Mailday Privacy Policy

Last updated: 2026-05-13 · Effective date: 2026-05-13

CreatorGeek, Inc., doing business as Mailday ("Mailday," "we," "us," or "our"), respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our website at www.mailday.ai, our application, our APIs, and related services (collectively, the "Service").

This Policy applies to: members, workspace admins, workspace managers, and workspace-managed members who hold a Mailday account; viewers who access shared reports; website visitors; and people who contact us.

If you are a workspace-managed member or accessing a shared report, the workspace or member who shared access with you may have additional terms or notices that apply.

1. Information We Collect

1.1 Information you give us

  • Account information: name, email, password (hashed), profile photo, role, business name, billing details
  • Company contact information you save in your workspace: company name, contact name, role, email, phone number, and notes
  • Payment information: handled by Stripe; we receive limited tokens and metadata, not your full payment card number
  • Customer content: emails sent and received through assigned inboxes, attachments, uploaded media, workflow data, invoices, notes, and any data you input
  • Communications with us: support tickets, feedback, and survey responses
  • AI prompts and inputs: text and content you provide to AI Features
  • Consent records: timestamp, policy version, and the IP address + user-agent string captured at the moment you accept the Terms

1.2 Information from connected platforms

When you connect Instagram, Facebook, Threads, TikTok, YouTube, X (Twitter), Pinterest, or other platforms, we receive data permitted by your OAuth authorization, which may include:

  • Platform account ID, username, and profile information
  • Posts, reels, stories, videos, pins, tweets, and associated metadata
  • Comments and direct messages (where applicable to the feature)
  • Analytics and insights
  • For YouTube specifically: channel data, video metadata, comments, and analytics provided by the YouTube API Services

1.3 Information collected automatically

  • Device and log data: IP address, browser type, operating system, device identifiers, referring URLs
  • Usage data: pages viewed, features used, timestamps, click activity
  • Email engagement data: open and click events captured via small, opt-out-able tracking pixels embedded in outbound mail you send through your assigned inbox
  • AI tool-call audit metadata: per AI call we log the user ID, role, scope, status code, error code (if any), and duration — not the prompt or response content
  • System error logs: when an error fires in the application, we capture a sanitized stack trace, the route that failed, a request identifier, and minimal metadata for debugging; credentials, cookies, and other obvious secrets are scrubbed before storage
  • Email raw MIME headers: stored on inbound messages for deliverability diagnostics and abuse investigation
  • Cookies and similar technologies: see our Cookie Policy

1.4 Information from third parties

  • Payment processors (Stripe): payout status, KYC outcome, dispute information
  • Email infrastructure (AWS SES, with fallback delivery via Cloudflare Email Worker and SendGrid): delivery and bounce data
  • Identity providers: information from SSO providers when you sign in via SSO

We do not purchase personal information from data brokers for marketing.

1.5 Abandoned-signup recovery

If you start a signup but do not complete it, we may send up to a small number of automated follow-up emails to the address you entered, reminding you to finish setting up your workspace. You can opt out at any time by clicking the unsubscribe link in the email or by emailing privacy@mailday.ai.

2. How We Use Information

We use information to:

  1. Provide, operate, and maintain the Service
  2. Authenticate users and secure accounts
  3. Process payments and payouts
  4. Send and receive email through assigned inboxes
  5. Publish, schedule, and analyze content on connected platforms at your direction
  6. Provide AI Features (drafting, scheduling, analytics, replies, etc.)
  7. Generate analytics and shared reports
  8. Communicate with you about the Service (transactional messages, security alerts, abandoned-signup follow-ups)
  9. Provide customer support
  10. Detect, investigate, and prevent fraud, abuse, and security incidents (including rate-limiting and error monitoring)
  11. Comply with legal obligations and respond to lawful requests
  12. Improve and develop the Service (using aggregated or de-identified data)

We do not use your personal information for targeted advertising, and we do not "sell" personal information as that term is defined under U.S. state privacy laws.

3. Legal Bases (EU/UK Users)

Where the GDPR or UK GDPR applies, we process personal information on the following bases: Contract (to provide the Service you signed up for), Legitimate interests (security, fraud prevention, feature improvement), Consent (where required, e.g. certain cookies — withdrawable at any time), and Legal obligation (to comply with applicable law).

4. AI Processing

Mailday uses AI models, including those provided by Anthropic, PBC, to deliver AI Features.

