Privacy Policy

The data controller for personal data described in this Policy is Lunea Labs, the operator of LuneaMail. For any privacy question, request, or complaint you can reach us at privacy@luneamail.com. If you are located in the EEA or the UK and would like to contact our representative, write to the same address with “EU/UK representative” in the subject line.

When our customers use LuneaMail to send email to their own recipients, the customer is the controller of that recipient data and LuneaMail acts as a processor on their behalf, under our Data Processing Addendum (DPA).

We use personal data only where we have a lawful basis, and only for the purposes set out below:

• Provide the Services — create your account, authenticate sessions, render workspaces, send campaigns on your instructions, return analytics. Basis: performance of contract.
• Secure & operate the platform — fraud and abuse prevention, rate limiting, log review, deliverability protection, capacity planning. Basis: legitimate interests in running a safe, reliable platform.
• Billing & legal compliance — process payments, calculate taxes, retain records required by law. Basis: contract and legal obligation.
• Customer support — respond to your requests and incidents. Basis: contract and legitimate interests.
• Product improvement — aggregated and pseudonymized analytics to improve features. We do not train AI models on customer content, and we do not permit our AI sub-processors to train their general models on customer content.
• Product communications — service announcements, security notices, and (only with separate consent or where permitted) optional marketing emails about new features. You can unsubscribe from marketing at any time.

We will never sell your personal data, and we will never share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

Where the GDPR applies, we rely on the following Article 6 bases: (a) performance of a contract for account, workspace, and sending features; (b) compliance with a legal obligation for tax, financial, and law-enforcement records; (c) legitimate interests for product security, deliverability protection, anti-abuse, and product analytics — balanced against your rights and freedoms; (d) consent for optional marketing communications and any non-essential cookies we may introduce in future. When LuneaMail acts as a processor on behalf of a customer (Article 28), the customer is responsible for identifying the lawful basis for processing their recipients’ data.

We disclose personal data only to: (i) authorized members of your workspace; (ii) our sub-processors listed below; (iii) professional advisors (lawyers, auditors) under confidentiality; (iv) authorities where we are legally compelled, and only to the minimum extent required; and (v) an acquirer in connection with a corporate transaction, subject to equivalent protections.

Each sub-processor is bound by a written contract that imposes equivalent data-protection obligations. We will update this list before adding or replacing a sub-processor that processes customer personal data.

Personal data may be processed in the United States and other countries where our sub-processors operate. Where we transfer personal data out of the EEA, the UK, or Switzerland we rely on an approved adequacy decision where available; otherwise we use the European Commission’s Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and the Swiss FDPIC-approved version, supplemented by appropriate technical and organizational measures (encryption in transit, encryption at rest, access controls, and transfer-impact assessments).

• Account & workspace data: for the life of your account and up to 90 days after account closure, after which we delete or anonymize it, except where a longer period is required by law.
• Customer content (contacts, templates, campaigns): retained while your account is active. When a workspace is deleted, related data is removed via cascading deletion within 30 days.
• Send events (open/click/bounce/complaint): retained for up to 24 months for analytics and deliverability protection, after which they are aggregated.
• Suppression list: retained indefinitely (and even after account closure where required) to honor unsubscribes and protect recipients.
• Billing & tax records: retained for the period required by applicable financial regulations (typically 7 years).
• Security logs: retained for up to 12 months.

Depending on where you live, you may have the right to access, rectify, erase, restrict or object to processing, withdraw consent, and receive a portable copy of your personal data. Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other U.S. states with comprehensive privacy laws have equivalent rights, including the right to know, the right to delete, the right to correct, and the right to opt-out of sale or sharing (which we do not engage in).

To exercise these rights, email privacy@luneamail.com from the address associated with your account. We will respond within the period required by applicable law (typically 30 days, extendable for complex requests). Where LuneaMail is a processor acting on behalf of a customer (for instance, you are an email recipient of one of our customers), please contact the customer directly; we will assist them in responding to you.

You have the right to lodge a complaint with a supervisory authority, including the data protection authority of your country of residence.

We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, accidental loss, and unlawful processing. These include TLS encryption in transit, AES-256 encryption at rest for sensitive fields such as SMTP credentials, bcrypt password hashing, least-privilege access controls, environment isolation, audit logging, vendor due diligence, regular dependency updates, and incident response procedures. No method of transmission or storage is 100% secure; in the unlikely event of a personal data breach affecting your information, we will notify you and any applicable supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with applicable law.

The Services are not directed to children under 16 (or the age of digital consent in your jurisdiction, where higher). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

The Services include AI-assisted features that suggest subject lines, segments, and content. These are assistive: a human always reviews and decides whether to use the output. We do not make decisions that produce legal or similarly significant effects about you using solely automated processing within the meaning of Article 22 GDPR. We do not use customer content, recipient data, or AI prompts to train our own or our sub-processors’ general-purpose models.

In the prior 12 months we have collected the categories of personal information described in Section 2 (identifiers, commercial information, internet/network activity, professional information, and inferences). We collect it for the business purposes in Section 3 and we share it only with the sub-processors in Section 5 as “service providers” under the CCPA. We do not sell personal information and we do not share it for cross-context behavioral advertising. We do not knowingly process the sensitive personal information of California residents for purposes other than those permitted without an opt-out under § 7027 CCPA Regulations. To submit a verifiable consumer request or to designate an authorized agent, email privacy@luneamail.com. We will not discriminate against you for exercising your rights.

We may update this Policy from time to time. When we make material changes, we will update the “Effective” date above and, where appropriate, notify you by email or in-product banner before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance.

Questions or requests? Email privacy@luneamail.com. For security disclosures please use security@luneamail.com.