Privacy Policy

Effective Date: April 1, 2026 | Last Updated: April 1, 2026

1. Introduction

AlecRae, Inc. ("AlecRae," "we," "us," or "our"), located at 548 Market Street, Suite 45000, San Francisco, CA 94104, is the data controller for personal data processed through the AlecRae platform.

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, platform, API, mobile applications, and all associated services (collectively, the "Service"). It applies to all users worldwide, with additional provisions for users in the European Economic Area (EEA), United Kingdom (UK), California, and other jurisdictions with specific privacy requirements.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you confirm that you are authorized to agree to this policy on the organization's behalf.

2. Information We Collect

(a) Account Information. Name, email address, organization name, job title, billing address, and phone number provided during registration. Passwords are never stored in plaintext — only cryptographic hashes using industry-standard algorithms (scrypt/Argon2).

(b) Email Content and Metadata. When you use the Service to send, receive, or store email, we process: sender and recipient addresses, subject lines, email body content (text and HTML), attachments, email headers (including Received, Message-ID, Date, MIME-Version, Content-Type), timestamps, IP addresses of sending and receiving servers, delivery status information, and bounce/complaint notifications.

(c) Domain and DNS Data. Domain names, DNS records (SPF, DKIM, DMARC, MX, CNAME, TXT), domain verification status, DKIM keys, and authentication configuration.

(d) Usage Data. Login timestamps, features accessed, pages viewed, API calls made (endpoints, parameters, response codes), search queries, UI interactions, session duration, and feature adoption metrics.

(e) Device and Technical Data. Browser type and version, operating system, screen resolution, language preference, time zone, IP address, and approximate geolocation (city/country level) derived from IP address.

(f) AI-Derived Data. Our AI systems generate derived data from your email content, including: priority scores for incoming emails, sentiment analysis results, relationship strength scores between you and your contacts, communication pattern data (frequency, response times, reciprocity), writing style models that capture your tone and vocabulary patterns, threat assessment scores, and spam confidence scores. This data is generated automatically and stored separately from your raw email content.

(g) Payment Information. Payment processing is handled by Stripe, Inc. We do not store full credit card numbers, CVVs, or bank account details. We retain only the last four digits of your card number, card brand, expiration date, and billing address for record-keeping.

3. How We Use Your Information

We use the information we collect for the following purposes:

(a) Service Delivery. Processing, delivering, and storing your emails; managing your domains and authentication; providing API access; maintaining your account.

(b) AI-Powered Email Security. Automatically classifying inbound email as legitimate, spam, or phishing using AI models. Detecting malware, threats, and suspicious content. These functions are essential to the Service and protect all users.

(c) AI Priority and Organization. Ranking incoming emails by importance, threading conversations, and surfacing time-sensitive messages.

(d) AI Relationship Intelligence. Building communication graphs that map your relationships, track interaction frequency, and identify important contacts. Detecting follow-up opportunities and communication patterns.

(e) AI Sentiment Analysis. Analyzing the emotional tone of emails to detect urgency, frustration, or positivity in communications.

(f) AI Writing Assistance. Learning your writing style to provide personalized draft suggestions, tone adjustments, and subject line recommendations.

(g) AI Threat Detection. Scanning URLs, attachments, and content patterns for known and emerging threats in real time.

(h) Deliverability Optimization. Managing IP reputation, processing ISP feedback loops, monitoring blocklists, optimizing send timing, and managing warm-up schedules.

(i) Analytics and Reporting. Generating delivery reports, engagement analytics, bounce breakdowns, and reputation dashboards.

(j) Platform Improvement. Analyzing aggregate, anonymized usage patterns to improve features, fix bugs, and optimize performance.

(k) Customer Support. Responding to your inquiries, diagnosing technical issues, and providing account assistance.

(l) Security and Fraud Prevention. Detecting unauthorized access, preventing abuse, enforcing our Acceptable Use Policy, and protecting platform infrastructure.

(m) Legal Compliance. Complying with applicable laws, regulations, legal processes, and governmental requests.

4. AI-Specific Processing Disclosures

How Our AI Processes Your Email

This section provides detailed disclosure about automated processing of your data by our AI systems, as required by GDPR Article 13(2)(f) and Article 22.

(a) Essential Automated Processing. Spam classification, phishing detection, malware scanning, and threat assessment are performed automatically on all email processed through the Service. These functions cannot be disabled as they are necessary to maintain platform security, protect all users, and ensure deliverability. The legal basis for this processing is our legitimate interest in maintaining a secure email platform (GDPR Article 6(1)(f)) and performance of our contract with you (GDPR Article 6(1)(b)).

(b) Optional Automated Processing. The following AI features process your email content but can be disabled in your account settings: sentiment analysis, relationship intelligence and communication graph building, writing style learning and composition assistance, and smart priority ranking. Disabling these features does not affect core email delivery functionality. The legal basis for this processing is your consent (GDPR Article 6(1)(a)), which you may withdraw at any time.

(c) AI Model Training. Anonymized, aggregated patterns derived from email processing across the platform may be used to improve the accuracy and performance of our AI models. We do NOT use individual emails as training examples. We do NOT retain raw email content for model training purposes. Individual writing style models are private to your account and are not shared with or used to train models for other users. You may opt out of contributing anonymized patterns to model improvement in your account settings (Settings > Privacy > AI Training). Opting out does not degrade service quality.

(d) AI-Derived Data. Priority scores, sentiment results, relationship graphs, and writing style models are stored as structured data separate from your raw email content. This derived data is automatically deleted within 30 days of account closure. During your subscription, you can view AI-derived insights in your dashboard but cannot export the underlying AI models, as they are generated by our proprietary systems.

(e) No Human Review. Your email content is processed exclusively by automated systems. No AlecRae employee, contractor, or agent reads your emails. The only exceptions are: (i) when you voluntarily share email content with our support team for troubleshooting, (ii) when we are compelled by valid legal process (subpoena, court order, national security letter), or (iii) when investigating confirmed abuse reports, in which case review is limited to the specific content at issue.

(f) Automated Decision-Making. Our AI systems make automated decisions that affect your experience, including: which emails appear in your inbox vs. spam folder, the priority order of your inbox, and whether outbound emails are flagged for compliance review. Under GDPR Article 22, you have the right to object to decisions based solely on automated processing that significantly affect you. To exercise this right, contact dpo@alecrae.com. We will review any contested automated decision with human oversight within 5 business days.

(g) Profiling. Our AI creates profiles of your communication patterns, relationships, and writing style. These profiles are used solely to personalize your experience within the Service. We do not use these profiles for advertising, do not share them with third parties, and do not use them for automated decision-making that produces legal effects or similarly significant effects on you.

5. How We Share Your Information

We do NOT sell your personal data. We have never sold personal data and have no plans to do so.

We share personal data only in the following circumstances:

(a) Infrastructure Providers. Amazon Web Services (US/EU) and Hetzner (Germany) provide hosting, compute, and storage infrastructure. They process data on our behalf under strict data processing agreements.

(b) AI Processing. Anthropic (US) provides AI model inference capabilities. Email content processed by Anthropic is subject to their data processing agreement, which prohibits use of our data for model training.

(c) Payment Processing. Stripe, Inc. (US) processes payments. They receive billing information necessary to process your transactions, subject to their privacy policy and PCI DSS compliance.

(d) CDN and Security. Cloudflare, Inc. (global) provides content delivery and DDoS protection. They process network request data (IP addresses, request headers) in transit.

(e) Law Enforcement. We may disclose personal data when we believe in good faith that disclosure is required by applicable law, regulation, legal process, or governmental request (including subpoenas, court orders, and national security letters). We will notify you of such requests unless prohibited by law or court order, and will challenge overbroad requests where feasible.

(f) Corporate Transactions. In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide at least 30 days' advance notice via email before any such transfer and will ensure the acquiring entity is bound by privacy protections at least as protective as this Privacy Policy.

(g) Anonymized and Aggregate Data. We may share anonymized, aggregated data that cannot reasonably be used to identify any individual with analytics partners and for industry research. This data includes aggregate sending volumes, platform-wide spam rates, and anonymized threat intelligence.

6. Data Retention

We retain your data for the following periods:

Data Type

Retention Period

Email Content

User-configurable (default 7 years, minimum 30 days)

Account Data

Duration of account + 90 days

AI-Derived Insights

Deleted within 30 days of account closure

Server and Access Logs

90 days

Backups

30 days (rolling)

Payment Records

7 years (legal/tax requirement)

Abuse/Compliance Records

3 years

Upon account deletion, we initiate automated deletion of your data according to the schedule above. Some data may persist in encrypted backups for up to 30 days after deletion from live systems.

7. Your Rights Under GDPR (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:

(a) Right of Access (Article 15). You may request a copy of the personal data we hold about you, including information about how it is processed and who it is shared with.

(b) Right to Rectification (Article 16). You may request correction of inaccurate personal data or completion of incomplete data.

(c) Right to Erasure (Article 17). You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data was unlawfully processed.

(d) Right to Restriction (Article 18). You may request that we restrict processing of your personal data while we verify its accuracy, while you contest our legitimate interests, or while we assess an erasure request.

(e) Right to Data Portability (Article 20). You may request your personal data in a structured, commonly used, machine-readable format (MBOX, EML, JSON) and transmit it to another controller.

(f) Right to Object (Article 21). You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

(g) Rights Related to Automated Decision-Making (Article 22). You have the right not to be subject to decisions based solely on automated processing that significantly affect you, and to obtain human intervention, express your point of view, and contest the decision.

