Legal
The following Privacy Notice (“Notice”) is applicable to the processing of your personal data by Sinch Email. For the purposes of this Notice, “Mailgun”, “Sinch”, “Sinch Email”, “we”, “us” or “our” refers to Sinch AB (publ) or any of its subsidiaries, including the Sinch Email brands Mailgun, Mailgun Optimize, Mailjet and Email on Acid with which you or your employer have contracted if you are a Sinch customer or the employee of such a customer (hereafter simply “Customer”).
This Notice applies to activities where we are the Controller under data protection law and excludes processing on Customers’ behalf while providing services – activities for which Customers are the Controllers.
We will collect personal data from you based upon your business relationship with us and the use of our platforms and services, as set out below. If you are a Customer, you should read this Notice in conjunction with our Terms of Service.
Before reading, please keep in mind that:
We collect information about you when you, or your colleague or employer, fill in a sign up or contact form on our website or send us an email. We may also receive your personal data from third parties, who know about your likely interest for our services. If we receive your personal data from such third parties we will reach out to you separately to inform you that we’ve received your contact details.
We collect information by automated means. When you visit our website, view one of our advertisements on a third party-owned website, or read our marketing newsletters, we automatically collect information about you via cookies, web beacons and other similar technologies. These are small files associated with information that your browser or our servers will save and return as part of your use of the website and the services for purposes such as saving your login session between visits, remembering your display preferences, tracking your use of the website, and for audience measurement purposes. For more information on our use of cookies, read our cookies notice.
This section describes the activities that Sinch Email undertakes related to Customer Data.
Personal data. This is information that lets us know who you are. This includes the information you provide us when registering to use the platform (i.e. your name, company name, email address, postal address, other contact information you share with us, associated domain name and credit card information). Your login credentials are also personal data. This category also includes information tied to your identity that you provide us through other means, such as emails to our support team.
In addition, and in the context of using our services, namely creating and sending emails, we have access to the information contained in the subject and content of the emails that you send out, as well as the email contacts you send to via our services.
The data you submit should not include any sensitive personal data, such as Government identifiers (i.e. social security, driving licence, or taxpayer identification numbers), complete credit card or complete personal bank card numbers, medical records or particulars connected with applications for care or treatment associated with private individuals.
Non-personal data. This is information that doesn’t let us determine your identity. This generally comes from your use of the services after registering on our website. Non-personal data includes information that could personally identify you in its original form, but that we have modified (for instance, by aggregation) any personal data.
For a more detailed view of what data we process and what we use it for, review the table below:
| Activity | Why is this done? (Purpose) | Lawful basis* | What Personal data? | Deleted When? |
| Administering, and entering into the contractual relationship with the Customer (including billing) | To enable Sinch Email to administer, foster and develop its Customer relationship (with the use of a customer relationship management system), perform credit checks and, verification of identity and personal or business data and payment details and other verifications before offering services to Customers. To enable Sinch Email to fulfil obligations in accordance its contract with its Customers, this may include sending you service announcements on elements included within the contract, customer service enquiries, product specification updates, contracts updates. | Legitimate interests | Contact data; such as phone number, email address, address, name, company, signature, position, contact preference and any other information that you may provide to Sinch, including the internal Sinch identifying number for the customer entity. Payment details: method of payment for Sinch Email services and associated data such as billing address.** Technical data: computer settings when stored, log information on use of portal/forum, IP-address. | For the duration of the business relationship between Sinch Email and the customer |
| Administering portals and websites | To enable Sinch Email to operate and administer access and use of the forums, websites, mobile applications, messaging products and portals provided to Customers, resellers, developers and other user groups, including APIs providing integrations with Customers and third party integration providers. | Legitimate interests | Contact data: such as phone number, email address. Technical data: computer settings when stored, log information on use of portal/forum, IP-address, functional cookie data | For the duration of the business relationship between Sinch and the customer |
| Information security | To enable Sinch Email to protect forums, websites, portals, services and the customer data within, including detecting, investigating and preventing threats and fraud and to find vulnerabilities. | Legal obligation as an electronic communications provider | Technical data: computer settings when stored, log information on use of portal/forum, IP-address | According to the legal requirements |
