Privacy Policy
Your Privacy Matters
Last updated: April 2025 · Effective: April 1, 2025 · Zhost Consulting Private Limited
Zhost Consulting Private Limited ("we", "our", "us") operates MailForge ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using MailForge, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
Account & Organisation Data
- Name, email address, and password (hashed with bcrypt — never stored in plain text)
- Organisation name, website, industry, and billing email
- Payment records — processed by RazorPay; we store only transaction references, not card numbers
- SMTP credentials you configure for sending campaigns (encrypted at rest)
Usage Data
- Log data: IP address, browser type, pages visited, access timestamps
- Campaign analytics: sends, opens, clicks, bounces, unsubscribes
- API usage: request counts, endpoints accessed, API key identifiers
Contact Data You Upload
When you import contacts, that data (email, name, company, custom fields) is stored on our servers solely to operate the Service on your behalf. You are the data controller for your contacts' personal data; we act as the data processor.
Email Content
HTML and plain-text content of campaigns you create are stored to enable scheduling, sending, and analytics. We do not scan email content for advertising or profiling purposes.
2. How We Use Your Data
- To create and maintain your account and organisation
- To deliver and track email campaigns on your behalf
- To process payments and issue invoices
- To send transactional system emails: account verification, password resets, team invitations
- To provide customer support and respond to enquiries
- To monitor Service performance, detect abuse, and maintain security
- To comply with applicable legal obligations
We do not use your data or your contacts' data for advertising, third-party profiling, or sale to any third party.
3. Data Sharing
We do not sell personal data. We share data only with:
- RazorPay — payment processing. Subject to RazorPay's Privacy Policy.
- Your SMTP provider — campaigns are sent through the SMTP credentials you provide. Your provider receives recipient addresses and message content per your configuration.
- Law enforcement — when required by applicable law, court order, or governmental authority.
- Business successors — in the event of a merger, acquisition, or asset sale, users will be notified before data is transferred.
4. Data Retention
| Data Type | Retention Period |
|---|
| Active account & organisation data | For the life of the account |
| Personal data after account closure | Purged within 90 days |
| Campaign analytics (aggregated) | 24 months |
| Billing records & invoices | 7 years (statutory requirement) |
| Server & audit logs | 12 months |
5. Security
- Passwords hashed with bcrypt — never stored in plain text
- SMTP credentials encrypted at rest
- All data in transit protected by TLS 1.2+
- CSRF protection on all state-changing requests
- HTTP Strict-Transport-Security (HSTS) enforced in production
- Rate limiting on login endpoints to prevent brute-force attacks
- Account lockout after 5 failed login attempts
No method of internet transmission is 100% secure. We implement industry-standard protections but cannot guarantee absolute security.
6. Your Rights
Depending on your jurisdiction (including GDPR, PDPA, and Indian IT Act), you may have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing
To exercise any right, email privacy@marketing.bithost.in. We respond within 30 days.
7. Cookies
MailForge uses only essential session cookies to maintain your login state. We do not use advertising or third-party tracking cookies. See our full Cookie Policy for details.
8. Children's Privacy
MailForge is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with their information, please contact us immediately and we will delete it.
9. International Data Transfers
MailForge is operated by Zhost Consulting Private Limited, registered in India. Your data is processed in India and may also be processed in the country where your chosen SMTP provider operates. We take appropriate steps to ensure adequate safeguards are in place for any international transfers in accordance with applicable data protection law.