Privacy Policy
Effective and last updated: July 17, 2026
This Policy explains how terrible llc processes information when you use terriblemail. For privacy questions or requests, email help@terrible.llc.
1. Information we collect
Account information
We collect your email address, password hash, email-verification status, plan, account preferences, session and API-key records, and support communications. Passwords are stored as one-way hashes. API-key secrets are shown once and stored as hashes.
Message information
To provide email service, we process sender and recipient addresses, subject lines, text and HTML bodies, headers, attachment metadata, raw inbound MIME, delivery status, spam and virus verdicts, message size, and timestamps. Outbound attachment content is processed to send the requested message. Inbound raw messages and attachments are stored in private object storage during their retention period.
Usage and technical information
We process quota usage, request method and path, response status, timing, request identifiers, IP addresses used for security and rate limiting, browser or client information available in infrastructure logs, webhook delivery information, and diagnostic events. We do not intentionally place message subjects or bodies in application logs.
Billing information
Stripe processes payment card and bank information. terriblemail receives customer and subscription identifiers, plan, subscription status, billing periods, and limited transaction metadata. We do not receive or store complete payment-card numbers.
2. Why we process information
- Provide, route, store, secure, and troubleshoot email and account services.
- Authenticate users, enforce quotas, prevent abuse, and protect sender reputation.
- Process subscriptions and maintain billing entitlements.
- Respond to support, legal, security, and abuse requests.
- Measure reliability and improve the service.
- Comply with law and enforce our agreements.
Depending on applicable law, our legal bases may include performing a contract, legitimate interests in operating and securing the service, consent, and compliance with legal obligations.
3. Retention
By default, full message content and raw-recovery pointers are retained for 30 days, and remaining message metadata is retained for 90 days. Raw inbound objects expire after 30 days. Operational logs are generally retained for no longer than 30 days. Configuration may use shorter or longer periods when disclosed or reasonably required for security, fraud prevention, dispute handling, legal compliance, or backup integrity.
Account and billing records are retained while the account is active and afterward as reasonably necessary for legal, tax, accounting, security, and dispute obligations. Backups may persist for a limited period before rotation.
4. How we share information
We share information only as needed with infrastructure and service providers, including:
- Amazon Web Services for SES email transport and private inbound object and event processing.
- Stripe for subscriptions, Checkout, invoicing, fraud controls, and the customer billing portal.
- Bunny for authoritative DNS.
- Our hosting, backup, security, and operational vendors.
We may also disclose information when required by law; to protect recipients, users, terrible llc, or the public; during a merger, financing, acquisition, or sale; or with your direction or consent. We do not sell personal information or message content.
5. International processing
terriblemail and its providers may process information in the United States and other countries. Where required, we rely on appropriate contractual or legal transfer mechanisms.
6. Security
We use measures designed to protect information, including encryption in transit, private object storage, access controls, credential hashing, bounded message processing, signed webhooks, and restricted runtime permissions. No system is perfectly secure, and we cannot guarantee absolute security.
7. Your choices and rights
You can update billing details through Stripe’s customer portal and revoke API keys in your dashboard. You may request access, correction, deletion, restriction, portability, or objection where applicable by emailing help@terrible.llc. We may need to verify your identity and may retain information where law or legitimate security and accounting needs require it.
8. Children
The service is not directed to children under 18, and we do not knowingly collect their personal information.
9. Changes
We may update this Policy as the service or law changes. We will post the revised date and provide reasonable notice of material changes.
10. Contact
Privacy questions and requests: help@terrible.llc.