Privacy Policy
Last updated: 16 April 2026
Your privacy is important to us. This Privacy Policy explains how MailGraf Digital Ltd ("MailGraf", "we", "us") collects, uses, stores, shares and protects personal information when you visit our website at https://mailgraf.com or use our email marketing platform.
MailGraf Digital Ltd is a company registered in England and Wales (Company No. 13282175) with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
This policy applies to all visitors, customers and users of the MailGraf website and platform. It does not apply to third-party websites we may link to. If our site contains links to other websites, we encourage you to read their privacy policies before providing any personal information.
This policy is effective as of 16 April 2026.
1. Definitions
- "Personal information" means any information that can be used to identify you, directly or indirectly, such as your name, email address, IP address or device identifiers.
- "Customer" means an individual or organisation that creates a MailGraf account and uses our email marketing platform.
- "Subscriber" or "Contact" means a person whose email address or personal data is stored in a customer's contact list on the MailGraf platform. If you are a subscriber on one of our customers' lists, that customer is the data controller for your personal information. Please refer to their own privacy policy for details on how they handle your data.
- "Processing" means any operation performed on personal data, including collection, storage, use, transfer, modification and deletion.
2. Who is this policy addressed to?
This policy covers two distinct groups:
Website visitors and customers: If you visit our website, fill in a form, subscribe to our newsletter or create a MailGraf account, we are the Data Controller for your personal information. This policy explains how we handle that data.
Subscribers on our customers' email lists: If you receive emails from one of our customers through the MailGraf platform, the customer (not MailGraf) is the Data Controller for your personal data. MailGraf acts as a Data Processor on behalf of the customer. We process subscriber data only as instructed by the customer and in accordance with our Data Processing Agreement (DPA). We do not sell, rent or share your subscriber data with any third party for their own marketing purposes.
3. Information we collect
3.1 Information you voluntarily provide
We collect personal information when you interact with our website or services, including when you:
- Fill in a contact form or request a quote (name, email, phone number, company name, message)
- Subscribe to our newsletter (email address)
- Create a MailGraf account (name, email, company details)
- Contact us by email or through social media
3.2 Information collected automatically
When you visit our website, our servers and third-party services may automatically collect:
- Log data: IP address, browser type and version, operating system, pages visited, time and date of visit, time spent on each page, referring URL
- Device data: device type, screen resolution, unique device identifiers, approximate geographic location derived from IP address
- Cookie data: Please see our Cookie Policy for details on the cookies and tracking technologies we use
3.3 Information we do not collect
We do not directly collect or store credit card numbers or payment card data. All payment processing is handled by our payment providers, Stripe and PayPal. Both are PCI-DSS compliant and process card data on their own secure servers. For more information, please review Stripe's privacy policy and PayPal's privacy policy.
4. How we use your information
We collect and use personal information for the following purposes:
- To provide and operate the MailGraf platform and its features
- To respond to your enquiries and provide customer support
- To send you marketing and promotional communications (only with your consent; you may opt out at any time)
- To process payments and manage your account
- To monitor and improve the performance, security and usability of our website
- To comply with our legal obligations
We will not process your personal information in a manner that is incompatible with these purposes.
5. Our customers' subscriber data
When our customers use the MailGraf platform to send email campaigns, they upload subscriber lists and create email content. This subscriber data is processed by MailGraf on behalf of the customer as a Data Processor.
We do not sell, rent or share subscriber data. We process it solely to deliver the email marketing service as instructed by the customer.
Email tracking: When a customer sends a campaign through MailGraf, the platform may record whether a subscriber opened the email (using a tracking pixel) and which links were clicked. This data is reported back to the customer to help measure campaign performance. This tracking is carried out on behalf of the customer and is governed by the customer's own privacy policy and consent arrangements with their subscribers.
Data location: Subscriber data is processed and stored on infrastructure provided by Maileon (XQueue GmbH), located in Offenbach am Main, Germany. Germany is within the European Economic Area (EEA), and the transfer of personal data from the UK to the EEA is permitted under the UK GDPR adequacy decision.
6. Third-party services
We use the following third-party services to operate our website and platform. Each service may collect data as described in their own privacy policies.
6.1 Analytics and performance
| Service | Provider | Purpose | Data location |
|---|---|---|---|
| Google Analytics (GA4) | Google LLC | Website traffic analysis, user behaviour | USA |
| Microsoft Clarity | Microsoft Corporation | Session recordings, heatmaps, click tracking | USA |
| Clicky | Roxr Software Ltd | Real-time website analytics | USA |
| Umami | Umami Software Inc | Privacy-focused website analytics (cookie-free) | Cloud (USA) |
| Hotjar | Hotjar Ltd | Heatmaps, session recordings, user feedback | EU (Malta) |
6.2 Advertising and marketing
| Service | Provider | Purpose | Data location |
|---|---|---|---|
| Google Ads | Google LLC | Conversion tracking, remarketing | USA |
| HubSpot | HubSpot Inc | CRM, marketing automation, tracking | USA |
| Salespanel | Salespanel Inc | Visitor identification, lead scoring | USA |
6.3 Infrastructure and operations
| Service | Provider | Purpose | Data location |
|---|---|---|---|
| Maileon | XQueue GmbH | Email sending infrastructure, subscriber data processing | Germany |
| Teable | Teable Inc | Form submission data storage | USA |
| Stripe | Stripe Inc | Payment processing | USA / Ireland |
| PayPal | PayPal Holdings Inc | Payment processing | USA / EU |
| GetTerms | General Labs Pty Ltd | Cookie consent management | Australia |
Where data is transferred to countries outside the UK and EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions or other legally recognised transfer mechanisms.
