Privacy Policy

Last updated: March 8, 2026

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

PROXALY OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia
Registration number: 16726093
VAT ID: EE102611229
Email: info@proxaly.com
Managing Director: Daniel Held

A data protection officer has not been appointed, as the requirements under Art. 37 GDPR are not met.

2. Overview of Data Processing

We process personal data of our users to the extent necessary for the provision of our email sending service "emlyx" (hereinafter "Service"). The Service encompasses the domains emlyx.eu, app.emlyx.eu, and webmail.emlyx.eu.

In the following, we inform you pursuant to Art. 13 GDPR about the nature, scope, and purpose of the processing of personal data within our Service.

3. Legal Bases for Processing

We process personal data on the basis of the following legal grounds:

  • Art. 6(1)(a) GDPR (Consent) – Where you have given us consent to process your data, e.g., for optional open tracking and click tracking.
  • Art. 6(1)(b) GDPR (Performance of a contract) – Where the processing is necessary for the performance of our contract with you, in particular for registration, provision of the Service, and email sending.
  • Art. 6(1)(c) GDPR (Legal obligation) – Where the processing is necessary for compliance with a legal obligation, e.g., tax retention obligations.
  • Art. 6(1)(f) GDPR (Legitimate interest) – Where the processing is necessary for the purposes of our legitimate interests, in particular for ensuring IT security, logging, and abuse detection.

4. Data Collected in Detail

4.1 Registration and User Account

During registration, we collect and process the following data:

  • Name
  • Email address
  • Password (stored exclusively as a bcrypt hash; the plaintext password is not stored)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Creation and management of your user account, authentication.

4.2 Project Data

For the setup of projects, we process:

  • Domain and subdomain
  • API token (stored with AES-256 encryption)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Provision of the email sending service, assignment of emails to projects.

4.3 Email Data

When sending emails through our Service, we process:

  • Sender address
  • Recipient address
  • Subject
  • Email content (HTML body)
  • Delivery status (e.g., delivered, failed, bounce)
  • Sending timestamp

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Execution of email sending, delivery logging, troubleshooting.

4.4 Webmail Contacts

In the webmail client, you can create contacts. In doing so, we process:

  • Name
  • Email address
  • Notes (optional)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Management of your contacts in the webmail client.

4.5 Signatures

You can create and save email signatures. In doing so, we process the HTML signature text.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Provision of the signature feature in the webmail client.

4.6 Open Tracking and Click Tracking (Optional)

If you activate this feature, the following data is collected:

  • Open tracking: A tracking pixel embedded in the email records whether and when the recipient opened the email.
  • Click tracking: Links in the email are rewritten to record whether and when the recipient clicked on a link.

Legal basis: Art. 6(1)(a) GDPR (consent). This feature is disabled by default and must be consciously activated by the user.
Purpose: Statistical analysis of email sending.
Note: As a user of our Service, you are solely responsible for obtaining the necessary data protection consent from email recipients if you activate open or click tracking.

4.7 Server Log Files

Each time our Service is accessed, the following data is automatically logged:

  • IP address of the accessing device
  • Date and time of access
  • Accessed URL
  • HTTP status code
  • Amount of data transferred
  • Browser type and operating system (user agent)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Legitimate interest: Ensuring IT security, detection and prevention of attacks, troubleshooting.
Retention period: Log files are automatically deleted after 14 days.

5. Payment Processing

For the processing of paid subscriptions, we use the payment service provider Stripe.

Stripe, Inc.
354 Oyster Point Blvd, South San Francisco, CA 94080, USA

Payment data (e.g., credit card number, expiration date) is collected and processed exclusively by Stripe. We do not store any payment data on our servers. We only receive confirmation information from Stripe about the payment status and an anonymized reference (e.g., the last four digits of your card).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Purpose: Processing of payments for paid plans.

Stripe is certified under the EU-US Data Privacy Framework (DPF). For more information about data protection at Stripe, please visit: stripe.com/privacy.

6. Use of Third-Party Providers (Processors)

To provide our Service, we use the following third-party providers as processors pursuant to Art. 28 GDPR:

6.1 Resend – Email Delivery

Resend, Inc.
2261 Market Street #5039, San Francisco, CA 94114, USA

Purpose: Technical delivery of emails sent through our Service.
Data transferred: Sender, recipient, subject, email content, delivery status.
Legal basis for transfer: Art. 28 GDPR (data processing) in conjunction with Art. 6(1)(b) GDPR.
Third-country transfer: Resend is certified under the EU-US Data Privacy Framework (DPF) (adequacy decision pursuant to Art. 45 GDPR). Additionally, EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place as a safeguard.

More information: resend.com/legal/dpa.

