Security & Trust
Smailor is an email infrastructure service. We take security, deliverability, and privacy seriously — not as marketing, but as the core of a service your team depends on every day.
GDPR compliant
Data processed in Europe. Full DPA available for business customers.
TLS everywhere
All connections encrypted in transit. STARTTLS enforced on email delivery.
SPF · DKIM · DMARC
Full email authentication stack on all outbound mail. BIMI support available.
How outbound and inbound email actually work.
Outbound mail — SMTP with authentication
Every outbound email is signed with DKIM (RSA-2048) on your custom domain. SPF records delegate sending rights to Smailor's infrastructure. DMARC enforcement prevents spoofing of your domain. Envelope-from alignment is enforced for consistent delivery.
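One way to confirm the alignment described above on a message received from your own domain, as an added example that is not Smailor's code. The headers are constructed, the two-entry suffix set stands in for the full Public Suffix List, and DKIM signatures are read, not cryptographically verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption, not a complete list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Approximate the DMARC organizational domain of a host name."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(identifier, from_domain, mode="r"):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not identifier or not from_domain:
        return False
    a, b = identifier.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def domain_of(addr_header):
    # Empty bounce address "<>" yields "", which never aligns.
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    """d= value of every DKIM-Signature header on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def alignment_report(raw, adkim="r", aspf="r"):
    """Compare the From domain with the envelope-from and DKIM d= domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    return {
        "from": from_dom,
        "spf_aligned": aligned(domain_of(msg["Return-Path"]), from_dom, aspf),
        "dkim_aligned": any(aligned(d, from_dom, adkim) for d in dkim_domains(msg)),
    }

# Constructed sample: bounce address on a subdomain, DKIM signed by the From domain.
SAMPLE = (
    "Return-Path: <bounce@mail.example.co.uk>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.co.uk; s=sel1; h=from; bh=x; b=y\n"
    "From: Alice <alice@example.co.uk>\nSubject: test\n\nbody\n"
)
```

DMARC passes when at least one of the two identifiers is both authenticated and aligned, so a message that is only relaxed-aligned on SPF will fail a policy published with `aspf=s` unless DKIM carries it.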
Inbound mail — MX routing
Your domain's MX records point to Smailor's mail receivers. Incoming messages are validated, spam-scored, and routed to the correct inbox in under a second. Attachments are stored separately and served via authenticated URLs.
Data center — Hetzner (Germany / Finland)
All data is stored on Hetzner servers located in the EU (Germany and/or Finland). Hetzner is ISO 27001 certified. Data never leaves the European Economic Area without appropriate safeguards.
Deliverability — domain warm-up & reputation
New domains go through a warm-up schedule to build sender reputation progressively. Per-domain sending stats are visible in your dashboard. BIMI logos are supported for brand recognition in Gmail and Apple Mail. We monitor bounce rates and automatically throttle to protect your domain's reputation.
Anti-spam & abuse prevention
Outbound rate limiting per domain and per account. Sending through Smailor for unsolicited bulk mail violates our Acceptable Use Policy and results in immediate suspension. We score inbound messages for spam and phishing before routing. Abuse reports go to [email protected].
What we collect, why, and for how long.
We do not sell your data
Your emails, contacts, and message content are never sold or shared with third parties for advertising. We process data solely to provide the service, ensure security, and comply with the law.
We do not train AI on your content
Your private messages are never used to train public or third-party machine learning models. AI features run on a self-hosted model (Qwen 2.5, 1.5B). Your data never leaves our servers.
Encryption in transit & at rest
All HTTP traffic uses TLS 1.2+. Email delivery uses STARTTLS with opportunistic encryption. Database volumes are encrypted at rest by Hetzner's storage layer.
Access controls & audit
Role-based access within workspaces. Authentication via password (bcrypt-hashed) or OAuth (Google, Discord). Session tokens are short-lived and rotate on sensitive actions.
Third-party services we use to run Smailor. All are bound by appropriate data processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Servers, storage, networking | 🇩🇪 Germany / 🇫🇮 Finland (EU) |
| Mollie | Payment processing | 🇳🇱 Netherlands (EU entity) |
| Cloudflare | DNS, CDN, bot protection (Turnstile) | 🇺🇸 USA (SCC covered) |
| Qwen 2.5 (self-hosted) | AI triage & drafting (on-premises) | 🇩🇪 Germany — no data transfer |
SCC = Standard Contractual Clauses (EU transfer mechanism). Full list updated as sub-processors change.
All public legal and compliance documents in one place.
Terms of Service
Rules for using the service, plans, and liability.
Privacy Policy
How we collect, use, and protect personal data.
Data Processing Agreement
GDPR DPA for business customers (Art. 28 GDPR).
Acceptable Use
Prohibited conduct, spam, and abuse policy.
Cookie Policy
Cookies and similar technologies on our sites.
Legal Notice
Company details, imprint, and contact information.
Security contact
Please disclose security issues responsibly. We investigate all credible reports and will acknowledge receipt within 48 hours. Do not publish vulnerabilities before we've had a chance to address them.