Privacy Policy
Please read and understand our customer privacy policy. if you have any questions, please email us at [email protected]
MailNinja (referred to as “we” or “us” throughout this policy) are committed to protecting and respecting your privacy and keeping personal information secure. This policy applies to our email marketing software and services, including www.mailninja.co (and its sub-domains), referred to as ‘our website’ in this policy.
This policy (together with our Terms of Service, Cookies Policy and any other documents that they refer to) sets out:
- details of the personal information that we may collect from you;
- information about how we use your personal information;
- information about the limited way we share your information with our partners;
- information about how we store your information; and
- information about your rights.
Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it.
Children
This website is offered and available to users who are at least 18 years of age or older and of legal age to form a binding contract. Minors under 18 and at least 13 years of age, are only permitted to use the website through an account owned by a parent or legal guardian with their appropriate permission. Minors under 13 are not permitted to use the website or the MailNinja services. We do not knowingly collect personal information from children under 13. Parents and guardians should at all times supervise their children’s activities. If we learn we have collected or received personal information from a child under 13, we will delete that personal information.
If you believe we might have any information from or about a child under 13, please contact us at [email protected].
Data controller
For the purpose of data protection legislation including the General Data Protection Regulation (‘GDPR’), the data controller of your personal data is:
MailNinja Limited (registered at Companies House with company number 08740980 and trading as MailNinja).
Registered Address: 128 City Road, London, England, EC1V 2NX
Who is this policy addressed to?
When we refer in this policy to ‘you’, we are referring to a customer of our services, or a person visiting our website. We are not referring to a person receiving an email sent by a customer using our service, or a person on a mailing list maintained by one of our customers. We refer to those people in this policy as ‘Contacts’. We do not have any relationship with Contacts, and process information relating to them solely for the purposes of providing our service to our customers.
When we refer to a ‘contact list’ in this policy, we are referring to details of Contacts (including their email addresses) processed by us on your behalf to provide you with our MailNinja service.
If you are a Contact and wish to cease receiving emails from one of our customers, please unsubscribe directly using the unsubscribe link in the customer’s email, or contact the customer directly.
If a Contact makes a direct request to be removed from the contact list of one of our customers, we may do so on behalf of our customer, while providing notice to the customer of the Contact’s request. Our customer is the data controller in respect of Contacts’ personal data, and Contacts should consult our customer’s own Privacy Policy for details on the customer’s data protection practices. We will never use the Contact email addresses to send our own informational and promotional content. We may refer to Contact’s personal data when generating usage reports and analysis as data processor for our data controller customers. This may involve analysis on the events (such as bounces, unsubscribes, clicks, and opens) arising from emails sent to Contacts using our service.
Information we may collect from you
We may collect and process the following data about you:
- Identity Data; includes first name, maiden name, last name, username or similar identifier and title.
- Contact Data; includes your business or personal address, email address and telephone numbers.
- Transaction Data; includes details about payments to and from you and other details of services you have purchased from us.
- Technical Data; includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
- Usage Data; includes information about how you use our website and services.
- Marketing and Communications Data; includes information that allows us to choose how best to market specific communications to you.
- Special Categories of Personal Data; where you provide this to us in the context of your instructions or applying for a job (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data)
- You may give us your information by filling in forms on our website or by corresponding with us by email, live chat, phone or otherwise. This includes information you provide when you register to use our service, respond to any surveys that we send to you to complete, and when you contact us for any reason. When you register for our service we will ask for a range of information we need to collect in order to set up your account and engage one or more of our upstream email service providers to handle your emails. If you contact us, we may keep a record of any information contained in the correspondence.
- When using our paid service, you will be asked for financial details such as credit/debit card information. The processing of these payments is carried out by our payment processor, Stripe. We do not store any credit or debit card information on our servers. Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. (This is the most stringent level of certification available). Their Privacy Policy and security assurances are available on their website.
