Last updated — May 2, 2026
This Privacy Policy describes how Posthawk ("I", "me", or "my") handles personal data when you use the email infrastructure platform. Posthawk is operated by Sukses360, a company registered in the United Kingdom — Sukses360 is the data controller for personal data I process on the cloud edition. Posthawk is offered in two modes: a managed cloud service hosted by me at app.posthawk.dev, and a self-hosted edition that you run on your own infrastructure. Where the policy differs by mode, I say so explicitly. If you self-host, you are the data controller for the personal data inside your deployment; I have no access to it.
When you create an account, I collect your name, email address, and authentication credentials (password hashed via Supabase Auth, or an OAuth identifier). When you add a sending domain, I store the domain name, DNS verification records, and an internal key pair for DKIM. When you send mail through the cloud, I process the recipient list, sender identity, subject, headers, and body so that the worker can dispatch the message via AWS SES. I retain a record of every send (a row in email_logs) along with delivery, bounce, complaint, open, and click events. If you opt into the in-dashboard AI assistant, the prompt content you submit is forwarded to the model provider via OpenRouter. If you pay for a plan, Stripe stores the billing details on its own infrastructure (I never see card numbers).
Account data, workspace data, contacts, templates, and email logs sit in a managed Postgres database hosted by Supabase in Frankfurt (EU). The worker that dispatches mail runs on Hetzner Cloud in Nuremberg (EU). Outbound mail is delivered through AWS SES in either us-east-1 (US East, N. Virginia) or eu-north-1 (EU North, Stockholm) — the region is locked at domain creation. Inbound receiving runs through AWS SES eu-west-1 (Ireland) because eu-north-1 does not support inbound. The marketing site, dashboard, and docs are hosted by Vercel on a global edge network. Where data crosses borders to a US-based subprocessor, the transfer relies on EU Standard Contractual Clauses or the EU-U.S. Data Privacy Framework as applicable.
Postgres data sits behind Supabase's AES-256 disk-level encryption with row-level security on every table. API keys are bcrypt-hashed at creation and shown to you exactly once. Webhook secrets and tokens live in plaintext columns inside the same encrypted database, gated by RLS — only the workspace that created them can read them. Connections use TLS 1.2 or higher. Outbound SES traffic enforces TLS. The worker, dashboard, and SMTP relay run inside the Hetzner perimeter; secrets pass through environment variables, never committed to source. Two-factor authentication (TOTP) is available for every account.
I use a small set of third parties to operate the cloud: Supabase (database), Hetzner (worker compute), AWS (SES + SNS for mail), Vercel (web hosting), Cloudflare (DNS, Turnstile, inbound routing), Stripe (billing), OpenRouter (AI assistant gateway), and Mails.so (optional email validation). The complete list with locations and what each one receives is at /subprocessors. I notify customers of new or replaced subprocessors at least 30 days before they handle production data, except where the change is required to address an active security incident.
Email privacy@posthawk.dev with the request and the email address on the account. I respond within 30 days. For erasure, deleting your account from the dashboard already wipes most data immediately; the email and its bcrypt hash linger for a short window inside Supabase Auth before tombstoning. Self-hosted users handle their own DSAR responses — I have no copy of your data to act on.
Posthawk is not intended for, marketed to, or knowingly used by children under 16 in the EEA / UK or under 13 in the US. I do not knowingly collect personal data from children. If you believe a child has created an account, email privacy@posthawk.dev and I will close it.
The marketing site uses cookies for two things only: a strictly necessary consent-preference cookie, and — only after you click "Accept" on the banner — Google Analytics 4 and Umami for aggregate visitor analytics. The dashboard uses session cookies set by Supabase Auth (strictly necessary). I do not run advertising trackers, remarketing pixels, or session-replay recorders. Full breakdown at /cookies.
If I detect a personal-data breach that is likely to result in a risk to your rights and freedoms, I will notify the responsible supervisory authority within 72 hours and notify affected account owners by email without undue delay, with the information GDPR Article 34 requires.
I may update this Privacy Policy as the platform evolves. Material changes will be announced by email to active account owners at least 14 days before they take effect, except where the change is required to comply with a new legal obligation. The "Last updated" date at the top of this page always reflects the current version.
Privacy questions, data-subject requests, or concerns about how I handle your information — privacy@posthawk.dev. General support — support@posthawk.dev. Abuse reports — abuse@posthawk.dev.