Privacy Policy
Last updated: March 2026
1. Overview
Waxseal ("we", "us", "our") operates the waxseal.app email hosting service. This Privacy Policy explains what data we collect, how we use it, and your rights. We comply with Japan's Act on Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
2. Data We Collect
Account Information
- Email address (for account login and notifications)
- Password (stored as a bcrypt hash; we never store plaintext)
- Language preference
- Plan and subscription status
Email Data
- Email messages stored in your mailboxes (content, headers, attachments)
- Email metadata (sender, recipient, timestamps, message sizes)
- Domain configuration (DNS records, verification tokens)
Technical Data
- IP addresses (for security and abuse prevention)
- Server logs (connection timestamps, error logs)
- Audit log (account actions: login, password change, settings changes)
Payment Data
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVCs, or bank account details. We store only the Stripe customer ID and subscription ID needed to manage your billing.
3. How We Use Your Data
- Email delivery: To receive, store, and send email on your behalf
- Account management: To authenticate you and manage your subscription
- Service operation: To maintain, monitor, and improve the Service
- Security: To detect and prevent abuse, spam, and unauthorized access
- Communication: To send service notifications (not marketing)
We do not: scan your email content for advertising, sell your data to third parties, use your data for profiling or behavioral targeting, or share your data with anyone except as described in this policy.
4. Data Storage and Security
Your data is stored on servers located in Tokyo, Japan. Email data is replicated to a secondary server in Singapore for disaster recovery. Backups are encrypted and stored in Backblaze B2.
Security measures include:
- TLS encryption for all email transmission (IMAP, SMTP)
- TLS encryption for all web traffic (HTTPS)
- Passwords hashed with bcrypt
- Two-factor authentication available for all accounts
- SSH key-only server access
- Encrypted backups with limited retention
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Email messages | Until you delete them, or 30 days after account termination |
| Account information | Until account deletion + 30 days |
| Server logs | 90 days |
| Audit log | 1 year |
| Backups | 30 daily, 12 weekly, 12 monthly |
6. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details |
| Vultr | Server hosting | All data stored on servers |
| Backblaze B2 | Encrypted backups | Encrypted email and DB data |
| Cloudflare | DNS, DDoS protection | DNS queries, web traffic |
We do not use analytics services, advertising networks, or tracking pixels.
7. Your Rights
All Users
- Access: View all data we hold about you from the portal
- Correction: Update your account information at any time
- Deletion: Delete your account from Settings
- Export: Download your email via IMAP at any time
APPI (Japan) Rights
Under the Act on Protection of Personal Information, you have the right to request disclosure, correction, suspension of use, or deletion of your personal information. Contact [email protected].
GDPR (EU) Rights
If you are in the European Economic Area, you have additional rights, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Our legal basis for processing is contract performance (providing the email service you subscribed to). Contact [email protected] or our supervisory authority.
CCPA (California) Rights
California residents have the right to know what personal information is collected, request deletion, and opt out of sale. We do not sell personal information. Contact [email protected].
8. Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery via email and portal notification. We will also report to the Personal Information Protection Commission (Japan) as required by APPI.
9. Children
The Service is not intended for children under 16. We do not knowingly collect data from children under 16.
10. Changes
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect.
11. Contact
For privacy-related questions or to exercise your rights:
- Email: [email protected]
- Data Protection Officer: [email protected]