Privacy Policy

This Privacy Policy (“Policy”) explains how Egressif LLC (“Egressif”, “we”, “us”, or “our”) handles personal data in connection with (a) our public website and business communications and (b) our professional Services that configure and operate email infrastructure for clients (the “Services”). This Policy is intended to align with our master agreement(s) with you, including any statement of work or order form (collectively, the “Agreement”). By visiting our website or engaging us for the Services, you acknowledge this Policy.

1) Scope, Audience, and Roles

1.1 Business scope; no marketing spam. Our Services are provided exclusively to business customers for business communications. We do not support consumer-directed use, and we do not knowingly collect data regarding consumers or minors in connection with Client email. We do not welcome use of the Services for marketing “blasts,” lead-gen spam, or any unsolicited outreach. Unsolicited bulk/automated email and similar abuse are prohibited.

1.2 Controller vs. Processor. For our public website and our own sales, billing, vendor, and security records, Egressif acts as an independent Controller. For the Services, Egressif acts as a Processor / infrastructure operator on the Client’s documented instructions. The Client is the Controller and sender for any emails transmitted using third-party platforms the Client operates.

1.3 Contact. Egressif LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA · [email protected]

2) What We Do, and Do Not, Process

2.1 Infrastructure only. At your direction we perform domain onboarding and verification, authentication (SPF/DKIM/DMARC), mailbox provisioning (if expressly authorized), routing/settings, API-key and webhook administration, access to aggregate logs/metrics, and account/quota/status checks with supported platforms.

2.2 No message content. We do not read, ingest, or store email message bodies, mailbox contents, or the substance of Client communications.

2.3 No client-facing tracking. Client-facing tools are engineered to avoid persistent storage of IP addresses, device fingerprints, or behavioral profiles. Any operational telemetry required to complete a requested action is ephemeral and not retained beyond the transaction.

2.4 Public website analytics (Controller). Our marketing website may use privacy-respecting analytics to understand aggregate usage and performance. We do not build cross-site profiles and we do not reuse public-site analytics in Client-facing systems.

3) Categories of Data

3.1 Public website (Controller capacity). Business contact data you submit (e.g., forms, inquiries): name, business email, company, role. Limited website analytics on the public site (aggregate page views and diagnostics). Where technically present, IP addresses are truncated or discarded by our analytics provider.

3.2 Services (Processor capacity). Configuration/admin metadata necessary to execute your instructions: domain names; DNS records and validation state; tenant/organization identifiers; mailbox identifiers and aliases (if provisioning is enabled); API-key scopes/labels; webhook endpoints and health; event/log headers and delivery statuses; account/region/quota flags. We do not process or store message bodies or mailbox contents.

4) Identity, OAuth, and Service Integrations (Provider-Agnostic)

4.1 Least-privilege access. When you connect an identity/directory account or authorize our app via an OAuth-style flow, we request only the permissions necessary to (a) authenticate your administrators and (b) perform domain/mailbox administration and provider configuration you have requested. If tokens are stored, they are encrypted at rest and retained only while needed to perform those actions.

4.2 Human access limits. We do not allow human access to integration data except (i) with your explicit approval (e.g., a support ticket), (ii) to investigate security/abuse, or (iii) where required by law.

4.3 No sale / no ads. We do not sell integration data and do not use it for advertising or cross-context behavioral profiling.

4.4 Platform rules. We comply with the applicable developer/platform policies of the identity and email-infrastructure providers you choose. Where a provider’s policy is stricter than this Policy, the stricter rule applies.

5) Email Infrastructure Providers (Provider-Agnostic)

At your direction we configure reputable email-infrastructure and mailbox platforms to enable lawful business communications. Typical actions include: create/list/update/delete domains/sender identities; configure and validate SPF/DKIM/DMARC; configure routing/sending settings, rate limits, streams/routes, and (where applicable) IP pools; create/list/update/rotate API keys with least-privilege scopes; create/list/update webhooks and event destinations; verify delivery/health; retrieve aggregate logs/metrics (bounces, complaints, deliveries) for operational status. We do not ingest message bodies from these systems. Content responsibility remains with the Client as Controller and sender.

6) Lawful Bases (EEA/UK/Switzerland)

• Legitimate interests (website operation and security; non-profiling analytics; operating and maintaining the Services).
• Consent (where required for cookies/analytics on the public website and when you approve integration permissions).
• Contract (processing necessary to perform the Agreement with the Client).

