Privacy Policy

Last updated: April 12, 2026

1. Introduction

This Privacy Policy explains how TweakMail ApS ("we", "us", "our"), registered in Copenhagen, Denmark, collects, uses, stores, and protects your personal data when you use our services at launch.email, tweak.email, and tweakmail.com (collectively, the "Service").

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679, the Danish Data Protection Act (Databeskyttelsesloven), and other applicable EU and Danish data protection legislation.

2. Data Controller

The data controller for the personal data we collect about you as a user of our Service is:

TweakMail ApS
Copenhagen, Denmark
CVR: [pending registration]
Email: privacy@tweakmail.com

When you use the Service to send emails to your own contacts, you are the data controller for your contacts' personal data, and we act as a data processor on your behalf under Article 28 of the GDPR.

3. What Data We Collect

3.1 Account Data

When you register, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash — we never store plaintext passwords)
  • Timezone and preferences

3.2 Billing Data

Payment information is collected and processed by our payment processor, Stripe, Inc. We do not store your full credit card number. We receive from Stripe only the last four digits, card brand, and billing address for invoice purposes.

3.3 Contact Data (Your Recipients)

When you upload contacts or collect them through waitlists, we store their email addresses and any additional fields you provide (name, tags, etc.) on your behalf as a data processor.

3.4 Content Data

Email templates, campaign content, AI-polished text, subject line tests, and deliverability check results you create within the Service.

3.5 Usage & Technical Data

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Referring URL

We collect this data through server logs and, where you have consented, through cookies (see Section 9).

4. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data based on the following legal grounds:

Purpose | Legal Basis
Providing the Service | Contract performance (Art. 6(1)(b))
Processing payments | Contract performance (Art. 6(1)(b))
Sending transactional emails | Contract performance (Art. 6(1)(b))
Analytics & service improvement | Legitimate interest (Art. 6(1)(f))
Marketing communications | Consent (Art. 6(1)(a))
Legal compliance & fraud prevention | Legal obligation (Art. 6(1)(c))

5. How We Use Your Data

  • To create and manage your account
  • To process subscriptions and payments via Stripe
  • To send email campaigns and sequences on your behalf
  • To provide AI-powered email analysis and polishing features
  • To send you transactional emails (account verification, password reset, billing receipts)
  • To monitor and improve the Service's performance and security
  • To comply with legal obligations under EU and Danish law

6. AI Data Processing

Our Tweak mode features use AI language models (via the Laravel AI SDK) to analyse and improve your email content. When you use these features:

  • The email content you submit is sent to our AI provider for processing.
  • We do not send any personal data of your contacts to the AI provider — only the email text you choose to analyse.
  • Our AI provider processes data under their data processing agreement with us and does not use your inputs to train their models.
  • AI-generated results are stored in your account for your reference.

6a. Data Warehouse Connections (BigQuery)

If you connect a Google BigQuery data warehouse, the following applies:

  • We store an encrypted OAuth refresh token (AES-256) to maintain your connection. No BigQuery credentials or passwords are stored in plaintext.
  • We request only the bigquery.readonly scope — we cannot modify, delete, or write to your warehouse.
  • Data from your warehouse is queried live at send time and is never persisted, cached, or copied by the Service. Query results exist only in memory for the duration of the email send.
  • You choose which datasets, tables, and columns are accessible. Only the columns you explicitly map to placeholders are queried.
  • Google acts as a sub-processor for BigQuery connections. Google's data processing terms apply to the data stored in your warehouse.
  • You may disconnect BigQuery at any time from Settings, which immediately deletes the stored refresh token and all placeholder mappings.

6b. Delivery Events & API Data

The Service collects and stores delivery event data (delivered, bounced, opened, clicked, spam reports, unsubscribes) from email sends and via the REST API. This data includes:

  • Recipient email addresses associated with events
  • Event type, timestamp, provider, and source
  • Technical metadata (e.g. bounce reason, SMTP response codes)

Event data is used to update campaign analytics, maintain suppression lists, and sync contact statuses. It is retained for the duration of your account. API keys are generated per team and can be revoked at any time from Settings.

7. Data Sharing & Third Parties

We share personal data only with the following categories of recipients, all bound by appropriate data processing agreements:

Provider | Purpose | Location
Stripe, Inc. | Payment processing | USA (EU SCCs)
Resend / Email provider | Email delivery | USA (EU SCCs)
AI provider | AI email analysis | USA (EU SCCs)
Google Cloud (BigQuery) | Data warehouse queries (if connected by customer) | Customer-selected region
Hosting provider | Infrastructure | EU

For transfers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) as approved by the European Commission, or other valid transfer mechanisms under Chapter V of the GDPR.

We do not sell, rent, or trade your personal data to any third party.

8. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Contact data: Retained for the duration of your account. Deleted within 30 days of account deletion or when you manually remove contacts.
  • Campaign & content data: Retained for the duration of your account.
  • Billing records: Retained for 5 years after the last transaction as required by Danish bookkeeping law (Bogføringsloven).
  • Server logs: Automatically deleted after 90 days.

9. Cookies

We use cookies in accordance with the EU ePrivacy Directive and Denmark's Cookie Order (Cookiebekendtgørelsen). The cookies we use are:

Cookie | Type | Purpose
Session cookie | Strictly necessary | Authentication & CSRF protection
lt-color-mode | Functional | Remembers your dark/light mode preference (localStorage)

Strictly necessary cookies do not require consent. We will obtain your consent before placing any non-essential cookies, in compliance with the ePrivacy Directive.

10. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact us at privacy@tweakmail.com. We will respond within 30 days.

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18) — Request that we limit the processing of your data.
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7) — Withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint — You may file a complaint with the Danish Data Protection Agency (Datatilsynet) at www.datatilsynet.dk, or with the supervisory authority in your EU/EEA member state.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Hashed password storage (bcrypt)
  • Access controls and role-based permissions
  • Regular security reviews

12. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Service at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

For privacy-related questions or to exercise your data subject rights, contact us at:

TweakMail ApS
Copenhagen, Denmark
Email: privacy@tweakmail.com

You may also lodge a complaint with the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk