Privacy Policy

Last updated: June 30, 2026

This Privacy Policy explains how Positor Group LLC (“Positor Group,” “we,” “us,” or “our”) collects, uses, and protects your information when you use Mailtidy (the “Service”). By using the Service, you agree to this Policy.

1. Information we collect

• Account information. The email address and password you use to create your Mailtidy account.
• Connected mailbox credentials. The server settings and credentials you provide so we can access the mailboxes you choose to connect.
• Email content. Messages and related metadata retrieved from your connected mailboxes so the Service can display them to you.
• Billing information. A billing record and subscription status. Payment card details are collected and stored by our payment provider, Stripe, not by us.
• Usage data. Basic technical information such as log data and device or browser information needed to operate and secure the Service.

2. Our role: who controls your data

Mailtidy plays two different roles depending on the data involved:

• For your account, billing, and usage data, we are the data controller. We decide why and how this information is processed in order to run the Service.
• For the contents of the mailboxes you connect, we act as a data processor on your behalf. You remain the controller of your own mail. We access and display it only to provide the unified inbox you asked for, and we act on your instructions — for example, when you read, archive, delete, or send a message. We do not use the contents of your mail for any purpose of our own, and no automated profiling or artificial-intelligence model is ever applied to it.

Our payment provider, Stripe, acts as an independent controller of the payment-card and transaction data you provide to it; please see Stripe’s privacy policy for how it handles that information.

3. Legal bases for processing (EEA and UK users)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:

• Performance of a contract. To create your account, connect your mailboxes, display your mail, and provide and bill for the Service.
• Legitimate interests. To secure the Service, prevent abuse, and keep basic operational logs — balanced against your rights and freedoms.
• Legal obligation. To meet tax, accounting, and other legal record-keeping requirements.
• Consent. Where we specifically ask for it for a particular purpose (such as optional communications). You can withdraw consent at any time.

4. How we use your information

We use your information to:

• provide, maintain, and improve the Service;
• connect to your mailboxes and display your mail in a unified inbox;
• secure your account and prevent abuse; and
• communicate with you about the Service.

We do not sell your personal information or the contents of your email, and we never feed your mail to an artificial-intelligence model.

5. How we protect your information

Mailbox credentials are encrypted at rest using AES-256-GCM envelope encryption and are never stored in plain text. Access to your data is restricted to your authenticated account. Connections to your email providers use encrypted (TLS) transport. No method of storage or transmission is completely secure, but we take reasonable measures to protect your information.

6. Service providers and sub-processors

We share information only with the service providers who help us operate the Service, and only as needed to provide it. These providers process data under written data processing agreements that require them to protect it and to act on our instructions. Our current sub-processors are:

• Supabase, Inc. — database, authentication, file storage, and realtime infrastructure. Data is hosted in the European Union (Frankfurt, Germany).
• Hetzner Online GmbH — application server and compute hosting, located in Nuremberg, Germany.
• Stripe, Inc. — payment processing and subscription billing. Card details are entered directly with Stripe and are not stored on our servers.
• Cloudflare, Inc. — DNS for our domain. Cloudflare does not receive the contents of your mail.

We may also disclose information if required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets. We will update this list before adding or changing a sub-processor.

7. Where your information is stored and international transfers

Your data is stored on servers located in the European Union. Some of the providers above are organisations established in the United States. Where personal data is transferred outside the EEA or the UK, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses and their UK equivalent — together with the data processing agreements described above.

8. Data retention

We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your account data and connected-mailbox credentials, except where we are required to retain certain information by law.

9. Your rights

Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent where processing is based on it. You can disconnect any mailbox or delete your account at any time. To exercise these rights, contact us at the address below; we respond within the time limits required by law.

If you are in the EEA or the UK and believe we have not handled your data properly, you also have the right to lodge a complaint with your local data protection supervisory authority.

10. Data breaches

We maintain procedures to detect, investigate, and respond to security incidents. Where a personal-data breach is likely to affect your rights, we will notify the relevant supervisory authority and, where required, affected users, within the timeframes set by law.

11. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will take reasonable steps to notify you. Your continued use of the Service after the changes take effect constitutes acceptance of the revised Policy.

13. Governing law

This Policy is governed by the laws of the State of New York, without regard to its conflict-of-laws principles. Nothing in this section deprives you of the protection of the mandatory consumer or data-protection laws of your country of residence.

14. Contact

Questions about this Policy or your data? Contact Positor Group LLC at privacy@mailtidy.net.