  • What is processed: prompts, content you submit to AI Features, and context drawn from your workspace data to perform the requested task
  • Where: through Anthropic's API (United States) and within our cloud infrastructure
  • Training: Your customer data is not used to train AI models by us or, per our contractual arrangement, by Anthropic
  • Retention of AI inputs/outputs: AI prompts, outputs, and action logs are retained according to the schedule in Section 9
  • Sensitive actions: AI actions with material impact (large payouts, mass-deletions, invoice issuance above a configured threshold) require admin approval
  • Disabling AI: you can disable AI Features at the workspace level, or pause AI temporarily, from settings

For more, see our AI Use Policy.

5. Third-Party Platforms

5.1 Connected social platforms

Data from Instagram, Facebook, Threads, TikTok, YouTube, X (Twitter), and Pinterest is processed only to provide features you have authorized (publishing, analytics, comment management, etc.).

5.2 YouTube API Services disclosure

Where you use YouTube features, the Service uses YouTube API Services. By using these features, you also agree to be bound by the YouTube Terms of Service and acknowledge Google's privacy practices described in the Google Privacy Policy. You may revoke our access to your Google account at any time via security.google.com/settings/security/permissions.

We refresh data fetched from the YouTube API Services in line with YouTube's developer requirements and delete stored YouTube data when you disconnect the integration, except where retention is required for security or legal reasons.

5.3 Meta, TikTok, X, Pinterest

Use of Instagram, Facebook, and Threads integrations is also governed by Meta's Platform Terms. Use of TikTok integrations is also governed by the TikTok Developers Terms. Use of X integrations is governed by the X Developer Agreement and Policy. Use of Pinterest integrations is governed by the Pinterest Developer Guidelines. We comply with each platform's data use, deletion, and security requirements.

5.4 Disconnection and deletion

When you disconnect a platform, we delete platform-derived personal information from the Service within 30 days, subject to limited retention for security logs and legal/tax records. See our Data Deletion page for the specific steps for each platform.

6. How We Share Information

We share personal information only as described below.

6.1 With subprocessors and service providers

We use third parties to host data, process payments, deliver emails, run AI, store files, run feature flags, and operate the Service. They process data on our behalf under written contracts. See our Subprocessor List.

6.2 With workspaces and authorized users

If you are a Workspace-Managed Member, your Workspace Admin and assigned Workspace Manager have access to your workspace data. If you are a Workspace Admin or Manager, you have access to managed members' workspace data.

6.3 With companies you choose

When you share a report or workflow with a company, the viewer accesses the content you shared. Where you enable Viewer AI chat, you may also review what the Viewer asked from your report's viewer view.

6.4 With connected platforms at your direction

When you publish a post, reply to a comment, or upload a video, that content is sent to the relevant platform.

6.5 For legal reasons

We may disclose information when we believe in good faith it is required to comply with law, valid legal process, or government request, or to protect rights, safety, or property.

6.6 In a business transaction

If we are involved in a merger, acquisition, financing, or asset sale, personal information may be transferred. We will provide notice before personal information becomes subject to a different privacy policy.

6.7 With consent

With your consent or at your direction.

We do not sell personal information.

7. International Transfers

We are based in the United States and our infrastructure is located in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. For transfers from the EU/UK/Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. A copy of the relevant SCCs is available on request from privacy@mailday.ai.

8. Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy.

  • We display a cookie banner to EU/UK, California, and other applicable visitors at first visit.
  • We honor the Global Privacy Control (GPC) signal as an opt-out of sale/share where applicable under U.S. state law.
  • We do not use targeted advertising cookies or third-party advertising pixels (no Meta Pixel, no TikTok Pixel, no LinkedIn Insight Tag) at launch.
  • We use LaunchDarkly for feature flags, application observability (errors + performance), and an opt-in session replay to diagnose bugs. Session replay can be disabled via the cookie preferences control. See the Cookie Policy for the named cookies and storage keys involved.

