Privacy Policy
Last updated: July 2026
MailFlows ("we", "us", "the Service") is a cold email outreach platform operated by Daniel (Tom-James Daniel), based in Nigeria. This policy explains what information we collect, how we use it, and the choices you have. By using MailFlows, you agree to the practices described here.
1. Information We Collect
We collect information you provide directly, information generated by your use of the Service, and information from third parties you choose to connect.
- Account information: your name and email address when you register.
- Gmail account access: if you connect a Gmail account, we store OAuth access and refresh tokens so MailFlows can send and check for replies to emails on your behalf. We do not receive or store your Gmail password.
- Contacts and campaign data: email addresses, names, and company details you add manually, paste in bulk, or find using our built-in web scraper, along with the campaigns and messages you create.
- Sent emails and replies: copies of emails sent through the Service and genuine replies received to them, retained for 90 days and then automatically and permanently deleted.
- Payment information: plan and transaction records (amount, currency, status). Card details are handled directly by our payment processor, Paystack — we never see or store your full card number.
- Usage data: basic technical data such as login timestamps and feature usage, used to maintain and improve the Service.
2. How We Use Your Information
- To operate the Service: sending emails through your connected Gmail account, detecting replies, managing contacts and campaigns.
- To verify the deliverability of email addresses before you send to them.
- To process payments and manage your subscription plan.
- To send you account-related emails (welcome, confirmation, password reset) and, if you opt in, product updates.
- To provide customer support, including through our AI-assisted FAQ chat.
- To detect abuse and protect the security of the Service and its users.
3. Google User Data
MailFlows's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect your Gmail account, MailFlows requests permission to:
- Send email on your behalf (
gmail.send) — used only to send the emails you compose or approve through MailFlows.
- Read your Gmail (
gmail.readonly) — used only to detect genuine replies to emails sent through MailFlows. We do not read, store, or otherwise access any other email in your inbox.
Gmail data accessed this way is used solely to power these features, is transmitted securely, and is never sold, used for advertising, or shared with third parties except as strictly necessary to provide the Service (e.g. our hosting and database providers, listed below). You can revoke MailFlows's access to your Gmail account at any time from your Google Account permissions page, or by disconnecting it inside MailFlows.
4. Third-Party Service Providers
We use the following providers to operate MailFlows. Each processes data only as needed to provide their respective service to us:
- Supabase — database hosting and authentication.
- Railway — backend application hosting.
- Cloudflare — frontend hosting and domain/DNS.
- Google (Gmail API) — sending and reading email, as described above.
- Paystack — payment processing.
- Tavily — powers our web-based email scraper, which searches company websites for publicly published business contact emails.
- Reoon and Hunter.io — email address verification.
- Resend — delivery of account and transactional emails.
- Google Gemini — powers optional AI features (email drafting assistance and the FAQ support chat). Prompts sent to these features may be processed by Google's AI systems.
5. Data Retention
- Sent emails and replies are stored for 90 days, then automatically and permanently deleted.
- Contacts, campaigns, and account information are retained until you delete them or close your account.
- Gmail OAuth tokens are retained while your account remains connected, and deleted when you disconnect it.
- You may request full deletion of your account and associated data at any time by contacting us (below).
6. Your Rights
You can access, correct, export, or delete your contacts, campaigns, and account data directly within the app, or by contacting us. If you are located in a jurisdiction with data protection laws (such as the EU/UK GDPR or Nigeria's NDPA), you have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing.
7. Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS/TLS) and access-controlled databases. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Children's Privacy
MailFlows is not directed at children under 18 and we do not knowingly collect data from them.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date above. Continued use of MailFlows after changes take effect constitutes acceptance of the revised policy.
10. Contact Us
Questions about this policy or your data can be sent to support@mailflows.org.