Privacy policy

last updated: July 4, 2026 · plain-English summaries are part of the policy, not decoration

1 · What we collect

tl;dr — your account email, your billing info (via Stripe), and the test email you point at us

Account data: the email address you sign up with, your workspace name, and authentication metadata (GitHub OAuth ID if you use it). Billing data: handled by Stripe; we store your Stripe customer ID and the last four digits of your card. Message content: the emails your systems send to your MailFixture inboxes, including headers, bodies, attachments, and the values we extract from them. Usage data: API request logs (endpoint, timestamp, key prefix, status) retained 30 days for debugging and abuse prevention.

2 · What we don't do with it

tl;dr — no selling, no ads, no training models on your email. ever.

We do not sell or rent any of your data. We do not use message content for advertising, profiling, or training machine-learning models — extraction runs deterministic parsers, not your data as fuel. We read message content only when you open a support ticket that requires it, and we tell you when we did.

3 · Retention and deletion

tl;dr — messages age out per your plan (24h–90d), then they're gone. actually gone.

Messages are hard-deleted when your plan's retention window ends (Free 24 hours, Solo 7 days, Team 30 days, Scale 90 days), when their inbox is deleted, or when you delete them — whichever comes first. Deletion removes rows and stored blobs, including backups within 30 days. Closing your account deletes all message content within 72 hours; billing records are kept as long as tax law makes us.

4 · Subprocessors

tl;dr — three, and we'll email you 30 days before adding a fourth

PROVIDER | PURPOSE | LOCATION
AWS | Hosting, storage, mail ingestion | US / EU
Stripe | Payments, invoicing | US
Plausible | Cookieless website analytics (marketing site only) | EU

5 · GDPR & your rights

tl;dr — we're the processor for message content; DPA on every paid plan; export or erase on request

For message content, you are the controller and we are the processor — a signed DPA with SCCs is available on all paid plans, self-serve. For your account data, we are the controller. You can access, export, correct, or erase your data by emailing privacy@mailfixture.com; we respond within 30 days, usually much faster. EU data residency (message storage in eu-central) is available on Team and above.

6 · Cookies

tl;dr — one session cookie in the app. no banner because there's nothing to consent to.

The dashboard sets a single first-party session cookie to keep you signed in. The marketing site sets none — analytics are cookieless. There are no third-party trackers anywhere on either.

7 · Changes & contact

Material changes get 30 days' email notice and a diff — this policy lives in a public repo, so you can hold us to it. Questions: privacy@mailfixture.com · MailFixture, Inc., 2261 Market St #4820, San Francisco, CA 94114.