Privacy Policy
Last updated: May 24, 2026
The short version
We collect what we need to run the service — your account email, the prospects you upload, the emails you send, and basic usage data. We don't sell anything to anyone, ever. You can export or delete everything you've stored at any time.
This page is the legally binding long version. We've kept it as plain as we can.
Who we are
"Xuna" or "we" refers to Xuna Cold Mailer, operated by the developer at the contact address below. "You" means the person or company that signs up for and uses our service at xuna.io or any subdomain.
What we collect
- Account information — your email address and name from Google when you sign in.
- Prospects you upload — names, email addresses, companies, industries, LinkedIn URLs, notes you add. These are stored to power your campaigns.
- Templates and sequences — content you write or import from our library.
- Sent emails and replies — subject, body, send timestamp, opens, clicks, replies, bounces, and reply text we receive on your behalf.
- Connected mailbox tokens — if you connect Gmail, we store an encrypted refresh token so we can send through your account. We never read your inbox.
- Payment information — handled by Razorpay. We see plan, status, and subscription identifiers; we never see card numbers.
- Usage data — features you use, AI personalisations consumed, emails sent, occasional error logs. Used to operate the service and stop abuse.
What we do with it
- Run the product you signed up for — sending emails, personalising them with AI, tracking opens/clicks/replies.
- Process payments and enforce plan limits.
- Send you transactional emails about your account, your campaigns, and material changes to this policy.
- Improve the product — usage patterns help us decide what to build next. We never use your email content to train AI models.
- Comply with legal obligations (responding to lawful requests, retaining records).
What we share with third parties
We use a small set of vendors to operate. Each one sees only what they need to do their job:
- Supabase
  - Hosts our database. Stores your account, prospects, campaigns, etc. Located in your selected region.
- OpenAI
  - Personalises emails. We send the relevant prospect data + template each time you click "AI personalise" or "Quick Send". OpenAI does not retain this data for training (we use their API with retention disabled).
- Resend
  - Sends emails on your behalf when you use our shared sending domain. Sees recipient address, subject, body.
- Google
  - When you connect Gmail, we use Google's Gmail API to send mail. Only the gmail.send scope — we cannot read or modify your inbox.
- Razorpay
  - Processes payments. Sees your billing details. Their privacy policy applies to that data.
- Vercel
  - Hosts our application servers and logs.
- Upstash
  - Hosts the Redis queue we use to schedule outbound email.
We do not sell, rent, or share your data with anyone else. We do not use your data to advertise to you or to anyone else.
Your prospects' data
When you upload a prospect, they are your contact and your responsibility. You promise that you have a legitimate reason to contact them (existing relationship, public business contact, opt-in, etc.) and that your use of Xuna complies with your local anti-spam laws (CAN-SPAM in the US, GDPR in the EU, PECR in the UK, etc.).
We process prospect data on your behalf as a "processor" under GDPR. You are the "controller". We hold the data only to run the service for you and will delete it on your request.
Every email we send on your behalf includes an unsubscribe link. If a recipient unsubscribes, we mark them as such and prevent future sends to that address — even if you try.
Email tracking
By default, emails sent through Xuna's shared domain include a 1×1 tracking pixel and click-tracking on links so you can see opens and clicks. Emails sent through your own Gmail do not include the pixel (deliverability reasons), so opens are not tracked on those.
Recipients can see in their email client that an image was loaded; some email clients (Apple Mail Privacy Protection, Gmail with images blocked) will not fire the pixel.
Security
Connections are encrypted in transit (HTTPS / TLS). Refresh tokens for connected Gmail accounts are encrypted at rest using AES-256-GCM. Database access is restricted by Postgres row-level security — each user can only ever read their own rows.
No system is 100% secure. If we become aware of a breach affecting your data, we will notify affected users without undue delay and at minimum within 72 hours, in line with applicable law.
Data retention
- Active account data — kept as long as your account is open.
- Cancelled account — your data is retained for 30 days in case you reactivate, then permanently deleted.
- Email send logs — kept for 2 years for analytics and compliance.
- Payment records — kept for 7 years to comply with tax and accounting laws.
- Backups — purged within 30 days of deletion.
Your rights
Regardless of where you live, you can:
- See what data we have on you (the dashboard already shows most of it).
- Export your prospects and sent-email records as CSV at any time.
- Correct anything that's wrong.
- Delete your account, which deletes all associated data within 30 days.
- Object to specific processing — email us and we'll work it out.
EU/UK residents additionally have GDPR rights including the right to lodge a complaint with your supervisory authority. California residents have CCPA rights including the right to know what personal information we have and to ask us to delete it.
Children
Xuna is not directed at people under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, please email us and we will remove the account.
International data transfers
Our vendors operate globally. By using Xuna you consent to your data being processed in countries outside your own (typically the United States and the EU). Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
Changes to this policy
If we materially change how we handle your data, we will email you and post an update here at least 14 days before the change takes effect. Continued use of Xuna after that constitutes acceptance.
Contact
Questions, requests, or complaints about privacy: hi@xuna.io. We aim to respond within 5 business days.