| Marketing, both direct and indirect | Sending newsletters, information and invites for seminars or webinars, white papers or similar marketing activities undertaken with leads or persons of interest and similar feedback and promotional communication, including leads sharing with partners provided that your explicit consent has been given. | Consent (for such practices where you have explicitly opted in or registered) Legitimate interests (when we reach out to you as a person of interest) | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch. Technical data; terminal equipment data, location data, page views and sessions, interactions and similar metadata about interaction with our portals and websites. Partner data; where you have opted in to a partner direct marketing solution, we process demographic- and interest group data along with aggregated identifiers to tailor our outreach to you. | For the duration of your consent (until you opt-out or the opt-in ceases to be relevant) or, when not based on your opt-in, until you are no longer associated with a relevant lead, including when you have objected or opted out |
| Analytics and product development | Gathering insights related to the use of services, platforms and websites for the purpose of improving functionalities and the overall customer experience. When applicable, this is performed on aggregated and anonymized data. | Legitimate interests | Customer feedback data: information on your particular feedback and experience as applicable (when freely offered) Technical data: computer settings, log information on use of portal/forum (as collected by tracking technologies described on our cookies Statement, IP-address | Retained only temporarily (as expressed in our cookies statement) before anonymization |
| Administering opt-outs and opt-ins | Maintaining features for opt-out and opt-in (such as consents and unsubscribe features) as required by law | Legal obligation under privacy and marketing laws | Contact data and opt-in or opt-out information Technical data: log information on use of portal/forum (as collected by tracking technologies described on our cookies statement, IP-address | As required to maintain an appropriate opt-in and opt-out register in each instance |
| Service announcements | Providing service announcements including notices of downtime, updates, disturbances etc. according to SLA | Legitimate interests | Email address | For the duration of the business relationship between Sinch and the customer |
| Legally required reporting | To enable Sinch to (prepare to) administer and fulfil our obligations under mandatory law including providing correct information to relevant authorities | Legal obligations under tax laws and other national reporting laws | Customer entity data Payment data and billing information ** | According to the legal requirement- we will delete such records when we are no longer legally obligated to retain them but may retain anonymized records, if the law allows. |
| Tax calculation and financial audits | Fulfilling legal requirements and activities related to payment and calculation of tax and associated financial audits and planning | Legal obligation Legitimate interests | Customer entity data Payment data and billing information** | According to the legal requirement – deleted when no longer legally obligated to retain them but may retain anonymized records, if the law allows. |
| Address and refute claims in legal or official proceedings | Protecting Sinch interests in official proceedings | Legitimate interest | Contact data: such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch or is created in communication with you. Technical data: computer settings when stored, log information on use of portal/forum, IP-address | When a legal hold is applied, information is retained until legal prescription or until the hold is lifted |
| Responding to legitimate authority requests for information | Responding to legitimate authority requests for information, such as subscriber information, according to legal requirements in each jurisdiction | Legal obligation | Contact details: such as phone number, email address, name, company registered address and usage data, subscriber data | Information is processed only to respond to the individual request. |
| Protecting services from threats, fraud and spam | Upholding an appropriate standard for our services by acting on detected inappropriate behaviours such as fraud, spam, phishing and similar activities – including automated risk-analysing features that can stop traffic from being delivered as legally required and permitted in each jurisdiction – including by suspending accounts. | Legitimate interests (Legal obligation, where such obligations apply) | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch Service Data: data related to the activities discovered. | Retained for evidence and investigation until the matter is resolved. |
| Aggregating or de-identifying | Preparing anonymized, statistical information from personal data to gain customer and market insights | Legitimate interests | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch (which is removed as part of this process in order to de-identify) Technical data: site and platform visit behaviour, IP-address | N/A (activity describes end of retention practice) |
*A Lawful basis is required in certain jurisdictions (including the EU/EEA and the UK) in order to process personal data. The lawful bases assigned above indicate that use of Customer Data serves to understand the Customer base, manage Sinch relationship with that Customer base, carry out core business operations and comply with applicable legal obligations, as listed above.
** For Customers who choose to pay for Sinch services by credit card or direct debit, Sinch, or our service provider, collects details related to the payment for processing. Payment data is stored according to industry standards for maximum security.
This section describes the circumstances wherein the Sinch entity that first received your personal data will share personal data with other entities, including other Sinch entities.
Sinch does not sell personal data and does not allow third parties to use your personal data for their own business interests, without explicit consent from data subjects to do so, for instance from active customers who opt-in to participate in leads-sharing programs.
In the below, you’ll find the contexts and reasons for sharing your personal data with other parties. Please note that it’s not likely your data has been shared with all the listed categories of recipients. The sharing of your personal data depends on context: such as the specific Sinch service and where you live.
