Privacy Policy
Last updated: May 2026
1. Who We Are
GrapphenMail is a business email hosting platform operated by Grapphen ("we", "us", "our"). Our registered platform is accessible at workspace.grapphen.com. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.
2. Data We Collect
We collect the following categories of data:
- Account data: Name, email address, organisation name, password (hashed), and role when you register.
- Email data: Messages, attachments, headers, and metadata associated with your mailboxes. This data is yours — we process it only to deliver the service.
- Usage data: IP addresses, browser type, pages visited, and feature usage for security monitoring and service improvement.
- Billing data: Payment details are processed by Stripe and never stored on our servers. We retain transaction records (amount, date, plan) for accounting purposes.
- Domain & DNS data: Domain names, MX/SPF/DKIM/DMARC records, and BIMI configurations you set up in your account.
3. How We Use Your Data
- To provide, maintain, and improve the GrapphenMail platform.
- To send and receive email on your behalf via your configured domains.
- To process payments and manage subscriptions.
- To detect abuse, spam, and security threats.
- To communicate service updates, security notices, and billing information.
- To comply with legal obligations and enforce our Terms of Use.
4. Data Sharing
We do not sell your personal data. We share data only with:
- Amazon Web Services (AWS): Infrastructure hosting and AWS SES for email delivery.
- Stripe: Payment processing.
- Law enforcement: Only when required by valid legal process.
5. Data Retention
We retain your account and email data for as long as your subscription is active. After account termination, we retain billing records for 7 years for legal compliance and delete all other personal data within 30 days unless a longer retention period is required by law. You may request earlier deletion via our GDPR tools inside your dashboard or by contacting support.
6. Your Rights (GDPR)
If you are based in the European Economic Area you have the following rights:
- Right to access — request a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — request deletion ("right to be forgotten").
- Right to portability — export your data in machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to restriction — restrict how we process your data.
To exercise any of these rights, use the GDPR tools in your account dashboard or email us at privacy@grapphen.com.
7. Security
We protect your data with TLS 1.2/1.3 encryption in transit, AES-256 encryption at rest, DKIM/SPF/DMARC on all outbound mail, multi-factor authentication options, and immutable audit logging. Our infrastructure is hosted on AWS and undergoes regular security reviews.
8. Cookies
Our marketing site (grapphen.com) uses minimal cookies for session management and analytics. Our application (workspace.grapphen.com) uses session tokens stored in localStorage for authentication — no third-party tracking cookies are used in the application.
9. Changes to This Policy
We may update this Privacy Policy periodically. We will notify account owners of material changes by email at least 30 days before they take effect. Continued use of the service after that date constitutes acceptance of the updated policy.
10. Contact
For privacy enquiries contact us at privacy@grapphen.com or via our contact page.
