU).
  • SMTP backbone: Self-hosted Postal on our infrastructure.
  • Inbound mail: Self-hosted Mailcow on our infrastructure.
  • Payments: Stripe Payments Europe Ltd. (Ireland) for non-RU customers; ЮKassa (Yandex.Checkout, Russia) for RU customers. Card data is processed by the payment provider — we receive only a non-reversible payment token.
  • DNS verification: resolved via independent public DNS resolvers (Quad9 9.9.9.9, Google 8.8.8.8) — no Cloudflare, no personal data is transmitted, only the hostname being verified.

We do not transfer personal data to advertising or social-tracking vendors.

6. Cross-border transfers

Where Customer or recipient data is hosted on EU infrastructure, the Provider relies on the EU adequacy framework or — for transfers from the EU to the Russian Federation when applicable — on Standard Contractual Clauses (Commission Decision 2021/914) and on the consent of the data subject pursuant to ст. 12 of 152-ФЗ.

7. Retention

  • Email send logs: 30 days (paid Plans) / 7 days (Free).
  • Engagement events: 90 days, then aggregated.
  • Suppression list: indefinitely (until the Customer removes an entry) — required to honour unsubscribes.
  • Audit log: 12 months.
  • Account data: until the Account is deleted by the Customer, then permanently erased within 30 days, except where retention is required by tax law (financial documents — 4 years).
  • Inbox messages stored on Mailcow: retained according to the Customer's mailbox quota and explicit user actions (move to Trash, delete).

8. Data subject rights

Subjects in the EU/EEA, UK, and the Russian Federation may exercise the following rights:

  • Access to personal data (GDPR Art. 15, 152-ФЗ ст. 14): export available from Dashboard → Settings → Danger zone → Export, or on request.
  • Rectification (Art. 16, ст. 14 ч. 1 пп. 4–5): editable in Dashboard → Settings.
  • Erasure («right to be forgotten», Art. 17, ст. 21): delete the Account in Dashboard → Settings → Danger zone, or write to support@sendersy.com.
  • Restriction of processing (Art. 18).
  • Portability (Art. 20): exports are machine-readable JSON.
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time without affecting prior lawful processing (Art. 7(3), 152-ФЗ ст. 9 ч. 2).
  • Complaint to a supervisory authority: in Russia — Roskomnadzor (rkn.gov.ru); in the EU — local DPA; in the UK — ICO.

Requests are answered within 30 days. Identity verification may be required.

9. Security measures

  • Passwords hashed with argon2id (memory-hard, 19 MiB cost, 32-byte output).
  • API keys hashed with argon2id; the original key is shown once and never stored.
  • Mailbox passwords for the in-app inbox encrypted at rest with AES-256-GCM using HKDF-derived keys from AUTH_SECRET.
  • All transport over TLS 1.2+ with HSTS preload; CSP, X-Content-Type-Options, X-Frame-Options, Permissions-Policy headers enforced.
  • Webhook payloads signed with HMAC-SHA256.
  • Rate limits, idempotency keys, SSRF protections, optional IP allowlists.
  • Backups encrypted; access to production restricted by SSH key + 2FA where supported.
  • Internal audit log of sensitive actions (logins, API-key creation, settings changes).

10. Automated decision-making

The Provider does not use personal data for automated decision-making with legal or significant effects on the data subject (GDPR Art. 22). Abuse detection uses statistical heuristics, but final suspension decisions are taken with human review.

11. Children

The Service is not directed to persons under 16 years of age in the EU/EEA (and under 14 in the Russian Federation). We do not knowingly collect data from minors. If you become aware that a minor has provided us with personal data, please contact support@sendersy.com; we will delete it promptly.

12. Roskomnadzor registration

The Provider is registered with the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) as an operator of personal data, in accordance with art. 22 of Federal Law 152-ФЗ.

13. Changes

Material changes to this Policy are notified by email at least 14 days in advance. The current version is always at sendersy.com/legal/privacy with the effective date below.

14. Contact

Questions about data protection, privacy, or abuse reports: support@sendersy.com

Effective from 2026-05-18.