Privacy Policy

Sakura Mail is designed to process mailing data for customers without turning that data into a separate product.

1. Who we are

Sakura Mail is a service in the Sakura Software Solutions family. Contact: alexdevriesxing@gmail.com. The final operating entity, postal address and jurisdiction must be inserted before production launch.

2. Roles

For account, billing and service-operation data, Sakura Mail acts as a data controller. For recipient lists and campaign content uploaded by a customer, the customer is generally the controller and Sakura Mail acts as a processor or service provider, processing data on documented instructions to provide the service.

3. Data we process

Account email, authentication and session records; workspace and sender settings; payment order identifiers and amounts; encrypted recipient addresses, names, consent records and optional metadata; campaign content, attachments and schedules; delivery, suppression, security and audit events; and limited technical data such as IP-derived security hashes and user-agent strings.

4. Why we process it

To create and secure accounts, store and send campaigns, maintain suppression lists, process payments, prevent abuse, troubleshoot delivery, comply with law, and protect users and the service. We do not sell or rent personal data, use recipient lists for independent marketing, or build advertising profiles from campaign data.

5. Security and access

Recipient addresses are encrypted at rest using AES-256-GCM. The application scopes data operations to the authenticated workspace. Platform-admin analytics are designed not to expose recipient addresses or campaign bodies. Scheduled sending is not zero-knowledge: authorized Worker code must decrypt an address immediately before sending. Personnel or contractors may access data only when strictly necessary for support, security, incident response or legal obligations, under access controls and logging.

6. Service providers

Cloudflare provides hosting, Workers, D1, R2, Queues, bot protection and email delivery. PayPal processes checkout and payment data. These providers process information under their own terms and privacy notices. A production subprocessor list and data-processing terms should be published before launch.

7. Retention

Account and billing records are retained while the account is active and as needed for legal, tax and fraud-prevention duties. Campaign and contact data remain until deleted by the customer or the account is closed, subject to backup and legal-retention periods. Suppression records may be retained longer so an opted-out address is not accidentally mailed again. Login codes expire within minutes; sessions expire or are revoked.

8. International transfers

Cloud providers may process data in multiple countries. Where required, Sakura Mail will use appropriate contractual and legal transfer mechanisms. Customers must evaluate their own transfer obligations for uploaded recipient data.

9. Your choices and rights

Account holders can access, correct, export or delete workspace data through the product or by contacting us. Recipients should normally contact the sender shown in the email; they can also use the included unsubscribe link. Depending on location, people may have rights to access, correction, deletion, restriction, objection, portability or complaint to a regulator.

10. Cookies

The service uses an essential, secure session cookie for authentication. PayPal and Cloudflare Turnstile may set or read data needed to provide payment and anti-abuse functions. We do not deploy advertising cookies in this starter implementation.

11. Children

The service is intended for businesses and adults, not children. Customers may not knowingly upload children’s data without a valid legal basis and appropriate safeguards.

12. Changes

Material changes will be posted with a new effective date and, where required, communicated to account holders.