MailWell

Privacy Policy

Effective Date: September 7, 2025

At MailWell, we believe journaling should feel safe, private, and personal. This Privacy Policy explains what information we collect, how we use and protect it, and the rights you have regarding your data.

For users in the European Union (EU)/United Kingdom (UK), MailWell is the data controller of your personal information. For users in California (CCPA) and India (DPDP Act, 2023), this policy ensures compliance with your respective data privacy rights. By using MailWell, you agree to the practices described here.

1. Information We Collect

We collect only what’s necessary to provide and improve our service.

Information You Provide Directly

  • Name & Email Address: To create your account, communicate with you, and send journaling prompts.
  • Timezone: To ensure your prompts arrive at the correct local time.
  • Journal Entries: Your reflections, securely stored.

Information from Third Parties

  • Authentication Details: Handled securely by Clerk; we do not see or store your passwords.
  • Payment Information: Processed by Paddle. We never store full card details.

Information Collected Automatically

  • Usage & Device Data: IP address, browser type, device info, and general usage patterns.
  • Cookies & Similar Technologies: Used for secure login sessions, fraud prevention, and service improvements. (See Section 12).

2. How We Use Your Data

We use your personal data only for the following purposes:

  • To provide the service: Sending prompts, storing entries, and letting you review them.
  • To manage your account: Authentication (Clerk) and payments (Paddle).
  • To offer enhanced features (with consent): AI analysis of entries (via OpenAI) for insights.
  • To improve service: Aggregated/anonymous usage analytics.
  • To communicate: Service announcements, responses to support requests.
We do not sell, trade, or share your information for advertising purposes.

3. Legal Basis for Processing (GDPR)

  • Performance of a Contract: Processing your name, email, timezone, and entries to deliver the service.
  • Consent: For non-essential features like AI analysis and marketing. You can withdraw consent at any time.
  • Legitimate Interests: Processing device and usage data to ensure security, fraud prevention, and product improvements.

4. Third-Party Services (Sub-processors)

We work with trusted partners under strict data protection agreements:

  • Clerk – Authentication & user profiles
  • Convex – Database & secure storage
  • SendGrid / Mailgun / Resend – Journaling emails
  • Paddle – Payment processing
  • OpenAI – AI-powered text analysis

AI clarification: Journal entries are sent to OpenAI for temporary processing. They are not used to train OpenAI’s models and are not stored beyond the processing session.

5. Your Data Rights

You may exercise these rights anytime by contacting us at privacy@mailwell.me.

General Rights (All Users)

  • Access your data
  • Request correction of inaccuracies
  • Request deletion of your account

EU/UK Residents (GDPR)

  • Right to restrict processing
  • Right to object to processing
  • Right to lodge a complaint

California Residents (CCPA)

  • Right to know, delete, and opt-out
  • Right to limit use of sensitive data
  • Right of no retaliation

India (DPDP Act, 2023)

  • Right to access, correct, and delete
  • Right to withdraw consent
  • Right to nominate another individual

6. Data Retention

  • Account data and journal entries: Deleted within 30 days of account closure.
  • Payment records: Retained for up to 7 years if legally required (e.g., tax compliance).
  • Security & abuse logs: Retained no longer than 90 days.

7. Security

We safeguard your data with industry-standard practices:

  • Encryption: TLS in transit, AES-256 at rest.
  • Access controls: Limited to minimum staff roles required.
  • Monitoring & audits: Regular checks of systems and subprocessors.

No system is 100% secure, but we are committed to continuous improvements.

8. International Data Transfers

Your data may be processed outside your home country (e.g., in the US). For EU/UK transfers, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Children’s Privacy

MailWell is not for children under 13 (or the higher minimum in your jurisdiction, e.g., 16 in the EU). We do not knowingly collect data from minors. If discovered, we delete it promptly.

10. Changes to This Policy

If we make significant updates, you will be notified by email or in-app at least 30 days prior to the effective date.

11. Contact Us

MailWell
Email: privacy@mailwell.me

12. Cookies & Tracking

MailWell uses minimal cookies required for functionality and security:

  • Essential cookies: Keep you logged in securely.
  • Functional cookies: For timezone and preferences.
  • Security cookies: Detect fraud and prevent abuse.
We do not use tracking or advertising cookies.