Legal

Privacy Policy

How we handle personal data across our website, dashboard, and open-time ad serving platform.

This Privacy Policy describes how MailAdx (“MailAdx”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you visit www.mailadx.com, use the MailAdx dashboard and APIs, interact with ads served through MailAdx in email newsletters, or otherwise engage with our services (collectively, the “Services”).

Effective date: May 25, 2026  |  Last updated: May 25, 2026

1. Who we are and how to contact us

MailAdx operates a newsletter advertising platform that combines supply-side inventory management, demand-side campaign tools, and an open-time ad server that selects and delivers ads when a subscriber opens an email.

For privacy-related questions or requests, contact us at privacy@mailadx.com. For data protection matters under GDPR, you may also contact our Data Protection contact at dpo@mailadx.com. See also our GDPR Compliance page for additional information for European users and business customers.

2. Scope of this policy

This policy applies to:

  • Website visitors who browse mailadx.com, submit demo or contact forms, subscribe to product updates, or create an account.
  • Business customers (publishers, advertisers, networks, agencies) and their authorized users who access the MailAdx dashboard or APIs.
  • Newsletter subscribers who receive emails containing MailAdx-served ads or who use our Ad Choices opt-out tools.

When a publisher uses MailAdx to monetize their newsletter, that publisher is typically the data controller for their subscriber list and email marketing relationship. MailAdx generally acts as a data processor on the publisher's instructions when handling subscriber identifiers for ad serving, reporting, and related operations. This policy explains both MailAdx's own processing and how we handle data on behalf of customers.

3. Information we collect

3.1 Information you provide directly

  • Account and profile data: name, work email, organization name, role, billing contact details, and authentication credentials for dashboard users.
  • Sales and support communications: information submitted through demo requests, contact forms, support tickets, or email correspondence.
  • Marketing preferences: email address if you subscribe to MailAdx product updates.
  • Publisher and advertiser configuration: placement settings, deal terms, campaign definitions, creative assets, audience segment definitions, billing settings, and API keys you create in the dashboard.
  • Ad Choices opt-out requests: email address submitted through our opt-out form (hashed immediately for suppression purposes; see Section 5).

3.2 Information collected automatically — website and dashboard

  • Device and log data: IP address, browser type, operating system, referring URLs, pages viewed, timestamps, and similar diagnostic data when you use our website or dashboard.
  • Cookies and similar technologies: we use essential cookies and local storage to maintain login sessions, remember preferences, and protect against abuse. We do not use third-party advertising cookies on mailadx.com. See Section 9 for details.
  • Audit and security logs: configuration changes, API key usage, and security events associated with your account (retained per your plan; see Section 7).

3.3 Information processed during ad serving (open-time)

MailAdx serves ads when a subscriber's email client requests an ad image at open time — not at send time. When that request occurs, we may process:

  • Hashed subscriber identifier: a SHA-256 hex digest of the subscriber's lowercase email address, passed as the eh parameter (or legacy emailHash) in ad tag URLs. Publishers supply this via an ESP merge field such as {{EMAIL_SHA256}}. We design our platform so that plaintext subscriber email addresses are not required in ad-serving URLs.
  • Publisher and placement identifiers: publisher ID, placement key, network ID, and campaign/creative identifiers needed to run the ad waterfall.
  • Approximate location: country and, where available, region/state derived from the IP address of the request (typically a coarse prefix, not precise geolocation).
  • Device category: inferred from the User-Agent string (for example, desktop, mobile, or webmail client class).
  • Delivery and engagement events: impressions (genuine opens where the display URL is fetched), clicks (via our click redirect URL), and conversion events where conversion tracking is enabled.
  • Request metadata: timestamp, request ID, HTTP headers necessary for serving and fraud prevention, and response codes.

We do not use cookies, browser fingerprinting, or cross-site web tracking pixels for MailAdx ad serving in email. Ads are selected in the context of the newsletter placement and campaign rules — not from browsing history across unrelated websites.

3.4 Information from third parties

  • Payment processors: billing status and transaction identifiers (we do not store full payment card numbers).
  • Programmatic partners: bid responses and limited identifiers when OpenRTB or private marketplace integrations are enabled by a customer.
  • Integration partners: ESP or CRM metadata where you connect optional integrations.

4. How we use information

We use personal information for the following purposes:

  • Provide, operate, maintain, and improve the Services.
  • Run open-time ad decisioning, frequency capping, audience segmentation, pacing, and billing based on verified opens.
  • Generate reporting, invoices, and analytics for publishers, advertisers, and network operators.
  • Authenticate users, enforce role-based access controls, and detect fraud or abuse.
  • Respond to support requests and communicate about your account or the Services.
  • Send product updates and marketing communications where permitted (you may opt out of marketing emails).
  • Comply with legal obligations and enforce our Terms of Service.
  • Honor subscriber opt-out and suppression requests submitted through Ad Choices.