Purposes for collecting your personal information
We use information held about you for the following purposes:
- to provide you with information or services that you request from us, including responding to any requests for assistance with the service;
- to send you newsletters about our service and notify you about any changes to the service;
- to carry out our obligations arising from any contracts entered into between you and us;
- to administer our site and for internal operations, including troubleshooting;
- to help optimise and develop our service, for example through statistical analysis and research on your use of our service;
- as part of our efforts to keep our website safe and secure and to monitor actual or suspected fraudulent activity;
- to determine your regional location for the purposes of recommending a billing currency;
- to customise your experience;
- to manage your account and provide you with customer support;
- to communicate with you regarding your use of our service;
- to send you marketing communications;
Your contact lists
- All data including your contact lists are stored on servers hosted within the United Kingdom.
- At peak send times and during routine maintenance of our proprietary mail servers hosted in Germany, MailNinja may opt to use SendGrid to send emails on your behalf. SendGrid will only have access to your email lists when you are sending an email. Once the email is sent, SendGrid will no longer have access to your contact list. They do not store any of your contact data on their servers. This is subject to change, and we may use different email service providers or modify our use of SendGrid in the future, without prior notice to you.
- We don’t, under any circumstances, sell or share your contact lists with anyone else. If someone on your contact list complains or contacts us, only then will we respond to that person. Only you, our authorised employees, and SendGrid have access to view your contact lists.
- We may also monitor those events for the purposes of administering our service (including checking for any abuse of our service) and research on patterns and trends in the use of our service. We will never use any Contact data for the purposes of that administration or generating that research. It will always be conducted on an aggregated and anonymised dataset, which does not identify any individual Contact.
- You may export (download) your contact lists from MailNinja at any time. We’ll only ever use and disclose the information in your contact lists for the reasons listed in this section or in the section entitled ‘How we use your personal information’ above.
- We will never use or disclose the information in your contact lists to send our own informational and promotional content. If we detect abusive or illegal behaviour related to your contact list, we may share your contact list or portions of it with affected internet service providers (“ISPs”) or anti-spam organisations. We may also be required to disclose it to law enforcement or regulatory bodies. We will only do so if legally required.
- We may conduct analysis on your use of the service and the results generated by your emails sent by means of the service. This analysis is conducted solely on an aggregated and anonymised basis.
Cookies and tracking technologies
- Our website may use third party cookies to distinguish you from other users of our website. The majority of these cookies are required to provide our service, ensuring you remain signed in to MailNinja and that we can personalise the service offered. We may also use cookies and other similar tracking technologies, such as web beacons, for advertising and targeting purposes. For more information about cookies, visit our Cookies Policy.
Where we store your personal data
- Account details and IP addresses that we collect from you are stored on our servers located in the United Kingdom. All the personal data we collect from you may be processed by our staff. Such staff may be engaged in, among other things, the fulfilment of your services, and the provision of support services. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. Please contact us if you would like more details on the appropriate safeguards we employ to require that these providers process your data with due respect for its privacy.
Security
- All information you provide to us is stored on our secure servers. Any payment transactions will be carried out by Stripe over encrypted connections using SSL technology (see the ‘Payment Information’ section above). Where we have given you (or where you have chosen) a password or API key which enables you to access certain parts of our site, or you have invited team members to access parts of our site, you are responsible for keeping this password or API key confidential.
- We take security very seriously, and ‘privacy by design’ is baked into our engineering and product development principles but, as with any online service, despite our use of leading security tools and techniques, the personal data we hold about you can never be 100% immune from unauthorised access.
Disclosure of your information
We may disclose your personal information to any company under the same ownership as us.
