Legal
Privacy policy
Last updated: July 12, 2026
The short version
Volanea is an email platform. We collect what we need to run your account and deliver your email, we don't sell data to anyone, and the contacts you upload belong to you — we process them only to send the email you tell us to send. The rest of this page spells that out precisely.
What we collect
Account data. Your name, email address, and password (stored hashed), or your Google/GitHub profile email if you sign in with OAuth. Billing details are handled by Razorpay — we never see or store card numbers.
Project data. The content you create on the platform: templates, campaigns, workflows, sending domains, and the contact lists you upload or collect. Contact data is yours; we act as a processor for it.
Email and engagement data. Messages sent through the platform, their delivery status, and engagement events (opens, clicks, bounces, complaints) where tracking is enabled — this is the product working as described.
Technical data. Server logs (IP address, user agent, timestamps) kept for security, abuse prevention, and debugging. The dashboard uses a single session cookie. We run no advertising trackers.
How we use it
To provide the service: authenticate you, deliver your email, show you analytics, invoice you, and warn you when something needs attention (a failing domain, an approaching usage cap). To protect the platform: detecting spam, phishing, and abuse — automated systems may scan message content for this purpose. To improve the product, using aggregate, de-identified usage patterns. Never to sell, rent, or trade your data — to anyone.
Your contacts are not our contacts
The people on your contact lists are your audience, not ours. We never email them except on your instruction, never add them to any list of ours, and never share them with other customers or third parties. If you delete a contact or your account, that data is deleted with it.
Who processes data on our behalf
We use a small set of infrastructure providers, each bound by their own data-processing terms:
Amazon Web Services (email delivery via SES, United States) · Google Cloud (application hosting and databases, United States) · Razorpay (payment processing, India) · AWS Amplify / GitHub (website hosting and code infrastructure).
Retention
Account and project data is kept while your account is active and deleted on account deletion. Email logs and engagement events are kept to power your analytics. Server logs rotate on a short schedule. Backups exist for disaster recovery and expire automatically within 30 days.
Security
All traffic is encrypted in transit (TLS). Passwords are hashed, API keys are shown once and stored securely, and webhook deliveries are HMAC-signed so you can verify they came from us. Production access is limited to what operating the service requires.
Your rights
You can access, correct, export, or delete your data. Most of it is self-serve in the dashboard (contact export is one click; account data is editable in settings). For anything else — including full account deletion — email us and we'll complete it within 30 days. If you're in a jurisdiction with statutory data rights (GDPR, DPDP), those rights apply and we honor them.
Children
Volanea is not directed at children and we don't knowingly collect data from anyone under 16.
Changes and contact
If this policy changes materially, we'll note it here and email account owners before it takes effect. Questions or requests: support@volanea.com.