# Privacy policy

> Email Fast's privacy policy in plain language: what we collect and why, where it lives, how long we keep it, and your rights — with erasure that destroys data.

Canonical: https://emailfast.dev/legal/privacy

**Who we are.** Email Fast ("we") operates the email platform at emailfast.dev. For
customer data processed on behalf of our customers, we act as a processor under the
[Data Processing Agreement](/legal/dpa); for visitor and account data we are the
controller.

## What we collect, and why

| Data | Why | Kept |
|---|---|---|
| Account data (email, name, auth credentials) | Operating your account; passkeys/TOTP secrets for security | Life of the account |
| Message content and recipient data you send through the platform | Delivering your email — it's the product | Per your plan's retention window; configurable; erasable |
| Delivery events (bounces, opens where enabled, complaints) | Deliverability, suppression, and your analytics | Per retention window |
| Consent records (signup forms, double opt-in) | Compliance evidence for your sending | Life of the list |
| Site analytics (this website) | Cookie-less, aggregate page metrics — no cross-site tracking, no advertising identifiers | Aggregates only |
| Support correspondence | Answering you | As needed |

We do **not** sell personal data, run advertising systems on it, or use customer
message content to train AI models — ours or anyone's.

## Where data lives

On dedicated infrastructure in the EU (Germany), operated by us. The short list of
third parties that touch limited data is published at
[subprocessors](/legal/subprocessors).

## Your rights

Access, correction, export, objection, and erasure. Erasure here is unusually
literal: GDPR erasure by crypto-shred: destroying a key destroys the data it protected, without corrupting the tamper-evident audit ledger. Requests: **hello@emailfast.dev** — verified and
answered within 30 days, usually much faster.

## Security

Summarized honestly on the [security page](/security); vulnerability reporting via
[security.txt](/.well-known/security.txt).

## Changes

Material changes are announced in the [changelog](/changelog) and, for account
holders, by email. This page carries its verification date at the top.