We may disclose your personal information to selected third parties, including:
- in the event that we sell or buy any business or assets, the prospective seller or buyer of such business or asset;
- if MailNinja or substantially all of its assets are acquired by a third party, to the relevant third party;
- business parties and subcontractors for the purposes of providing MailNinja services;
- when an email is sent, SendGrid will see the ‘from’ name and address, the subject, the body of the email, and the destination email addresses. When an email recipient opens an email you have sent or clicks a link in the email, SendGrid will see the IP address of the recipient (from which may be inferred a notional latitude and longitude associated with that IP address);
- analytics providers that assist us in the improvement and optimisation of our website; and
- law enforcement agencies or regulatory bodies; or other third parties for fraud detection and prevention. We will only do this is if we are legally required to do so;
We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Service and other agreements, or to protect the rights, property, or safety of MailNinja, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud detection and protection and credit risk reduction.
Third party integrations
- You can additionally integrate your MailNinja account with third party apps, websites or other services with whom you have your own account independent of MailNinja. If you do decide to connect your account with that third party to MailNinja, the third party you integrate will as a result receive your contact lists, information about your use of our services, and access to any other personal data you make available to them. All third parties you integrate in this way are your own data processors – they are not sub-contractors or sub-processors of MailNinja. Information collected by these third parties is subject to their own terms and privacy policies. We use Zapier to allow you to integrate third party applications.
Retention of your personal information
- The periods for which we keep your information depend on why your information was collected and what we use it for. We will not keep your personal information for longer than necessary for our business purposes or for legal requirements.
- If you cancel your subscription and the current period has ended, we will keep your account live for up to 60 days, giving you the opportunity to renew your subscription prior to closing your account and deleting your data. During this time, we may attempt to send warning emails to your account email address so that you have an opportunity to restart your plan and back up any data you may need. We may also contact you about our services during this time.
- After the 60-day renewal window, we may keep a backup copy of your data on our servers for reporting, campaign archiving or personalisation (live merge tag) purposes. We may also keep limited information for up to 6 years for compliance and accounting purposes and to enforce or defend any legal claims in respect of our terms of service.
Legal basis for processing
We are required to state the legal basis on which we undertake processing of your personal information. We will only use your information where:
- we have your consent to do so; or
- we need to process the personal information to perform services for you under our terms of service.
- we have a legitimate interest in engaging in the provision of our MailNinja service and in offering products and services of value to you. Please contact us if you would like to learn more about our assessment of our legitimate interests in processing data.
- we are processing the data to meet a legal requirement.
Any consent you provide may be withdrawn at any time by emailing us.
Your rights
You have the right to request access to personal data that we may process about you.
You have the right to require us to correct any inaccuracies in your data, free of charge. If you wish to exercise this right, you should:
- put your request in an email to us;
- provide us with enough information to identify you (e.g. username or email address); and
- specify the information that is incorrect and what it should be replaced with.
You can access, correct, update or request deletion of your personal information at any time, either through your online account or by contacting us.
Deletion of data will be carried out on the understanding that removal of some information (e.g. email address) during an active membership term may negatively affect your ability to use the MailNinja service.
Invoices are sent directly from Stripe and are stored on their servers. We cannot delete invoices, as these are kept for tax purposes.
You can request that we restrict the processing of your personal information, object to the processing of your information or request portability of your personal information. For these requests please contact us. We will comply with your request where your rights have been exercised in accordance with applicable laws.
You have the right to obtain and reuse your personal data in a structured, commonly used and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such information transferred directly to a third party.
If we have collected and processed your personal information with your consent, then you can withdraw that consent at any time. To be clear, we may still continue to process your data if we have a different legal basis for doing so (for example, if we are required by law to do so, or we need to do so for the purposes of fulfilling our obligations to you under our terms of service).
You also have the right to ask us to stop processing your personal data for direct marketing purposes. You can do this through your MailNinja dashboard or via email. If you wish to exercise this right via email, you should:
- put your request in writing (an email with a header that says ‘Unsubscribe’ is acceptable);
- provide us with enough information to identify you (e.g. email address); and
- if your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g. email or telephone), please specify the channel you are objecting to.
You have the right to make a complaint to the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your personal data or believe our processing of your personal data does not comply with data protection law.
