EmailsVia

Privacy Policy

Last updated: 2026-05-04

What this policy covers

EmailsVia (“we”) is a self-serve mail-merge product operated by the author of emailsvia.com. This policy explains what data we collect when you use the service, how we use it, and how to remove it.

Data we collect

  • Account data: email, password hash (or Google OAuth identity), the subscriptions / billing rows tied to your account.
  • Sender authorization: when you connect a Gmail address, we store a long-lived OAuth refresh token (encrypted with AES-GCM) plus a short-lived access token. We never see or store your Google password.
  • Campaign content: the recipient lists (CSVs / Sheets you upload), email templates, attachments, and per-recipient send/open/click/reply history you create inside the product.
  • Usage data: send counts per day, error logs, basic request metadata (IP, user-agent) for security and abuse-detection purposes.
  • Payment data: handled entirely by Stripe. We store a customer id and the plan you’re on. We never see your card number.

Use of Google APIs (Gmail send + read)

EmailsVia’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • We request the gmail.send scope to send your campaigns from your own Gmail address (the “via” in EmailsVia: messages route through your outbox, not ours).
  • We request the gmail.readonly scope to detect inbound replies to campaigns you sent and surface them in the Replies inbox. We only read messages dated after a reply-detection window (currently 7 days).
  • We do not use Gmail data to train models, do not sell or share it with advertisers, and do not allow humans to read it except (a) with your explicit permission for support, (b) for security investigations, or (c) to comply with applicable law.
  • You can revoke access at any time at myaccount.google.com/permissions or by deleting the sender from your EmailsVia dashboard.

How we use the data

  • To deliver the product features you signed up for.
  • To bill you (via Stripe) for paid plans.
  • To detect and stop abuse (e.g. spam, sudden bounce-rate spikes).
  • To send transactional email (receipts, security alerts, password resets).

We do not sell your data, and we do not use it for advertising.

Sub-processors

We rely on a small set of vendors to operate the service:

  • Supabase — Postgres database, file storage, auth provider.
  • Vercel — hosting and edge runtime.
  • Stripe — payment processing and tax calculation.
  • Google — for the Gmail API integration you authorize per sender.

Retention and deletion

You can delete any piece of campaign data from inside the app at any time. Deleting your account removes all associated rows (campaigns, recipients, tracking events, replies, senders, subscriptions) and revokes Gmail access. Backups are retained for at most 30 days. To delete an account email hello@emailsvia.com from the address attached to the account.

Security

  • All traffic is HTTPS only.
  • Sender Gmail credentials are encrypted at rest with AES-256-GCM.
  • Tracking and unsubscribe URLs are HMAC-signed; tampering invalidates them.
  • Database access is scoped per-tenant via Postgres RLS policies; one user cannot read another user’s rows.

Contact

Questions or data-deletion requests: hello@emailsvia.com.