Legal

Privacy Policy

Effective date: 1 January 2025 · Last updated: 17 June 2026

1. Who we are

JS2Mail is an email dispatch API operated by Atlas Network Teknolojileri A.Ş. Our registered address and contact details are available at hello@js2mail.dev. We are the data controller for account and billing data, and act as a data processor for email content you send through our API.

2. What data we collect

Account data
Name, email address, password hash. Required to identify you and secure your account.
Mailbox credentials
OAuth refresh tokens or SMTP credentials you connect. Encrypted at rest with AES-256-GCM. Never logged in plaintext.
Send logs
Timestamp, recipient domain, status (delivered / failed / queued), message ID. Retained 30 days on free plans, 90 days on paid plans.
Message content
Passed through to your connected mailbox provider and immediately discarded. We do not store body text or attachments.
Billing data
Handled entirely by Stripe. We store only a Stripe customer ID — no raw card numbers.
Usage metrics
Request counts, error rates, latency. Aggregated and anonymised after 90 days.

3. How we use your data

  • To authenticate you and secure your account.
  • To dispatch emails through your connected mailbox on your instruction.
  • To detect abuse, enforce rate limits, and protect the platform.
  • To send transactional emails (receipts, password resets, quota warnings). No marketing without explicit opt-in.

3a. Form endpoint data (contact forms)

When a website visitor submits a form that posts to a JS2Mail /f/ endpoint, the submitted fields (typically name, email address, and message) pass through our servers.

Who is the data controller?
The website owner who created the form endpoint. They determine what fields to collect and how the data is used. JS2Mail acts solely as a data processor on their instruction.
What do we do with the data?
We validate the submission, apply spam filtering, and forward it to the website owner's connected mailbox. We do not use form data for our own purposes, analytics, or marketing.
How long is it retained?
Submission metadata (timestamp, status, sender IP hash) is retained in send logs for 30 days on free plans and 90 days on paid plans — the same as API sends. The message body is not stored after delivery.
Spam filter (honeypot)
We inspect a hidden honeypot field to reject automated submissions. No machine-learning profiling of content is performed.
KVKK / GDPR responsibility
Website owners are responsible for informing their own visitors that form data is processed by JS2Mail as a sub-processor. A one-line disclosure in the site's own privacy policy is sufficient: "Form submissions are processed by JS2Mail (js2mail.dev) and forwarded to our inbox."

4. Data sharing

We do not sell your data. We share it only with:

  • Your mailbox provider (Google, Microsoft, your SMTP host) — to dispatch the mail you requested.
  • Stripe — for payment processing.
  • Hetzner / AWS — infrastructure hosting in the EU (Frankfurt).
  • Law enforcement — only when required by a valid legal order.

4a. Google & Microsoft API limited use

When you connect a Gmail or Microsoft 365 mailbox, JS2Mail requests OAuth access to that mailbox solely to operate the features you ask for. JS2Mail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The equivalent commitments apply to data received through the Microsoft Graph API.

Scopes we request
Google: gmail.send + gmail.readonly. Microsoft: Mail.Send + Mail.Read (plus openid/email/offline_access for sign-in and token refresh). We request the minimum needed for the two functions below.
Send (gmail.send / Mail.Send)
Used only to deliver the specific messages you dispatch through the API or dashboard, on your explicit instruction. We never send mail you did not initiate.
Read (gmail.readonly / Mail.Read)
Used only to detect bounce / non-delivery reports (NDRs) that arrive in your connected mailbox, so we can mark the matching send as bounced. We do not read, index, profile, store, or human-review the rest of your mailbox.
No ads, no training
We do not use mailbox data for advertising, and we do not use it to train, fine-tune, or develop generalised AI / ML models.
No human access
No human reads your mailbox data except (a) with your explicit consent, (b) for security/abuse investigation, (c) to comply with applicable law, or (d) where the data is aggregated and anonymised. Message bodies are discarded immediately after delivery; only bounce status is retained, alongside the send-log retention windows in §2.
Transfer
Mailbox data is not transferred to third parties except your own mailbox provider to deliver the mail, as required by law, or as part of a merger/acquisition with equivalent protections.

You can revoke JS2Mail's access at any time from Google Account → Security → Third-party access or Microsoft Account → Privacy, or by deleting the mailbox in Dashboard → Connections.

5. Your rights (GDPR)

If you are in the EU or UK you have the right to access, correct, port, or delete your data. You can exercise these rights from Dashboard → Settings → Data, or by emailing privacy@js2mail.dev. We respond within 72 hours and fulfil requests within 30 days.

6. Cookies

We use a single session cookie for authentication and a js2mail.theme key in localStorage for your dark/light preference. No third-party tracking or advertising cookies.

7. Changes to this policy

Material changes will be emailed to account holders at least 14 days before taking effect. Minor clarifications (grammar, formatting) may be updated without notice.

Questions? Email privacy@js2mail.dev