(h) Right to Withdraw Consent. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

(i) Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact our Data Protection Officer at dpo@alecrae.com. We will respond within 30 days. We may require identity verification before processing your request. Requests are fulfilled free of charge unless they are manifestly unfounded or excessive.

8. Your Rights Under CCPA (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

(a) Right to Know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share it.

(b) Right to Delete. You may request deletion of your personal information, subject to certain exceptions (legal obligations, security, completing transactions).

(c) Right to Opt-Out of Sale. We do not sell personal information. We have not sold personal information in the preceding 12 months.

(d) Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or service levels.

(e) Authorized Agents. You may designate an authorized agent to submit requests on your behalf with proper written authorization.

To exercise your CCPA rights, email privacy@alecrae.com or use the privacy controls in your account settings. We will respond within 45 days.

9. International Data Transfers

Your personal data may be processed in the United States and the European Union. For transfers of personal data from the EEA/UK to countries without an adequacy decision (including the United States), we rely on:

(a) Standard Contractual Clauses (SCCs). EU Commission-approved Standard Contractual Clauses (Decision 2021/914) are incorporated into our data processing agreements with all sub-processors located outside the EEA.

(b) Supplementary Measures. In addition to SCCs, we implement supplementary technical measures including end-to-end encryption, pseudonymization, and access controls that prevent unauthorized access to personal data.

(c) Transfer Impact Assessments. We conduct annual transfer impact assessments for all international data transfers, evaluating the legal framework of the recipient country and the effectiveness of our supplementary measures.

10. Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data:

(a) Encryption at Rest. All data is encrypted at rest using AES-256-GCM. Database fields containing sensitive data use additional application-level encryption.

(b) Encryption in Transit. All connections use TLS 1.3 minimum. Inter-service communication uses mutual TLS (mTLS) with certificate-based authentication.

(c) Access Controls. Principle of least privilege, role-based access control, multi-factor authentication for all employee access, and hardware security keys for infrastructure access.

(d) Network Security. Network segmentation, web application firewall, DDoS mitigation, intrusion detection and prevention systems.

(e) Monitoring. 24/7 security monitoring, automated anomaly detection, comprehensive audit logging of all data access.

(f) Testing. Regular penetration testing by independent third parties, continuous vulnerability scanning, bug bounty program.

(g) Incident Response. Documented incident response procedures with defined roles, communication plans, and post-incident review processes.

(h) Compliance. SOC 2 Type II certification (planned), annual security audits, regular employee security awareness training.

11. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we discover that we have inadvertently collected personal information from a child under the applicable age, we will promptly delete it.

If you believe a child under the applicable age has provided personal information to us, please contact us immediately at privacy@alecrae.com.

12. Cookies and Tracking

We use cookies and similar technologies for essential functions (authentication, session management, CSRF protection), functional preferences (theme, language), and anonymized analytics. We do not use third-party advertising cookies or tracking pixels.

For detailed information about the cookies we use, their purposes, and how to control them, please see our Cookie Policy at /legal/cookies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account and through a prominent notice on the Service.

Material changes include: new categories of personal data collected, new purposes for processing, new third-party data sharing, changes to your rights, and changes to our AI processing practices. Your continued use of the Service after the notice period constitutes acceptance of the updated policy.

14. Contact Information

For privacy-related inquiries:

Data Protection Officer

Email: dpo@alecrae.com

Privacy Team

Email: privacy@alecrae.com

Mailing Address

AlecRae, Inc.

Attn: Privacy / Data Protection Officer

548 Market Street, Suite 45000

San Francisco, CA 94104

United States

EU Representative (GDPR Article 27)

For data subjects located in the European Economic Area, our Article 27 representative is in the process of being appointed with a qualified pan-EU representation service. The representative's name, address and contact details will be published in this Privacy Policy and in our Impressum as soon as the appointment is finalised. In the interim, data subjects may exercise their rights by contacting dpo@alecrae.com, and we will treat that contact as constructive notice to the representative for the purposes of Article 27(4) GDPR.

UK Representative (UK GDPR Article 27)

For data subjects located in the United Kingdom, our Article 27 UK GDPR representative is in the process of being appointed. The representative's name, address and contact details will be published in this Privacy Policy and in our Impressum as soon as the appointment is finalised. In the interim, UK data subjects may exercise their rights by contacting dpo@alecrae.com, which will be treated as constructive notice to the representative.

Right to lodge a complaint

You always have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement:

• EU: see the list of national Data Protection Authorities at edpb.europa.eu.

• UK: Information Commissioner's Office (ICO) at ico.org.uk, helpline 0303 123 1113.

• California: California Privacy Protection Agency (CPPA) at cppa.ca.gov or the Office of the Attorney General at oag.ca.gov/privacy.

• Canada: Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

• Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

• Brazil: Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.