MailStream

Legal

Privacy Policy

Last updated: May 12, 2026

This Privacy Policy describes how Sponge Labs LLC ("MailStream," "we," "us") collects, uses, discloses, and protects information in connection with the MailStream websites, applications, APIs, and related services (the "Service"). By using the Service, you agree to this Policy together with our Terms of Service.

1. Scope

This Policy applies to visitors to our marketing sites, registered users, API consumers, and anyone who otherwise interacts with us in relation to the Service. If you are a customer processing personal data on behalf of others (for example your end customers or employees), our Data Processing Addendum may also apply.

2. Information we collect

  • Account and billing data: name, company, email, phone, billing address, payment-related metadata (card type and last digits when processed by a payment provider).
  • Service usage and diagnostics: log data, IP address, device and browser type, approximate location derived from IP, timestamps, pages viewed, API request metadata, error reports, and security signals.
  • Customer content for fulfillment: mailing lists, recipient names and addresses, creative assets, job settings, and messages you submit to produce and deliver mail. This often includes personal data about recipients you choose to mail.
  • Communications: content of emails, chat, or support tickets you send us.
  • Referrals and integrations: information from connected tools when you authorize integrations (for example CRM or automation platforms).

3. How we use information

We use information to:

  • Provide, operate, secure, and improve the Service;
  • Process payments and fulfill print and postal orders;
  • Verify addresses and comply with postal and carrier requirements;
  • Provide support and respond to requests;
  • Send service-related notices and, where permitted, marketing (you may opt out of marketing);
  • Detect, prevent, and investigate fraud, abuse, and security incidents;
  • Comply with legal obligations and enforce our agreements;
  • Analyze usage in aggregate or de-identified form.

4. Legal bases (EEA, UK, and similar jurisdictions)

Where GDPR or UK GDPR applies, we rely on one or more of: performance of a contract; legitimate interests (for example securing the Service, understanding product usage, and direct marketing to business contacts where appropriate); consent where required; and legal obligation. You may object to processing based on legitimate interests as described below.

5. How we share information

We share information with:

  • Service providers and subprocessors who assist with hosting, printing, postage, presort, address verification, analytics, customer support, email delivery, and payment processing, bound by confidentiality and data-processing terms where applicable;
  • Carriers and postal authorities as required to deliver mail;
  • Professional advisors (lawyers, accountants) under confidentiality;
  • Authorities when required by law, legal process, or to protect rights, safety, and security.

We may disclose or transfer information in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality arrangements.

6. International transfers

We may process information in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards (for example standard contractual clauses approved by relevant regulators) for cross-border transfers.

7. Retention

We retain information for as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Fulfillment records may be retained for accounting, postal compliance, and dispute resolution. Marketing preferences are honored until you change them.

8. Security

We implement administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, or alteration. No method of transmission over the Internet is completely secure.

9. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, or to data portability. You may also withdraw consent where processing is consent-based. To exercise rights, contact hello@mailstream.app. We will respond in line with applicable law. You may lodge a complaint with your local supervisory authority.

Marketing emails include an unsubscribe link. Service-related messages may continue where necessary.

10. Cookies and similar technologies

We and our partners may use cookies, pixels, and local storage for essential operation, preferences, analytics, and (where allowed) advertising. You can control cookies through your browser settings; some features may not work if cookies are disabled.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. Contact us if you believe we have collected a child's information in error.

12. U.S. state privacy notices

Residents of certain U.S. states may have additional rights regarding personal information under local laws (for example access, deletion, correction, opt-out of sale or sharing, and appeal). We do not "sell" personal information in the conventional sense of exchanging data for money; we may use cookies or pixels that constitute "sharing" for cross-context behavioral advertising under some laws where you can opt out via browser controls and industry tools. To submit a request, email hello@mailstream.app with your state of residence and a description of your request. We will verify your identity before responding.

13. Changes to this Policy

We may update this Policy from time to time. We will post the revised version here and update the "Last updated" date. Where changes are material, we will provide additional notice as appropriate.

Privacy inquiries: hello@mailstream.app.