Privacy Policy
Last updated 9 July 2026
This Privacy Policy explains what personal data Faivelo (“Faivelo”, “we”, “us”) collects, how we use it, and the rights and choices you have. It applies to faivelo.com, the Faivelo mobile apps, and the Faivelo email-hosting service (together, the “Service”). The Faivelo Service is operated by Louis & Schwartz Group, LLC, a Delaware limited liability company, which is the data controller for the personal data described in this policy (except campaign-recipient data, where you are the controller — see Section 4). Capitalised terms not defined here have the meaning given in our Terms of Service.
The short version: we are an email host, not an advertising company. We collect only what we need to run the Service, we do not read your email, we do not sell your data, and we do not use your email content to train AI models or build advertising profiles. Ever. Our business model is simple — you pay us to host your email, and that is the whole relationship.
1. Data we collect
Account data — the email address you register with and your password, which is stored as a salted bcrypt hash and never in plain text.
Domain & DNS data — the domains you add and the DNS records (MX, SPF, DKIM, DMARC and related records) we create, verify, or manage for them.
Registrar credentials — API keys you optionally provide so we can configure DNS automatically. These are encrypted at rest with AES-256, are used only to manage the DNS records needed for your email, and are deleted when you disconnect the registrar or delete the domain.
Mailbox & message data — the mailboxes you create and the email messages, attachments, contacts, and calendar entries stored on our mail servers on your behalf. Mailbox passwords are stored encrypted so they can be shown to you once at creation.
Campaign data — if you use the campaigns feature: the recipient lists you upload, the content you compose, and delivery events (sends, bounces, opens, clicks, and unsubscribes). See Section 4.
Payment data — payments are processed by Stripe. We store a customer and subscription reference and your plan details; we never see or store your full card number.
Technical data — IP addresses, device and browser information, and server logs needed to operate, secure, debug, and rate-limit the Service and to investigate abuse.
Support data — the contents of messages you send us when you ask for help.
We do not collect data we do not need. We do not buy data about you from third parties, and we do not combine your data with external datasets to profile you.
2. How we use data, and our legal bases
We use personal data to provide and operate the Service (hosting mailboxes, sending and receiving email, configuring DNS, authenticating senders with SPF/DKIM/DMARC), to process payments, to provide support, to secure the Service and prevent spam and abuse, to send you service-related notices, and to comply with legal obligations.
Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract (providing the Service you signed up for — this covers account, domain, mailbox, message, and payment data); legitimate interests (securing our infrastructure, preventing abuse, protecting deliverability for all customers, and improving the Service — this covers technical and log data); legal obligation (tax, accounting, and responding to lawful requests); and consent where we ask for it (non-essential cookies, Section 12). We do not use automated decision-making that produces legal or similarly significant effects about you; automated anti-abuse systems may pause sending, but a human reviews any account suspension on request.
We may create and use aggregated or de-identified data (for example, overall delivery statistics) that does not identify you or any recipient, to operate and improve the Service. We never attempt to re-identify de-identified data.
3. Your email content
Your mailbox is yours. You pay us to host it, which means you are the customer — not the product. We have no advertising business, no data business, and no reason to look at your mail. We process the contents of your mailboxes only as strictly necessary to deliver the Service: storing your messages encrypted at rest, sending and receiving them, spam and malware filtering, and search within your own account. That list is exhaustive.
Automated scanning — inbound and outbound mail passes through automated spam, malware, and abuse filtering, as is standard for any email provider. This scanning is machine-only, exists solely to protect you and our sending reputation, and its results are used for nothing else: no profiles, no keyword extraction, no marketing signals.
Human access — our staff do not browse your email. Not for support, not for product research, not out of curiosity. A staff member may access mailbox data only when you ask us to (for example, to troubleshoot a support issue you raised), when necessary to investigate a specific, evidenced violation of our Terms such as a spam or phishing report, or when required by valid legal process (see Section 11). Such access is limited to the minimum necessary for the task, and every instance is logged.
What we never do — we do not read, scan, or analyse your email content for advertising or profiling; we do not sell it, rent it, or share it with data brokers; we do not use it to train machine-learning or AI models; we do not mine it for “product insights”; and we contractually forbid every subprocessor from doing any of those things. If we ever wanted to change any of this, we would have to tell you first and give you time to leave (Section 14) — but we won’t, because this is the entire point of the product.
4. Campaign features and your recipients
When you send campaigns through Faivelo, you provide the recipient lists and you are the data controller for your recipients’ personal data; Faivelo processes it on your behalf as a processor, solely to send the campaign, maintain suppression lists, and report delivery results back to you. You are responsible for having a lawful basis (such as consent or, where the law allows, legitimate interest) to email your recipients. If you need a Data Processing Addendum for your GDPR or UK GDPR compliance, email support@faivelo.com and we will provide one.
Campaign emails may include an open-tracking pixel and rewritten links for click tracking (disabled by default for cold outreach), and always include unsubscribe headers and a one-click unsubscribe link. When a recipient unsubscribes, we record their address in a suppression list so you cannot email them again through the Service — we retain that minimal record precisely so the opt-out keeps working. Tracking applies to campaign emails only — we never add tracking to your ordinary personal or business correspondence.
5. If you received an email from a Faivelo customer
If you received a campaign email sent through Faivelo, the sender — not Faivelo — chose to contact you and is the controller of your data. Every campaign email includes an unsubscribe link that takes effect immediately and permanently across all of that sender’s campaigns. If you believe a sender is abusing the Service, or you want your address suppressed from a sender’s lists, contact us at support@faivelo.com: we investigate every report, and we suspend senders who violate our Sending Policy.