Please note that the right of access and the right to erasure do not constitute absolute rights and the interests of other individuals may restrict your right of access or erase in accordance with local laws.
Important notice regarding your rights: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
International transfers
Some of our external third parties are based or send personal data outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Specific Provisions for California Residents
This section of the Policy applies to you, if you are a California resident.
During the last twelve (12) months we have collected the following categories of personal information from users:
- Information that you chose to upload or otherwise provided by you to MailNinja, which may include: (i) Identifiers and personal information, such as name, postal addresses, online identifiers, email addresses, passport number or driving licence number, social security number; (ii) characteristics of protected classifications, such as gender; facial image; electronic or similar information; (iii) commercial information;
- Information we collect when you use MailNinja, including (i) Identifiers and personal information, such as online identifiers, internet protocol (IP) addresses, access device and connection information such as browser type, version, and time zone setting and browser plug-in types and versions; (ii) commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (iii) Internet or other electronic network activity information, including, but not limited to log-in and log-out time, the duration of sessions, the content uploaded and downloaded, viewed web-pages or specific content on web-pages, activity measures; (iv) Location information.
- Information that we collect or receive from third parties, such as service clients, advertisers, and third-party accounts you link with MailNinja, including: (i) Identifiers and personal information, such as name, online identifiers, email addresses, internet protocol (IP) addresses, access device and connection information such as browser type, version, and time zone setting and browser plug-in types and versions; (ii) Internet or other electronic network activity information, including, but not limited to log-in and log-out time, the duration of sessions, the content uploaded and downloaded, viewed web-pages or specific content on web-pages, activity measures; (iv)Commercial information; and (v) Location information.
- Inferences drawn from any of the information identified above to create a profile about you.
We use the personal information that we collect or receive for the business purposes as described above under the Section titled “Purposes for collecting your personal information”.
We may disclose the above listed categories of personal information to third parties for business purposes as described above under the Section titled “Disclosure of your information” in the Privacy Policy. In the preceding twelve (12) months, we have disclosed all the categories of personal information detailed above for business purposes.
As previously mentioned in this Policy, we do not “sell” (as such term is defined in the CCPA) personal information.
You are entitled to the following specific rights under the CCPA, subject to certain exceptions, in relation to personal information related to you:
- You have a right to request access to the personal information we have collected about you over the past 12 months, including: (i) the categories of personal information we collect about you; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting your personal information; (iv) the categories of third parties with whom we have shared your personal information; (v) the specific pieces of personal information that we have collected about you.
- You have a right to request that we delete personal information related to you that we collected from you under certain circumstances and exceptions.
- You also have a right not to be discriminated against for exercising your rights under the CCPA.
- You also have a right to submit your request via an authorised agent. If you use an authorised agent to submit a request to access or delete your personal information on your behalf, the authorised agent must: (1) be a person or business entity registered with the California Secretary of State to conduct business in California; (2) provide proof of such registration; and (3) provide documentation or other proof indicating that they are authorised to act on your behalf. We may also require you to verify your identity directly with us, and directly confirm with us that you provided the authorised agent permission to submit the request.
To make such requests, we kindly ask that you contact us at [email protected]. We will verify your request using the information associated with your account, including email address. Government identification may also be required.
A request for access can be made by you only twice within a 12-months period. Any disclosures that we provide will only cover the 12-months period preceding receipt of your request. We do not charge a fee to process or respond to your verifiable User request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such a decision and provide you with a cost estimate before processing further your request.
Changes to privacy policy
- We keep our privacy policy under regular review. If we change our privacy policy we will post the changes on this page, notify you, and place notices on other areas of the site, so that you may be aware of the information we collect and how we use it at all times.
Complaints
If you have any questions or comments regarding our use of your data, please contact us by email. If you make a complaint to us and think we have not dealt with it to your satisfaction, you may send your complaint to the Information Commissioner for investigation. For more information on the Information Commissioner, and how to make a complaint, please visit their website.