EmailFlow.ai
Product Pricing Templates Blog Docs
Sign in Get Started
Product Pricing Templates Blog Docs
Sign in Get Started

GDPR at EmailFlow AI

Last updated: July 7, 2026

This page explains how EmailFlow AI supports compliance with the EU General Data Protection Regulation and the UK GDPR — in concrete product terms, not slogans. For the binding legal commitments, see our Privacy Policy and Data Processing Addendum.

Our two roles

  • Controller — for your account data (name, email, billing, usage). We decide how and why it is processed, and our Privacy Policy governs it.
  • Processor — for your subscribers' data (the contacts you import, collect, and email). You are the controller; we process it solely on your documented instructions under the DPA.

Because most personal data in EmailFlow AI is subscriber data, most GDPR obligations fall on you as the controller — and our job is to give you the tools to meet them. That is what the rest of this page maps out.

Data subject rights, mapped to product features

Every right below is backed by a feature that exists in the product today — through the app and, for most of them, the API as well:

Right How you exercise it in EmailFlow AI
Access & portability Export any list's subscribers — including all custom fields, tags, and statuses — to CSV from the app, or read them programmatically through the contacts API.
Rectification Edit any subscriber's fields in the app, or update them through the contacts API.
Erasure Delete individual subscribers, selections, or whole lists in the app, or delete through the API. Deletion is immediate in the live database.
Objection / withdrawal of consent Every marketing email carries an unsubscribe link, and sends include RFC 8058 one-click List-Unsubscribe headers so mailbox providers can surface a native unsubscribe button. Unsubscribed contacts are excluded from sends automatically.
Restriction Unsubscribe a contact (stops all marketing sends) without deleting the record, or move them out of active segments.

If a data subject contacts us directly about data controlled by one of our customers, we refer the request to that customer and assist them in responding — as the GDPR expects of a processor.

Where data is processed

The application and its database are hosted on a dedicated server in Falkenstein, Germany (EU). Some subprocessors are in the United States — notably Amazon SES for email delivery, our AI inference provider, and our payment processor. The complete audited list, with each vendor's purpose and location, is on the subprocessors page. Where personal data leaves the EEA or UK, we rely on the safeguards in each vendor's data protection terms, such as the European Commission's Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

Retention by design

Operational data is purged on fixed schedules built into the product, not by manual cleanup:

  • API idempotency records — purged after 24 hours.
  • Webhook delivery logs and raw API usage logs — purged after 30 days.
  • Trigger event fire logs — purged after 90 days.
  • Transactional message records — purged after 13 months (one year of comparable analytics).
  • Subscriber data and campaign content — retained while your account is active; you can delete any of it at any time, and account closure removes it as described in the Privacy Policy.

Security measures

The technical and organizational measures protecting personal data — TLS everywhere, credentials encrypted at rest, hashed passwords and API keys, two-factor authentication, scoped API access, signed webhooks, tested atomic deploys — are described claim-by-claim on the security page, and contractually committed in Annex II of the DPA.

Signing a DPA

Our Data Processing Addendum is published openly, including a downloadable PDF. It incorporates processor obligations under Article 28 GDPR, our subprocessor commitments, and international transfer safeguards. Questions and signature requests go to privacy@emailflow.ai.

Your responsibilities as a sender

GDPR compliance is shared. As the controller of your subscriber data you remain responsible for having a lawful basis to email your contacts (consent or another valid basis), honoring their requests, and giving them accurate privacy notices. EmailFlow AI's Acceptable Use Policy requires permission-based sending — purchased lists and unsolicited email are prohibited on the platform.

EmailFlow.ai

AI email marketing that turns emails into revenue. Design on-brand campaigns in minutes, automate the busywork, and reach the inbox.

Product

Features Pricing Templates Integrations Blog Get started free Sign in

Docs

Welcome Quickstart AI Design Studio Campaigns Automations API

Deliverability

Sending domains & DKIM Verified senders Email verification Tracking domains

Legal & trust

Privacy Policy Terms of Service Acceptable Use Security GDPR DPA Subprocessors
© 2026 EmailFlow AI. All rights reserved. Built for marketers who want results, not busywork.