| Type of recipient | Why is data shared? (Purpose) |
| Sinch Group entities | Your personal data will be shared within the Sinch Group, including for business continuity and information security and support purposes, as well as for legally mandated reporting, bookkeeping, billing, and similarly important activities. |
| Hosting Services | We host the website and operate the platform using third parties, including Google Cloud Platform, AWS®, MacStadium and Rackspace®. Your platform will be hosted from their data centers throughout the United States or Europe, based on where you have selected to deploy our services (no transfers between these separate data center locations occur). |
| Payment Providers | We use Stripe®, Chargify, Aria, and Authorize.net to process subscription payments, and therefore provide them with the personal data required to charge your credit card and maintain any payment mandate information as law requires. |
| Website functionalities and optimization | We use third-party services either embedded into our website (such as Drift, Optimizely, VWO, Segment™, Split.io and Google® Analytics) or outside of it (such as GitHub®, Unbounce and Twitter®) to communicate with you or to enhance the function of the website and the services, and for product development and optimization. |
| Customer engagement | We use third-party service providers and platforms (such as Gainsight, Customer.io, Looker, Snowflake, Salesforce, Uservoice, Zapier, and Zendesk) for customer engagement, customer chat, product feedback and customer support ticketing. |
| IP addresses | We may share your contact information with ARIN (American Registry for Internet Numbers) for the purposes of fulfilling your request to re-assign the dedicated IP addresses. |
| Partners of integrated solutions and services | For certain features and products, there are options for Customers to make use of integrated services and technical solutions. If the Customer chooses to use these solutions, those third parties, notified to the Customer, receive and process personal data as described. |
| Authorities and other required/legitimate recipients | Sinch may disclose personal data to third parties (including government bodies or authorities) if in receipt of legitimate requests for information or otherwise if disclosure is compelled by applicable law, regulation, legal process or other government request. Similarly, Sinch may make such disclosures to protect rights under agreements or in line with internal policies, or in order to protect the security and integrity of services, Sinch Group and our interests or the public from harm or illegal activities. Unless prohibited by law, Sinch will notify such disclosure requirements. Our US company, Mailgun Technologies, Inc., is subject to the investigatory and enforcement powers of the Federal Trade Commission as part of certification under the EU-U.S Data Privacy Framework (“EU-U.S DPF”). |
| Business reorganisation transfers | As part of corporate entity sale, merger, reorganization, dissolution or similar events – personal data, as assets, may be part of entities transferred or shared as part of such a transaction of companies. |
Sinch, being a global group, transfers personal data between countries. For instance, Sinch shares personal data internally between Sinch entities for many of the purposes described above under processing activities, such as to ensure correct billing and account handling. When personal data is transferred to a country that offers a lower level of protection for personal data than where the personal data is first sourced, Sinch ensures that requirements under applicable laws are fulfilled for the protection of the personal data transferred.
For transfers of personal data from the EU/EEA to other countries Sinch ensures that the European Standard Contractual Clauses cover the transfers unless an alternative mechanism for lawful transfers is applicable, including the EU-US Data Privacy Framework or Binding Corporate Rules of the third parties importing the personal data (such as service providers).
Mailgun Technologies, Inc., a US based Sinch company, complies with the EU-U.S Data Privacy Framework (“EU-U.S DPF”) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S Department of Commerce. Mailgun Technologies, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles regarding the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF, the Principles shall govern. To learn more about the Data Privacy Framework Program, and to view the certification, please visit https://www.dataprivacyframework.gov/
For specific information on what mechanisms have been used for transfers of your personal data, direct your query to the Sinch Group Data Protection Officer at dpo@sinch.com
This section briefly describes Sinch standards for protection of your personal data.
Sinch is strongly committed to keeping your Personal Data safe. Sinch has implemented and will maintain technical, administrative, organizational and physical measures that are reasonably designed to protect your Personal Data. These measures include encryption and redaction, and Sinch has dedicated teams to monitor our information security and privacy practices. Our infrastructure is located in top-tier data centers. Each of these locations adhere to strict physical and procedural controls which are frequently audited. Our applications are routinely scanned for vulnerabilities and an independent penetration test is conducted annually. Our employees undergo background checks (when allowed) and sign non-disclosure agreements at the time of hire.
Remember, though, that some parts of the services are public and that email, by its nature, is not a reliably private means of communication.
This section summarizes your rights as a data subject under data protection laws and suggests how you may best take action if you have concerns or questions. To exercise these rights, please contact the Data Protection Officer at dpo@sinch.com.
Mailgun Technologies, Inc. has committed to cooperate and comply, in compliance with the EU-US DPF and the UK Extension to the EU-US DPF, with the advice of the panel established by the EU data protection authorities (DPA) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF. If you are an EU or UK resident, you have the right, under certain conditions, to invoke binding arbitration as per the EU-US DPF Principles Annex.
When you exercise your rights, we may need to confirm your identity to ensure that your personal data is not disclosed an unauthorized person.
You have the right to lodge a complaint with a supervisory authority if you believe your data rights have been violated. If you live outside the EU/EEA, you may have the right to lodge a complaint with a data protection supervisory authority or other government body in your country, state or region, but such government bodies are not available everywhere in the world. Regardless of where you live and work, you can always reach out to the Sinch Group Data Protection Officer at dpo@sinch.com if you have questions or to direct your concerns.
Last revised 02/13/2026. To review a changelog and see the previous version, click here.