Privacy Policy
Last updated: June 2026
This policy describes how MailAgent (“we”) handles information when you use
webmailagent.com, the hosted API at
api.webmailagent.com, or related console pages. Self-hosted deployments
under the MIT license are operated by you — this policy applies to the hosted service we run.
What we collect
- Account & API data — team name, API key hashes, scoped key metadata, plan tier, usage counters.
- Temporary inbox content — email messages delivered to disposable addresses you create (subject, body, headers, attachments within plan limits) until deleted or expired.
- Audit & operations — API actions your keys perform (timestamps, resource ids, IP-derived rate-limit keys) per audit retention.
- Enterprise secrets — Resend API keys you provide are encrypted at rest; we do not log plaintext keys.
- Website analytics — Google Analytics on the marketing site (page views, coarse device/browser data). Docs and console pages may load the same tag when embedded from the landing setup.
Why we use it
- Provide temporary inboxes, OTP/magic-link extraction, MCP tools, and console features.
- Enforce plan limits, rate limits, and abuse prevention.
- Operate enterprise features (custom domains, dedicated Resend, outbound send).
- Improve reliability and understand aggregate product usage.
Who receives data
We use infrastructure providers that process data on our behalf:
- Cloudflare — Workers, R2 (raw MIME / attachments), KV (rate limits).
- Neon — Postgres (teams, inboxes, audit, domains metadata).
- Resend — inbound/outbound email for hosted and per-team enterprise mail.
- Auth0 — optional OIDC browser login for MCP (identity tokens only; no mailbox content).
- Google Analytics — marketing analytics as described above.
We do not sell personal data.
Retention
- Inboxes & messages — until you delete the inbox or messages age out per plan/TTL.
- Audit events — configurable retention (default 90 days); see AUDIT_RETENTION_DAYS in self-host docs.
- API keys — until revoked.
Your choices
- Delete inboxes and team keys via API or dashboard.
- Self-host with no hosted data transfer: Integrate guide.
- Request access, correction, or deletion of hosted account data: hello@webmailagent.com.
Security
See Security & compliance and SECURITY.md for vulnerability reporting.
Changes
We may update this page; material changes will be reflected in the “Last updated” date.
Contact: hello@webmailagent.com