Start free
Legal

Privacy Policy

Last updated April 24, 2026

How SushiSend collects, uses, and protects the information you entrust to us.

This Privacy Policy explains what information SushiSend ("we," "us," "SushiSend") collects when you use our website, dashboard, API, and related services ("the Service"), how we use it, and the rights you have over it. This is a living document; final production language will be reviewed by legal counsel before General Availability.

1. Information we collect

  • Account data: name, email, password hash, country, phone number, workspace name, billing details, and consent timestamps captured at signup.
  • Usage data: API requests, dashboard interactions, IP address, user-agent, and timestamps. Used for product analytics, abuse prevention, and debugging.
  • Sending data: email headers, recipient addresses, delivery status, and engagement events (opens/clicks when enabled). Body content is retained only as long as needed for delivery, deliverability monitoring, and audit.
  • Integrations: OAuth tokens and scoped credentials you authorize (e.g. Cloudflare, Stripe). Encrypted at rest with per-environment keys.

2. How we use information

  • To provide, operate, and improve the Service.
  • To authenticate you, bill you, and send you important account notices.
  • To detect, investigate, and prevent fraud, abuse, and deliverability incidents.
  • To comply with legal obligations and respond to lawful requests.
  • To train and improve automated abuse-detection and quality models, subject to the safeguards in our Ethical AI Promise.

3. Sharing

We share information with sub-processors strictly necessary to deliver the Service: Amazon Web Services (SES), Cloudflare, Stripe, and a small set of operational tools. We never sell personal data. We disclose data in response to lawful legal process and publish transparency reports annually.

4. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your data, and to object to or restrict certain processing. Email privacy@sushisend.com to exercise any of these rights. We respond within 30 days.

5. Security

Passwords are hashed with PBKDF2. Credentials and third-party tokens are encrypted at rest with rotated per-environment keys. Sessions are cookie-bound and renewed on use. Two-factor authentication is required for owners and admins within 14 days of signup.

6. Retention

We retain account data for the life of your workspace plus 30 days after deletion. Message metadata is retained for 90 days for deliverability analytics; message bodies are purged as soon as delivery windows close, except when flagged for abuse review.

7. Children

SushiSend is not directed at children under 13 and we do not knowingly collect their data.

8. Contact

Questions? Email privacy@sushisend.com. For security reports, see our security disclosure policy.