Legal
Privacy policy
Last updated: 28 May 2026
Speedmail is a Chrome extension and dashboard that lets you send personalized mass emails and AI-generated newsletters through your own Gmail account. This policy describes what data we collect, what we don't, and how we use it. If anything is unclear, email hello@speedmail.ai and we'll clarify.
1. Data we collect
- Account: your email, name, and a unique ID issued by Supabase Auth.
- Gmail OAuth tokens: a Google-issued access token + refresh token, encrypted at rest with AES-256-GCM. We use these only to send mail on your behalf via the
gmail.sendscope. - Campaign content: the subjects, bodies, and lists you create inside Speedmail.
- Tracking events: opens (pixel) and clicks (redirect) for messages you sent through Speedmail. We record a hashed IP, country, and device class — never the raw IP.
- Billing: Stripe customer + subscription IDs. We never see your card number.
2. Data we do not collect
- We do not read your Gmail inbox, sent folder, drafts, or any other Google product. The OAuth scope is
gmail.send— read access is not requested. - We do notimport your contacts unless you explicitly use the "Gmail Contacts" list source (currently disabled).
- We do not sell or share your data with advertisers, data brokers, or AI training providers.
3. How we use the data
- To deliver the service you signed up for: queuing and sending emails.
- To show you analytics on your own campaigns.
- To ground the AI newsletter writer when you paste a URL — we fetch the page server-side, extract text, and pass that to the AI model. The model provider (Vercel AI Gateway → DeepSeek) does not retain your prompts or train on them.
- To send transactional emails: welcome, billing receipts, follow-up scheduling confirmations.
4. Sub-processors
We use the following companies to operate Speedmail:
- Supabase — Postgres database + authentication (your data sits in the AWS ap-southeast-1 region).
- Vercel — application hosting, edge proxy, and AI Gateway.
- Stripe — payment processing.
- Upstash — durable message queue for spaced sending.
- Resend — transactional email delivery (welcome / billing receipts only, NOT your campaign sends).
5. Your rights
- Export:email us and we'll send you a JSON export of your account.
- Delete:email us and we'll wipe your account within 7 days. Tracking events for already-sent emails persist until the recipient list rotates out (typically 90 days).
- Revoke Gmail access: visit myaccount.google.com/permissions and remove Speedmail. Sends stop immediately.
6. Security
- OAuth refresh tokens encrypted at rest (AES-256-GCM).
- Database access gated by Postgres Row Level Security.
- All traffic in transit over TLS 1.2+.
- Tracking pixel + click tokens are opaque random tokens, not signed JWTs (so recipient lists can't be inferred from them).
7. Children
Speedmail is not directed to anyone under 16. If you believe we've collected data from a minor, email us and we'll delete it.
8. Changes
We'll update the "Last updated" date at the top of this page on any material change and email signed-in users when a change affects what we collect or share.
9. Contact
Questions? Email hello@speedmail.ai.