7. Legal bases for processing (UK GDPR)
We process personal information only when we have a lawful basis to do so. Our legal bases include:
Consent: Where you have given us clear consent to process your personal information for a specific purpose, such as subscribing to our newsletter or accepting cookies. You may withdraw consent at any time by using the unsubscribe link in our emails, adjusting your cookie preferences, or contacting us.
Performance of a contract: Where processing is necessary to fulfil a contract with you or to take steps at your request before entering into a contract. For example, when you create an account and use the platform, or when you contact us with an enquiry.
Legitimate interests: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights. Our legitimate interests include operating and improving the Service, understanding our audience, marketing our services, and protecting our legal rights.
Compliance with the law: Where we are required by law to process or retain your personal information, such as for tax, accounting or regulatory obligations.
8. Data retention
We keep your personal information only for as long as necessary to fulfil the purposes described in this policy. Our retention periods are:
| Data type | Retention period |
|---|---|
| Active customer account data | Duration of the account plus 14 days after closure |
| Contact form submissions | 24 months from submission, then deleted |
| Newsletter subscriber data | Until you unsubscribe, then deleted within 30 days |
| Invoices and billing records | 7 years (as required by UK tax law) |
| Server logs and analytics data | 26 months (GA4 default), other services vary |
| Suppression lists (bounced/unsubscribed) | Retained to prevent re-sending to addresses that have opted out or hard-bounced; this is a data-minimisation measure that protects both the subscriber and the sender's reputation |
When your data is no longer required, we will delete it or anonymise it so that it can no longer identify you.
9. Cookies and tracking technologies
We use cookies and similar technologies on our website. For full details on the types of cookies we use, their purposes and how to manage your preferences, please see our Cookie Policy.
Non-essential cookies (including analytics, advertising and functionality cookies) are only placed on your device after you have given your explicit consent through our cookie banner. Essential cookies required for the basic operation of the website do not require consent.
We use GetTerms as our Cookie Consent Management Platform (CMP). You can review and update your cookie preferences at any time using the cookie settings accessible from the banner on our website.
10. Security of your personal information
We protect personal information using commercially reasonable technical and organisational measures, including:
- Encrypted data transmission (TLS/HTTPS)
- Access controls and authentication
- Regular security monitoring
- CSA-certified sending infrastructure (via Maileon)
While we take every reasonable precaution, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
You are responsible for maintaining the confidentiality of your account credentials and for all activity under your account.
11. International data transfers
Personal information we collect may be stored and processed in the United Kingdom, the European Economic Area and the United States. Our website is hosted on servers located in Germany (Hetzner Online GmbH). Subscriber data is processed on infrastructure provided by Maileon (XQueue GmbH), also located in Germany. Both are within the EEA. Some third-party services listed in Section 6 process data in the United States and other locations.
For transfers from the UK to the EEA, the UK government has issued an adequacy decision recognising that the EEA provides an essentially equivalent level of data protection.
For transfers to the United States and other countries outside the UK/EEA, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, and where applicable the UK Extension to the EU-US Data Privacy Framework (the UK-US data bridge). We review the transfer mechanisms in place for each third-party service periodically to ensure continued compliance.
12. Your rights under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:
Right of access: You may request a copy of the personal information we hold about you by submitting a Data Subject Access Request (DSAR). We will respond without undue delay and within one month. In complex or high-volume cases, we may extend this period by up to two additional months, and we will inform you of the reason for the extension within the initial one-month period.
Right to rectification: If you believe any information we hold about you is inaccurate or incomplete, you may request that we correct or update it.
Right to erasure: You may request that we delete your personal information. We will comply unless we have a legal obligation to retain it (for example, billing records required by tax law).
Right to restrict processing: You may request that we restrict how we process your personal information in certain circumstances, such as while we verify the accuracy of your data.
Right to object: You have the right to object to processing based on our legitimate interests. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds.
Right to data portability: You may request a copy of your personal data in a structured, machine-readable format (such as CSV).
Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us through our contact form.
13. Children's privacy
Our Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such data, we will take steps to delete it promptly.
14. Marketing communications
We may send you marketing emails about our services, tips and updates if you have opted in to receive them (for example, through our newsletter signup form).
You may opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email we send you
- Contacting us through our contact form
Opting out of marketing communications will not affect essential service-related messages (such as account notifications, security alerts or billing communications).
15. Data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
16. Business transfers
If MailGraf or its assets are acquired, merged with another entity, or enter bankruptcy, personal information may be transferred as part of that transaction. We will notify you before your personal information becomes subject to a different privacy policy.
17. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices, services or legal requirements. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you by email.
We encourage you to review this policy periodically.
18. Complaints
If you believe we have breached your data protection rights, please contact us first so we can address your concern:
MailGraf Digital Ltd: Contact us (please include "Privacy Request" in your message)
MailGraf Digital Ltd is registered with the Information Commissioner's Office (ICO). Registration reference: ZB250899
If you are not satisfied with our response, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. Website: www.ico.org.uk