6.2 Stripe – Payment Processing

Stripe, Inc.
354 Oyster Point Blvd, South San Francisco, CA 94080, USA

Purpose: Processing of payments for paid subscriptions.
Data transferred: Payment data (collected directly by Stripe), email address, name.
Legal basis for transfer: Art. 6(1)(b) GDPR (performance of a contract).
Third-country transfer: Stripe is certified under the EU-US Data Privacy Framework (DPF) (adequacy decision pursuant to Art. 45 GDPR). Additionally, EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place as a safeguard.

More information: stripe.com/privacy.

6.3 Hetzner – Hosting

Hetzner Online GmbH
Industriestr. 25, 91710 Gunzenhausen, Germany

Purpose: Provision of the server infrastructure for our Service.
Data transferred: All data processed in connection with the use of the Service is stored on Hetzner servers in Germany.
Legal basis: Art. 28 GDPR (data processing) in conjunction with Art. 6(1)(b) GDPR.
Third-country transfer: None. The servers are located in Germany (EU).

More information: hetzner.com/de/legal/privacy-policy.

7. Data Transfer to Third Countries

In the course of providing the Service, personal data is transferred to recipients in the USA (Resend, Stripe). The transfer is based on the adequacy decision of the European Commission for the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR.

Both service providers are certified under the DPF and have committed to complying with the DPF principles. The certification can be verified at dataprivacyframework.gov/list.

Additionally, we have agreed on EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR with both service providers. These serve as an additional safeguard in the event that the adequacy decision is revoked or restricted.

8. Cookies and Similar Technologies

Our Service uses exclusively technically necessary cookies. Consent is not required for these (§ 25(2) No. 2 TDDDG).

Cookie | Purpose | Retention Period
session | Session management (Laravel). Enables the assignment of your requests to your user account. | End of session or 2 hours
XSRF-TOKEN | Protection against cross-site request forgery attacks (CSRF protection). | End of session or 2 hours

Legal basis: § 25(2) No. 2 TDDDG (technical necessity) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in the security and functionality of the Service).

We do not use analytics cookies, advertising cookies, or tracking cookies. No Google Analytics or comparable analytics service is used.

9. Retention Period

We store personal data only for as long as necessary for the respective processing purpose or as required by statutory retention obligations.

Data Category | Retention Period
Account data (name, email, password hash) | Until account deletion + 30 days
Project data (domain, API token) | Until account deletion + 30 days
Email logs (sender, recipient, subject, status) | Until account deletion + 30 days
Email content (HTML body) | Until account deletion + 30 days
Webmail contacts and signatures | Until account deletion + 30 days
Server log files | 14 days
Payment data (at Stripe) | In accordance with Stripe's policies

After expiry of the respective retention period, data is automatically deleted or anonymized, unless statutory retention obligations prevent deletion.

10. Your Rights as a Data Subject

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to obtain information about the personal data stored about you.
  • Right to rectification (Art. 16 GDPR): You have the right to have inaccurate or incomplete personal data rectified.
  • Right to erasure (Art. 17 GDPR): You have the right to request the erasure of your personal data, provided the conditions of Art. 17 GDPR are met.
  • Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing of your personal data.
  • Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you have the right to withdraw that consent at any time with effect for the future. The lawfulness of processing carried out before the withdrawal remains unaffected.

To exercise your rights, you can contact us at any time: info@proxaly.com.

11. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you infringes the GDPR (Art. 77 GDPR).

The supervisory authority responsible for us is:

Andmekaitse Inspektsioon (Estonian Data Protection Authority)
Väike-Ameerika 19, 10129 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: www.aki.ee

You may also contact the data protection supervisory authority of your habitual residence or place of work.

12. Obligation to Provide Personal Data

The provision of your name, email address, and a password is required for registration and use of our Service. Without this information, we cannot conclude the contract with you and cannot provide the Service.

The activation of open tracking and click tracking is voluntary and not required for the use of the Service.

13. Automated Decision-Making

Automated decision-making, including profiling, pursuant to Art. 22 GDPR does not take place.

14. Data Processing (Art. 28 GDPR)

To the extent that you use our Service for processing personal data of third parties (e.g., email addresses of your customers or website visitors), you act as a controller within the meaning of Art. 4(7) GDPR. We act as a processor pursuant to Art. 28 GDPR in this regard.

The details of data processing are set out in the Data Processing Agreement (DPA) available at emlyx.eu/dpa, which becomes part of the contract upon registration.

15. SSL/TLS Encryption

Our Service uses SSL or TLS encryption for security purposes and to protect the transmission of confidential content. You can recognize an encrypted connection by the browser address bar changing from "http://" to "https://" and the lock icon in your browser bar.

16. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to changed legal requirements or in the event of changes to the Service and data processing. The current version is always available at emlyx.eu/privacy.