6. Sharing and subprocessors
We do not sell personal data, and we do not share it for cross-context behavioural advertising. We share data only with service providers that help us run Faivelo, under contracts (including data-processing agreements) that limit what they may do with it:
Amazon Web Services (US/EU) — email delivery, DNS, and encrypted message and file storage. Stripe (US) — payment processing. Vercel (US) — application hosting. Neon (US) — database hosting. Upstash (US) — rate-limiting infrastructure. Sentry (US) — error monitoring, which may receive technical request context when an error occurs. Your DNS registrar (e.g. Cloudflare, GoDaddy, Namecheap) — only if you connect one, and only to manage your DNS records.
If we add or replace a subprocessor that will process customer content, we will update this policy and give notice as described in Section 14 before the change takes effect.
With your consent only (see Section 12), our public website also uses Google Analytics (US) for usage analytics and a Reddit (US) ads pixel for advertising measurement. Neither loads unless you accept them in the cookie banner, and neither ever receives your mailbox or message content.
We may also disclose data as described in Section 11 (government and legal requests), to protect the rights, safety, or property of Faivelo or others, or as part of a merger, acquisition, or sale of assets (in which case this policy continues to apply to your data and we will notify you of any change of controller).
7. International transfers
We are a US-based service and process data on infrastructure located in the United States. If you use Faivelo from the EEA, UK, or Switzerland, your data is transferred to the US. For such transfers we rely on appropriate safeguards under GDPR Chapter V, including the European Commission’s Standard Contractual Clauses (and the UK Addendum) with our subprocessors, and providers certified under the EU–US Data Privacy Framework where available.
8. Security
Security is the product. We protect your data with TLS encryption in transit, AES-256 encryption at rest, salted bcrypt hashing for account passwords, encryption of sensitive secrets such as registrar API keys, DKIM signing and DMARC enforcement against spoofing, least-privilege access controls, and audit logging. Access to production systems is restricted to the personnel who need it.
No system is perfectly secure. If we learn of a breach affecting your personal data, we will notify you and the relevant authorities without undue delay and within the timeframes required by law (including the 72-hour supervisory-authority notification under GDPR where it applies). If you believe you have found a security vulnerability in the Service, please report it to support@faivelo.com — we read every report and act on them quickly. We will not pursue good-faith security research, provided you do not access, modify, or destroy other people’s data, disrupt the Service, and you give us reasonable time to fix the issue before disclosing it publicly.
9. Retention
We keep personal data and email for as long as your account is active. When you delete a mailbox, a domain, or your account, we delete the associated data from our active systems immediately (and in any case within 30 days), and residual copies age out of encrypted backups on a rolling basis. Specific retention periods: security and audit logs have IP addresses removed after 90 days and are deleted after 12 months; billing records are kept as required for tax and accounting (typically 7 years); minimal suppression-list entries are kept so unsubscribes keep working; records of your acceptance of our Terms are kept for the life of your account and as needed to establish or defend legal claims.
10. Your rights
Depending on where you live, you have the right to access, correct, export, or delete your personal data, to restrict or object to certain processing, to data portability, and to withdraw consent where processing is based on consent (without affecting processing that happened before withdrawal). If you are in the EEA or UK, you may also lodge a complaint with your local supervisory authority — though we would appreciate the chance to resolve your concern directly first. If you are a California resident, you have equivalent rights under the CCPA/CPRA, including the right to know, delete, and correct — and the right not to be discriminated against for exercising them. Residents of other US states with privacy laws (such as Virginia, Colorado, Connecticut, and Texas) have similar rights, which we honour. We do not “sell” or “share” personal information as those terms are defined in California law, so there is nothing to opt out of; where an opt-out preference signal such as Global Privacy Control applies, we treat it as a valid opt-out.
You can exercise the most important rights yourself, instantly and without asking: download a complete copy of your data (Settings → “Export data”) and permanently delete your account and everything in it (Settings → “Delete account”), as well as delete individual mailboxes and domains from your dashboard at any time. For anything else, email support@faivelo.com; we will verify your request and respond within the time required by applicable law (one month under GDPR, extendable as the law allows; 45 days under the CCPA).
11. Government and legal requests
We disclose customer data to authorities only in response to valid, binding legal process — such as a subpoena, court order, or warrant — targeting a specific account, and only after our review of the request’s validity and scope. We interpret requests narrowly, produce only the data specifically required, and challenge requests that are overbroad or improper. Unless we are legally prohibited from doing so (for example by a gag order), we will notify you before disclosing your data so you can object. We do not give any government direct, standing, or bulk access to our systems.
12. Cookies
Faivelo uses first-party essential cookies to keep you signed in — these are required for the Service to work and are set without asking. Separately, our public website can use Google Analytics and a Reddit ads pixel, but only if you accept them in the cookie banner shown on your first visit. If you decline, no analytics or advertising cookies are set at all. You can change your choice at any time via “Cookie preferences” in the page footer, and withdrawing consent is as easy as giving it.
13. Children
The Service is not directed to anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
14. Changes
We may update this policy from time to time. If we make material changes — especially any change to how we handle your email content — we will give you reasonable advance notice by email or in-app notice before the change takes effect. The “last updated” date above reflects the latest version. Continued use of the Service after changes take effect means you accept the updated policy; if you do not accept it, you may export your data and close your account at any time.
15. Contact
For privacy questions or to exercise your rights, contact the data controller: Louis & Schwartz Group, LLC (operating Faivelo), by email at support@faivelo.com, or by post at 131 Continental Dr, Suite 305, Newark, DE 19713, USA (c/o Legalinc Corporate Services Inc., registered agent). Email is the fastest way to reach us.