7) Disclosures and Sub-Processors

We may disclose limited information to: service providers/sub-processors (hosting, security, limited public-site analytics, support) under confidentiality, least-privilege access, and data-protection terms; professional advisers (legal, accounting) under confidentiality; corporate transactions (merger/acquisition) where data transfer is part of the transaction; and legal/safety: to comply with law, enforce agreements, or protect rights and security. We maintain a current list of material sub-processors upon request at [email protected]. We do not sell personal data.

8) International Transfers

We may process data in multiple jurisdictions. Where required for transfers from the EEA/UK/Switzerland, we implement appropriate safeguards (e.g., Standard Contractual Clauses and, where appropriate, transfer-risk assessments). Clients, as Controllers, are responsible for their own cross-border transfer mechanisms for Client Data.

9) Security

We implement commercially reasonable administrative, technical, and physical safeguards aligned with SOC 2 principles, including least-privilege access, MFA, encryption in transit and at rest where applicable, key management, vulnerability management, and logging/monitoring. Client-facing tools are designed to avoid persistent storage of IP addresses and message content.

HIPAA/PHI. The Services are not designed for PHI. We do not act as a Business Associate unless expressly agreed in writing; Clients must not transmit PHI through the Services without a signed BAA.

10) Incidents

If we confirm a security incident that materially impacts the confidentiality, integrity, or availability of the Services or Client Data that we process, we will notify the affected Client without undue delay and in any event within seventy-two (72) hours, including known scope and remediation steps. This notice does not require disclosure of unrelated proprietary audit artifacts.

11) Retention

• Public website (Controller): retained only as long as necessary for the purposes in this Policy or to meet legal obligations, then deleted or anonymized. We do not retain full IP addresses for analytics.
• Services (Processor): configuration/admin metadata is retained for the Term and at Client instruction. Minimal records necessary for security, compliance, or financial recordkeeping may be retained as permitted by the Agreement and law.
• Integration tokens and related admin metadata: stored only while needed to perform your requested actions and deleted within a reasonable time (typically thirty (30) days) after revocation or task completion, unless longer retention is legally required.

12) Your Choices and Rights

12.1 Revoke access. You may revoke our app’s access in your identity/provider account at any time (administrator or tenant portal). Once revoked, we cease access and delete stored tokens as described above.

12.2 Deletion requests. Email [email protected]. We will verify identity and delete stored tokens and any associated admin metadata we control (if any) within a reasonable time, subject to legal retention requirements.

12.3 Data subject rights. Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing, and to portability. For Client Data, contact the Client (Controller). For public-site or integration data we control, contact [email protected]. We do not discriminate for exercising rights.

12.4 Abuse reports. Complaints regarding Client messages should be sent to our Report Abuse page or [email protected]. We will forward such reports to the relevant Client and may take operational actions (e.g., throttling/suspension) to mitigate harm. Content responsibility remains with the Client.

13) Children

Our website and Services are not directed to children and are not available for consumer use. We do not knowingly collect personal data from individuals under sixteen (16).

14) Jurisdiction-Specific Notices

California (CCPA/CPRA). For the public website we may act as a “business”; for the Services we act as a “service provider.” We do not sell or share personal information as those terms are defined by CPRA. California residents may exercise access, deletion, and correction rights by emailing [email protected].

EEA/UK/Switzerland (GDPR/UK GDPR). You may lodge a complaint with your supervisory authority. Our EU/UK representatives (if appointed) and SCC information are available upon request.

Türkiye (KVKK). For the public website we may be a “data controller”; for the Services we act as a “data processor” strictly on Client instructions. Data subjects in Türkiye may exercise rights under KVKK Law No. 6698 by contacting [email protected].

15) Platform Compliance (General Statement)

Our use of data obtained through identity, directory, or email-infrastructure integrations adheres to the applicable platform/developer policies for those services. We request only the permissions necessary to perform domain/mailbox administration and provider configuration and we avoid permissions that grant access to email message content.

16) Changes to This Policy

We may update this Policy from time to time. The “Last updated” date will change when we do. Where appropriate, we will provide a prominent notice on our website or by email. Continued use indicates acceptance of the updated Policy.

17) Annex: Permissions Transparency (Provider-Agnostic)

We request only the permissions necessary to perform domain/mailbox administration and provider configuration, including domains, DNS authentication (SPF/DKIM/DMARC) checks, API keys, webhooks, logs/metrics, routing/settings, and account status. We do not request permissions that allow reading email message content.

Questions? Contact [email protected].