1.3 Technical Data
- IP Addresses (for security and abuse prevention)
- Browser User-Agent, screen resolution, device type
- Cookies and session tokens (for authentication)
- API and Webhooks usage logs
2. How We Use Data
The collected data is used for:
- Providing and supporting the Service
- Processing payments through third-party gateways
- Sending email campaigns via your connected SMTP
- AI content generation (via built-in models or your OpenAI key) and AI classification of incoming replies
- Abuse prevention (AI Content Filter — see section 4 of the Terms of Use)
- Notifications about campaign status, SMTP failures, balance depletion
- Improving the Service based on aggregated analytics (without identifying specific users)
3. Data Transfer to Third Parties
We do not sell your data. We only transfer data in the following cases:
3.1 Service Providers
- Payment gateways: Stripe, CoinGate, Heleket, CactusPay — for payment processing. They only receive the data necessary for the transaction.
- AI providers: Google Gemini (built-in) or OpenAI (if you use your own key) — for generating subjects/content and classifying responses. Only the content of emails is sent to the AI, without recipients' personal data.
- Hosting and infrastructure: OVH/Hetzner for storage and Cloudflare for CDN/DNS. Data is stored in the EU.
- Analytics: Google Analytics, Ahrefs Analytics — only aggregated data about website traffic, not campaign data.
3.2 Legal Requirements
We may disclose your data if there is a legitimate request from government authorities, to protect our rights, user safety, or prevent fraud.
4. Data Storage and Protection
4.1 Storage Periods
- Account data — while the account is active, plus 30 days after closure for recovery
- Campaign data — 24 months after the last campaign activity
- SMTP logs and events — 12 months
- Snapshots of messages blocked by the AI filter — up to 12 months (for abuse investigation)
- Financial data — 7 years (tax law requirement)
4.2 Security Measures
- TLS 1.3 encryption for all connections
- Bcrypt for password hashing; AES-256 for encrypting API keys and SMTP passwords in the database
- Limited employee access to production data (based on the principle of least privilege)
- Regular backups and disaster-recovery plan
- Firewall, monitoring of suspicious activity, protection against brute-force attacks
5. Cookies and Tracking
We use the following categories of cookies:
- Necessary: session-cookies for authentication and interface operation. The Service does not work without them.
- Analytical: Google Analytics for understanding traffic. They do not personally identify you.
- Functional: saving language, dashboard theme (dark/light), other UI settings.
Tracking pixel in outgoing campaigns (for open-rate) — this is a technology that you (as a Postigo user) apply to your recipients. Compliance with the legal requirements of such tracking is your responsibility.
6. Your rights (GDPR / personal data law)
If you are located in the EU, the UK, or another jurisdiction with similar legislation, you have the following rights:
- Access: request a copy of your data
- Correction: request correction of inaccurate data
- Deletion: request deletion of data (right to be forgotten), except where storage is required by law
- Restriction of processing: suspend data processing
- Portability: get data in a machine-readable format
- Objection: express disagreement with certain processing methods
- Complaint: contact the data protection supervisory authority
To exercise your rights, please write to We will respond within 30 days.
7. Data transfer across borders
Postigo servers are located in the EU. If you are located outside the EU, your data may be transferred to and stored in the EU. We ensure an adequate level of protection in accordance with GDPR through standard contractual clauses (SCC) with service providers.
8. Children
The service is not intended for persons under the age of 18. We do not knowingly collect data from minors. If you discover that a child has provided us with data, please inform us and we will delete it.
9. Policy changes
We may update this policy. We will notify you of significant changes by email or through the Service interface at least 14 days before they take effect. The date of the last update is indicated at the beginning of the document.
10. Privacy contacts
For any questions about privacy and data processing:
- Privacy email:
- General support:
- Terms of Use: link
About us
Postigo is a platform for cold email outreach with AI-powered response filtering, content rotation, and deliverability analytics.
Email outreach that works for you
Postigo is a platform for cold email outreach with AI-powered content rotation, response filtering, and deliverability control. We help teams connect with customers from the first email to the deal.
What we do
Deliverability
SPF/DKIM/DMARC support, SMTP rotation, provider limit control, and automatic bounce processing.
AI automation
Subject and body generation via Gemini/OpenAI, {word1|word2} rotation, classification of responses as positive/negative/auto-reply.
Analytics
Open/click tracking, campaign reports, follow-up on unanswered emails, A/B testing at the subject and content level.
Principles