5. Email hashes, suppression, and opt-out

MailAdx uses SHA-256 hashes of lowercase email addresses for frequency capping, audience matching, attribution, and global ad suppression. Hashes are one-way values; we cannot reverse a hash to recover the original email address.

When you submit an opt-out through Ad Choices, we hash your email and add it to a global suppression list. Suppressed hashes receive a transparent pixel instead of an ad, impressions are not recorded for billing, and no MailAdx ad will be served to that hash across participating newsletters.

Publishers remain responsible for their email subscription relationship. Opting out of MailAdx ads does not unsubscribe you from a publisher's newsletter unless you contact that publisher directly.

6. Legal bases for processing (EEA, UK, and Switzerland)

Where GDPR or similar laws apply, we rely on the following legal bases:

  • Contract: processing necessary to provide the Services under our agreement with business customers and to manage your account.
  • Legitimate interests: securing our platform, preventing fraud, improving the Services, and serving contextual newsletter ads with minimal identifiers, balanced against your rights. See our GDPR Compliance page for detail.
  • Consent: where required for marketing emails, optional cookies, or where a publisher has obtained valid consent for advertising to subscribers.
  • Legal obligation: tax, accounting, regulatory, and law-enforcement requests.

When we process subscriber data on a publisher's behalf, the publisher determines the lawful basis for sending marketing emails and enabling advertising. Publishers must ensure they have appropriate consent or another valid basis before passing subscriber hashes to MailAdx.

7. How we share information

We may share information with:

  • Service providers and sub-processors who host infrastructure, provide email delivery, payment processing, customer support tools, analytics for our website, and security monitoring — under contractual confidentiality and data protection obligations.
  • Advertising partners where a customer enables programmatic demand, private marketplace deals, or direct advertiser campaigns — limited to data necessary for delivery, measurement, and billing.
  • Linked business customers such as a publisher and advertiser connected through a direct deal, or a network operator viewing aggregate publisher reporting.
  • Professional advisers (lawyers, accountants, auditors) under confidentiality duties.
  • Authorities when required by law or to protect rights, safety, and integrity of the Services.
  • Successors in connection with a merger, acquisition, or asset sale, subject to this policy or notice to you.

We do not sell personal information in the conventional sense. We do not share subscriber email addresses with advertisers for their independent marketing lists.

8. International data transfers

MailAdx may process and store information in the United States and other countries where we or our service providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses and data processing agreements for transfers from the EEA, UK, or Switzerland. Business customers may request a Data Processing Addendum (DPA) by contacting legal@mailadx.com.

9. Cookies and similar technologies

On mailadx.com and the MailAdx dashboard, we use cookies and similar technologies that are strictly necessary for authentication, security, and session management. We may use privacy-respecting analytics on our marketing site to understand aggregate traffic patterns.

MailAdx ad serving in email newsletters does not set third-party advertising cookies in the subscriber's browser as part of the standard display/click tag integration.

10. Data retention

  • Account data: retained while your account is active and for a reasonable period afterward to resolve disputes, enforce agreements, and meet legal obligations.
  • Ad delivery and reporting events: retained according to your plan and contractual reporting windows (typically 13–25 months for operational reporting unless a longer period is required for billing disputes or law).
  • Audit logs: 90 days on standard plans; up to 365 days on Enterprise plans.
  • Suppression list entries: retained until you request removal or we no longer need them to honor your opt-out, subject to legal requirements.
  • Marketing contact data: until you unsubscribe or we retire the list.

We may retain anonymized or aggregated data that no longer identifies individuals for analytics and product improvement.

11. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including TLS 1.3 encryption in transit, AES-256 encryption at rest for MailAdx database storage, role-based access controls, API key scoping, and optional IP allowlisting for enterprise accounts. No method of transmission or storage is completely secure; please use strong passwords and protect your API keys.

12. Your privacy rights

Depending on your location, you may have rights to:

  • Access, correct, or delete personal information we hold about you.
  • Object to or restrict certain processing.
  • Data portability where applicable.
  • Withdraw consent where processing is consent-based.
  • Opt out of marketing communications.
  • Lodge a complaint with a supervisory authority.

Newsletter subscribers: to opt out of MailAdx ads globally, use Ad Choices. For access or deletion related to a specific newsletter, contact the publisher first — they control the subscription relationship. We will assist publishers in responding to valid data subject requests where we act as their processor.

Business users: submit requests to privacy@mailadx.com. We may verify your identity before responding. We aim to respond within 30 days.

13. U.S. state privacy notices

Residents of California, Colorado, Virginia, and other U.S. states with comprehensive privacy laws may have additional rights, including the right to know categories of data collected, request deletion, and opt out of certain sharing. MailAdx does not sell personal information or use it for cross-context behavioral advertising outside the newsletter context described in this policy. Submit requests to privacy@mailadx.com.

14. Children

The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the “Last updated” date. Material changes to business customers may also be communicated by email or in-dashboard notice where required by law or contract.

16. Related documents