Privacy Policy — TuruMail

Section 1

Who We Are

TuruMail, Inc. ("TuruMail," "we," "us," or "our") is a Adidigi Webhaat Resolutions LLP operating the cold email platform at turumail.com and related subdomains. We are the data controller for personal data collected through our website and services.

Section 2

Data We Collect

We collect the following categories of personal data:

Category	Examples	Source	Legal Basis
Account Data	Name, email, company, password hash	You provide directly	Contract performance
Billing Data	Payment method (tokenized), billing address, invoices	You / Stripe	Contract performance
Usage Data	Campaigns created, emails sent, features used	Automatic collection	Legitimate interest
Technical Data	IP address, browser type, device ID, log data	Automatic collection	Legitimate interest
Communications	Support tickets, emails to our team	You provide directly	Legitimate interest
Email Content	Campaign templates, contact lists you upload	You provide directly	Contract performance

Data We Do NOT Collect

We do not collect biometric data
We do not collect health or medical information
We do not purchase or augment your data from third-party data brokers
We do not read the content of emails you send to track behavioral patterns

Section 3

How We Use Your Data

We use your personal data only for the purposes described below:

To provide our service: Account management, email sending, campaign management, analytics, and customer support
To improve the platform: Aggregate usage analytics help us prioritize features and fix bugs. We never analyze individual account content for this purpose.
To communicate with you: Product updates, billing notifications, security alerts, and responses to your support requests. You can opt out of marketing communications at any time.
To ensure security: Fraud detection, abuse prevention, and compliance with our Terms of Service
To comply with legal obligations: Responding to lawful requests from government authorities, enforcing our terms, and protecting rights

We will never use your data for advertising on third-party platforms or sell it to any third party for any purpose.

Section 4

Data Sharing & Third Parties

We share personal data only in the following limited circumstances:

Service Providers (Sub-processors)

We work with trusted third-party vendors who process data on our behalf under strict data processing agreements:

Stripe — Payment processing (does not receive full card data)
Amazon Web Services — Cloud infrastructure and data storage (EU and US regions)
Cloudflare — DDoS protection and CDN (does not store personal data)
Intercom — Customer support chat (limited account data only)
Datadog — Infrastructure monitoring (anonymized/aggregated only)

We maintain a complete, up-to-date sub-processor list available at turumail.com/subprocessors. We notify customers 30 days before adding new sub-processors.

Legal Requirements

We may disclose personal data if required by law, court order, or if we believe disclosure is necessary to prevent harm or illegal activity. We will notify affected users unless legally prohibited from doing so.

Business Transfers

If TuruMail is acquired or merges with another company, your data may be transferred to the successor entity. We will notify you and provide an opt-out opportunity before any such transfer.

Section 5

Data Retention

We retain personal data only as long as necessary:

Account data: Retained while your account is active, plus 30 days after deletion to allow for account recovery
Billing records: Retained for 7 years for tax and legal compliance
Email campaign data: Retained for the duration of your subscription, then deleted within 30 days of account deletion
Support communications: Retained for 3 years after ticket resolution
Server logs: Automatically deleted after 90 days
Backup data: Our backup snapshots are deleted within 60 days of account deletion

You can request early deletion of any data category by contacting info@turumail.com.

Section 6

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you. We respond within 30 days.

Right to Rectification

Correct inaccurate or incomplete personal data at any time via your account settings.

Right to Erasure

Request deletion of your account and all associated personal data. We process within 30 days.

Right to Portability

Export your data in a machine-readable format (JSON or CSV) from your account settings.

Right to Object

Object to processing based on legitimate interests. We will stop unless compelling grounds override your interests.

Right to Restrict

Request that we limit how we use your data while a dispute is being resolved.

To exercise any of these rights, contact info@turumail.com or use the self-service tools in your account settings. We will verify your identity before processing requests and respond within 30 days (extendable to 60 days for complex requests with notice).

If you are in the EU/EEA, you also have the right to lodge a complaint with your national data protection authority.

Section 7

Cookies & Tracking

We use cookies and similar technologies to operate our website and service. You can control cookie preferences through our Cookie Settings banner or your browser settings.

Essential Cookies (Always Active)

Authentication session cookies — required to stay logged in
CSRF protection tokens — required for form security
Load balancer cookies — required for service reliability

Analytics Cookies (Optional)

We use privacy-friendly analytics (no cross-site tracking, IPs are anonymized)
These help us understand how users interact with our website to improve the product
You can opt out at any time via Cookie Settings or browser Do Not Track settings

We do not use advertising or remarketing cookies. We do not share cookie data with third parties for advertising purposes.

Section 8

Security

We implement industry-standard security measures including:

TLS 1.3 encryption for all data in transit
AES-256 encryption for sensitive data at rest
Bcrypt hashing for passwords (never stored in plain text)
SOC 2 Type II certified infrastructure
Regular third-party penetration testing
Multi-factor authentication available for all accounts
Role-based access control for all internal systems
Automated anomaly detection for unauthorized access attempts

In the event of a data breach that affects your personal data, we will notify you within 72 hours of discovery as required by GDPR, along with information about what was affected and what steps we are taking.

To report a security vulnerability, contact info@turumail.com. We have a responsible disclosure program.

Section 9

Children's Privacy

TuruMail is a business-to-business service and is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have inadvertently collected data from a person under 16, we will delete it promptly.

If you believe we may have collected data from a minor, please contact info@turumail.com immediately.

Section 10

International Data Transfers

TuruMail is headquartered in the United States. If you are accessing our service from the EU, EEA, UK, or other regions with data transfer restrictions, your data may be transferred to and processed in the United States.

We ensure all international transfers are protected through one or more of the following safeguards:

EU Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to third countries
UK International Data Transfer Agreements (IDTA): For transfers from the UK
EU-US Data Privacy Framework: TuruMail is certified under the EU-US Data Privacy Framework

You can request a copy of our Standard Contractual Clauses by contacting info@turumail.com.

Section 11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Send an email notification to all registered users at least 30 days before changes take effect
Display a prominent notice in the TuruMail dashboard
For significant changes (e.g., new data categories or uses), we will obtain fresh consent

Your continued use of TuruMail after changes take effect constitutes your acceptance of the updated policy. If you do not agree, you may delete your account before the effective date.

Section 12

Contact Us

For privacy-related questions, requests, or concerns:

Email: info@turumail.com
Response time: We aim to respond to all privacy requests within 5 business days and must respond within 30 days under applicable law

If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.