9. Data Retention

We retain personal information only as long as needed to provide the Service and to meet legal obligations. Specific retention periods:

Data category: Retention

  • Active account data: Life of the account
  • Assigned inbox emails (active): Life of the account
  • Emails in trash: 30 days
  • Email attachments: Same as the message
  • Email backups: 90 days
  • Email metadata logs (incl. raw MIME headers): 24 months
  • Payment- and legal-related email records: 7 years
  • Uploaded files and media: Life of the account; 30 days after deletion
  • Social platform data (posts, comments, analytics cache): As long as you remain connected; deleted within 30 days after disconnect
  • Workflow reports: Life of the account
  • Public/shared report links: Until you revoke, expire, or delete the link
  • AI prompts and outputs: 30 days (longer for audit log entries)
  • AI action logs: 24 months
  • Audit logs: 24 months
  • Invoices and payment records: 7 years (tax/legal)
  • Payout records: 7 years (tax/legal)
  • Tax records: 7 years
  • Deleted account backups: 90 days
  • Security logs: 12 months

Some data may be retained beyond these periods where required by law, to enforce our agreements, to defend or pursue legal claims, or in anonymized or aggregated form.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information. These include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls; access to admin/internal tools restricted to authorized personnel on a need-to-know basis
  • Size limits and source checks on inbound and outbound messages and attachments; deeper malware scanning is on our roadmap
  • Audit logging of administrative actions
  • Backups with 90-day retention
  • Vendor risk reviews
  • A formal incident response process

We are planning SOC 2 Type II certification. Updates will be posted at mailday.ai/security.

No method of transmission or storage is 100% secure. Report suspected security issues to security@mailday.ai.

11. Your Privacy Rights

11.1 Rights under U.S. state privacy laws (California, Colorado, Connecticut, Virginia, Utah, Oregon, Texas, and others)

Depending on your state, you may have the right to know, access and obtain a copy of, correct, delete, opt out of sale/share, limit the use of sensitive personal information, appeal a denial, and be free from discrimination for exercising your rights.

We do not sell or share personal information for cross-context behavioral advertising. We honor the Global Privacy Control signal.

11.2 Rights under GDPR / UK GDPR

You may have the right to access, rectify, or erase your personal information; restrict or object to processing; data portability; withdraw consent; and lodge a complaint with your local supervisory authority.

11.3 Rights for Canadian, Australian, and other international users

You may have rights under PIPEDA (Canada), the Privacy Act 1988 (Australia), and other applicable laws. We honor verifiable requests under these laws.

11.4 How to exercise your rights

Submit requests by email to privacy@mailday.ai or via our online request form at mailday.ai/privacy-request. We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity.

12. Data Processing Addendum

Workspaces and enterprise customers may execute a Data Processing Addendum that incorporates the EU Standard Contractual Clauses and the UK Addendum.

13. Children's Privacy

The Service is not intended for children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children.

14. Do Not Track

There is no industry standard for responding to DNT. We honor Global Privacy Control (GPC) as an opt-out signal under applicable U.S. state laws.

15. Public Profiles and Testimonials

No public member profiles. Mailday does not offer public member profiles or public-by-default profile pages. Your account information, workspace content, and assigned inbox are visible only to you, the users you authorize within your Workspace, and (where you choose to share) Viewers via Shared Reports.

Testimonials and case studies. If we wish to publish a testimonial or case study that identifies you or your business, we will obtain your prior written consent describing how your name, image, logo, or quotes will be used. You may revoke that consent at any time for future use.

16. Changes to This Policy

We may update this Policy. If changes are material, we will notify you (e.g., by email or in-product banner) before they take effect. The "Last updated" date at the top reflects the latest revision.

17. Contact

  • Privacy: privacy@mailday.ai
  • Legal: legal@mailday.ai
  • Security / Incident response: security@mailday.ai
  • Mail: CreatorGeek, Inc., 465 California St, San Francisco, CA 94101

EU representative (GDPR Article 27)

Mailday has appointed Prighter EU Rep GmbH as its representative in the European Union for matters concerning the processing of personal information of individuals located in the European Economic Area:

Prighter EU Rep GmbH · Schellinggasse 3/10, 1010 Vienna, Austria · Company registration: FN 639035h · Online contact form: [TBD — pending Prighter Letter of Appointment] · Email: [TBD — pending Prighter Letter of Appointment]

UK representative (UK GDPR Article 27)

Mailday has appointed Prighter Ltd as its representative in the United Kingdom for matters concerning the processing of personal information of individuals located in the UK:

Prighter Ltd · 20 Mortlake High Street, London, SW14 8JN, United Kingdom · Company registration: 12854033 · Online contact form: [TBD — pending Prighter Letter of Appointment] · Email: [TBD — pending Prighter Letter of Appointment]

Right to lodge a complaint

EU residents may also lodge a complaint with their local supervisory authority. UK residents may lodge a complaint with the Information Commissioner's Office (ICO).
