Privacy Policy
Last updated: December 12, 2025
1. Introduction
GetMailer ("we", "our", or "us") is operated by Getia AS, a company registered in Norway (Organization Number: 926 610 198). We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Norwegian data protection laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email API service. It applies to all users of GetMailer, including both our customers (who send emails through our platform) and the recipients of those emails.
Data Controller: Getia AS
Address: Mollergata 6, 8, 0179 Oslo, Norway
Privacy Contact: [email protected]
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required for account creation and communication)
- Name (optional, for personalization)
- Password (stored securely using industry-standard hashing)
- Payment information (processed securely through Stripe - we do not store full card details)
- Company/organization name (optional)
2.2 Email Data
As an email service provider, we process:
- Sender and recipient email addresses
- Email subject lines and content (transmitted for delivery only)
- Email metadata (timestamps, message IDs, delivery status)
- Attachments (transmitted for delivery only)
Important: Email content is processed transiently for delivery purposes only. We do not read, analyze, or sell the content of your emails.
2.3 Audience/Contact Data
If you use our audience management features, we store:
- Contact email addresses
- Names and custom fields you choose to store
- Subscription status and preferences
- Engagement data (opens, clicks, unsubscribes)
2.4 Usage Data
We automatically collect:
- API request logs (endpoints accessed, timestamps, response codes)
- Delivery statistics (sent, delivered, bounced, complained)
- IP addresses (for security and fraud prevention)
- Browser/device information when accessing our dashboard
3. Legal Basis for Processing (GDPR Article 6)
We process personal data under the following lawful bases:
Contract Performance (Article 6(1)(b))
Processing necessary to provide our email delivery service, manage your account, process payments, and fulfill our contractual obligations.
Legitimate Interests (Article 6(1)(f))
Processing for service improvement, security, fraud prevention, and analytics. We balance our interests against your rights and freedoms.
Legal Obligation (Article 6(1)(c))
Processing required to comply with anti-spam laws, tax obligations, and legal requests from authorities.
Consent (Article 6(1)(a))
For marketing communications and optional features. You may withdraw consent at any time without affecting prior processing.
4. How We Use Your Information
- Service Delivery: To send, deliver, and track emails on your behalf
- Account Management: To create, maintain, and secure your account
- Billing: To process payments and send invoices
- Support: To respond to inquiries and provide technical assistance
- Compliance: To enforce anti-spam policies and prevent abuse
- Analytics: To provide delivery statistics and engagement metrics
- Security: To detect and prevent fraud, abuse, and security threats
- Improvement: To analyze usage patterns and improve our service
5. Your Rights Under GDPR
As a data subject, you have the following rights:
Right of Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restriction (Article 18)
Request limitation of processing in certain circumstances.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
How to Exercise Your Rights
Submit a request through our Data Subject Request Portal or email us at [email protected]. We will respond within 30 days as required by GDPR. If your request is complex, we may extend this by an additional 60 days with notice.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
- Standard Contractual Clauses: EU-approved contractual terms with our processors
- Supplementary Measures: Additional technical and organizational measures where required
Our Sub-Processors
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services | Email infrastructure (SES) | EU (Ireland) | EU Region |
| Stripe | Payment processing | US/EU | SCCs + DPF |
| Vercel | Application hosting | US/EU | SCCs |
| Railway | Database hosting | US | SCCs |
7. Data Retention
We retain personal data only for as long as necessary:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision |
| Email content | Transient (delivery only) | Email delivery |
| Email metadata | 90 days | Analytics & debugging |
| Delivery logs | 30 days | Troubleshooting |
| Suppression list | Indefinite | Legal compliance (anti-spam) |
| Consent records | 7 years after withdrawal | Legal compliance (proof) |
| Security logs | 1 year | Security & fraud prevention |
| Billing records | 7 years | Tax/accounting requirements |
8. Data Security
We implement comprehensive security measures including:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication
- Infrastructure: SOC 2 Type II compliant hosting, regular security audits
- Monitoring: 24/7 security monitoring, intrusion detection
- Password Security: Bcrypt hashing with salting
- API Security: Rate limiting, API key rotation, request signing
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33-34.
10. Children's Privacy
GetMailer is a business service not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice on our service at least 30 days before changes take effect. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. For Norway, this is:
Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum
0105 Oslo, Norway
Website: www.datatilsynet.no
13. Contact Us
For any privacy-related questions or to exercise your rights:
Getia AS
Mollergata 6, 8
0179 Oslo, Norway
Privacy Email: [email protected]
Data Subject Requests: Submit a Request
14. For Email Recipients
If you received an email sent through GetMailer and have questions about your data:
- The sender (our customer) is typically the data controller for your email address
- Contact the sender directly for questions about why they emailed you
- Use the unsubscribe link in the email to stop receiving messages from that sender
- Contact us at [email protected] for questions about GetMailer's processing