Effective date: March 17, 2026 | Last updated: March 17, 2026

1. Introduction

Misar AI Technology Pvt. Ltd. ("Misar", "we", "our", or "us") operates MisarMail — an email marketing and inbox management platform accessible at mail.misar.io ("the Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), India's Digital Personal Data Protection Act (DPDPA 2023), and the CAN-SPAM Act.

By using MisarMail, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

Account Information: Your name, email address, and password when you register.
Email Account Credentials: IMAP/SMTP usernames and passwords you provide to connect external email accounts. These are stored encrypted using AES-256-GCM.
Contact Lists: Names, email addresses, and custom fields of the contacts you import or add to MisarMail.
Email Content: Subject lines, body HTML/text, and metadata of campaigns and emails you compose and send.
Profile & Organization Data: Company name, website URL, timezone, and profile picture you configure in Settings.
Payment Information: Billing details processed by our payment processor (Stripe via Assisters LLC). We do not store full card numbers.
Support Communications: Messages you send to our support team.

2.2 Information Collected Automatically

Usage Data: Features used, pages visited, buttons clicked, and interactions with the Service.
Device & Browser Data: Browser type, operating system, screen resolution, and device identifiers.
Log Data: IP address (pseudonymized after 30 days), access timestamps, HTTP methods, and response codes.
Email Engagement Data: Opens, clicks, bounces, and unsubscribes from campaigns you send (tracked via pixel and link wrapping).
Cookies & Similar Technologies: Session cookies, preference cookies, and analytics tokens. See our Cookie Policy for details.

3. How We Use Your Information

We use your information to:

Create and manage your account and provide the Service.
Process and deliver your email campaigns on your behalf.
Sync your connected email accounts via IMAP/SMTP.
Track email engagement (opens, clicks, bounces) on campaigns you send.
Send transactional emails (password resets, notifications, billing receipts).
Provide analytics, reports, and deliverability insights.
Respond to support requests and inquiries.
Process payments and manage your subscription.
Detect, investigate, and prevent fraudulent, abusive, or unlawful activity.
Comply with legal obligations and enforce our Terms of Service.
Improve and develop the Service (using aggregated, anonymized data only).

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process personal data under the following lawful bases:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
Legitimate Interests (Art. 6(1)(f)): Fraud prevention, security, Service improvement, and analytics.
Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations.
Consent (Art. 6(1)(a)): Marketing communications from Misar (you can withdraw consent at any time).

5. Data Sharing & Disclosure

We do not sell your personal data. We may share information with:

Service Providers: Trusted vendors who operate infrastructure for us (cloud hosting on Hetzner VPS, payment processing via Stripe). These parties are contractually bound to protect your data.
Within Misar Group: With Assisters LLC (our US billing entity) for payment processing purposes only.
Legal Requirements: When required by law, court order, or governmental authority.
Rights Protection: To protect the rights, property, or safety of Misar, our users, or the public.
Business Transfers: In the event of a merger, acquisition, or sale of assets, with prior notice to you.

6. Your Rights

6.1 GDPR Rights (EU/EEA/UK Users)

Access: Request a copy of all personal data we hold about you.
Rectification: Correct inaccurate or incomplete personal data.
Erasure ("Right to be Forgotten"): Request deletion of your personal data. We will comply within 30 days.
Portability: Receive your data in a machine-readable format (JSON/CSV).
Restriction: Request that we limit processing of your data.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Withdraw consent for marketing at any time.

6.2 CCPA Rights (California Residents)

Right to know what personal information we collect and how it is used.
Right to delete your personal information.
Right to opt out of the sale of personal information (we do not sell personal information).
Right to non-discrimination for exercising your CCPA rights.

6.3 DPDPA Rights (India Residents)

Right to access information about personal data we process.
Right to correction and erasure of personal data.
Right to nominate a person to exercise rights on your behalf.
Right to grievance redressal within 72 hours.

To exercise any of these rights, email privacy@misar.io.

7. Data Security

We implement industry-standard security measures including:

TLS 1.2/1.3 encryption for all data in transit.
AES-256-GCM encryption for email credentials stored at rest.
Row-Level Security (RLS) on all database tables — users can only access their own data.
DKIM, SPF, and DMARC authentication on all outgoing emails.
Regular security audits and vulnerability assessments.
Strict access controls — only authorized personnel can access production systems.

8. Data Retention

We retain your personal data only as long as necessary to provide the Service:

Active account data: Retained for the duration of your account.
Campaign & analytics data: Retained for 24 months after a campaign is sent.
Synced email data: Retained while your account is active; deleted within 30 days of account deletion.
Billing records: Retained for 7 years as required by applicable tax and financial regulations.
Log data: IP addresses pseudonymized after 30 days; logs deleted after 90 days.

When you delete your account, all personal data is deleted within 30 days (except where retention is legally required).

9. International Data Transfers

MisarMail is operated from India. Your data is stored on servers located in Germany (Hetzner VPS). For users in the EEA/UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), to protect your data during international transfers.

10. Cookies

We use essential session cookies, preference cookies, and analytics cookies. For full details, see our Cookie Policy.

11. Children's Privacy

MisarMail is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@misar.io and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting a notice in the Service at least 14 days before the changes take effect. Your continued use of MisarMail after changes constitutes acceptance of the updated policy.

13. Contact & DPO

For privacy-related inquiries, to exercise your rights, or to reach our Data Protection Officer:

Privacy Requests: privacy@misar.io
Data Protection Officer: dpo@misar.io
Registered Address: Misar AI Technology Pvt. Ltd., India
EU Representative: For EEA/UK inquiries — gdpr@misar.io