Privacy Policy
How we collect, use, and protect personal data — and an honest account of where it is processed.
This policy explains how Dairo handles personal data under the EU General Data Protection Regulation (GDPR / DSGVO). We have written it to be read, not to obscure. Where our posture has limits — such as US legal exposure through our cloud subprocessors — we say so plainly.
01Data controller
The controller responsible for the processing of personal data described in this policy is the operator of Dairo, identified in full in our Impressum. Dairo is built and operated from Germany.
You can reach us about anything in this policy, including data-subject requests, at [email protected]. We do not currently operate a statutory Data Protection Officer; if that changes, contact details will be published here and in the Impressum.
02Scope of this policy
This policy applies to the Dairo marketing site (dairo.app), the Dairo dashboard, and the Dairo API, SDKs, CLI, and MCP server (together, the “Service”). It explains what personal data we process when you visit our site, create an account, or use Dairo to operate email inboxes for your applications and agents.
Where you use Dairo to send and receive email and send physical mail on behalf of your own users, you are the controller of that mail content and Dairo acts as your processor. A Data Processing Agreement governing that relationship is available on request at [email protected].
03Data we collect
We process the following categories of personal data:
- Account data. Email address, name, and authentication credentials managed by our auth provider. We store a hashed reference, never your plaintext password.
- Billing data.Plan, billing email, and transaction metadata. Card details are handled directly by our payment processor and never reach Dairo’s servers.
- Usage and product data. Inboxes, domains, API keys (stored hashed), webhook endpoints, and aggregate usage counters needed to operate and meter the Service.
- Email content you route through Dairo. Message headers, bodies, attachments, and delivery events for the inboxes you create. This is processed on your instruction to provide the Service.
- Technical data. IP address, user agent, and request logs generated when you use the site or API, retained for security, abuse prevention, and debugging.
We do not use third-party advertising trackers and we do not sell personal data.
04Legal bases for processing (Art. 6 GDPR)
We rely on the following legal bases under the GDPR/DSGVO:
- Contract (Art. 6(1)(b)). To create and operate your account, provision inboxes and domains, deliver email, and bill you.
- Legitimate interests (Art. 6(1)(f)). To secure the Service, prevent fraud and abuse, keep operational logs, and improve the product. We balance these against your rights and you can object (see your rights below).
- Legal obligation (Art. 6(1)(c)). To meet tax, accounting, and other statutory retention duties.
- Consent (Art. 6(1)(a)). Where we ask for it, such as optional product emails. You can withdraw consent at any time.
05Subprocessors
We use a small set of vetted subprocessors to run the Service. Each is bound by a data processing agreement and, where applicable, EU Standard Contractual Clauses.
- Amazon Web Services (AWS) — compute (Lambda) and email delivery and receiving (SES), hosted in the EU region
eu-north-1(Stockholm). AWS is a US-incorporated company. - Supabase — authentication and the primary Postgres database, on an EU project.
- Polar — billing and payment processing.
- Vercel — hosting and CDN for the frontend.
Our current subprocessor list, including roles and regions, is also published by the Service’s compliance endpoint and kept in sync with this policy. We will give notice of material changes before a new subprocessor begins processing personal data.
06Hosting and data residency
Dairo is built in Germany and designed for EU developers, with GDPR-aligned data handling and billing in EUR. Our primary infrastructure runs in the AWS EU region eu-north-1 (Stockholm), and our database lives on an EU Supabase project.
We want to be precise rather than make a marketing claim: several of our subprocessors (AWS, Supabase, Vercel) are US-incorporated companies. Even with EU-resident infrastructure, this means we cannot claim that your data is beyond the reach of US law. We acknowledge this openly in the next section rather than overstate our posture.
07International transfers and US CLOUD Act
Some processing may take place in, or be accessible from, the United States — for example by US-incorporated subprocessors. Where personal data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses and additional safeguards.
Honestly stated: because our cloud subprocessors are US-incorporated, they may in principle be subject to the US CLOUD Act and could be compelled to produce data regardless of where it is stored. We do not claim immunity from this. Provider-opaque, customer-managed encryption (BYOK) that would further reduce this exposure is on our roadmap and planned, not yet generally available.
08Data retention
We keep personal data only as long as needed for the purposes above:
- Account and configuration data: for the life of your account, then deleted or anonymized after closure.
- Email content and delivery events: until you delete the relevant inbox or message, or close your account, subject to short backup windows.
- Security and request logs: a limited rolling window for abuse prevention and debugging.
- Billing records: as long as tax and accounting law requires (typically up to ten years under German law).
You can request erasure of an email subject or purge of an inbox through the Service; these run as auditable erasure jobs.
09Your rights
Under the GDPR/DSGVO you have the right to access, rectification, erasure, restriction, data portability, and to object to processing based on legitimate interests. Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email [email protected]. We will respond within the statutory time limit (normally one month). You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your residence or place of work.
10Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit and at rest, network isolation (no-egress VPC and IAM-scoped roles), hashed API keys and credentials, and least-privilege access. No system is perfectly secure, but we design Dairo to limit blast radius by default.
12Children
Dairo is a developer tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
13Changes to this policy
We may update this policy as the Service evolves or the law changes. We will revise the “last updated” date above and, for material changes, give reasonable notice through the Service or by email.
14Contact
Questions about this policy or your data: email [email protected], or write to us at the postal address listed in our Impressum.