In plain English
LayerSend, Inc. ("LayerSend") provides an email-sending platform to developers. To do that, we process two kinds of data:
- Your account data — the email address, name, organization, and billing details of the people who run a LayerSend workspace.
- Email data — the messages you choose to send through our API, including recipient addresses, subject lines, and content.
This policy explains what happens to both.
What we collect
Account & identity data
- Name and email address (when you sign up).
- Workspace name, billing address, and payment method (handled by Stripe — we never see your card number).
- API keys and their scopes.
- Authentication metadata — IP address, browser user-agent, and timestamps for login events.
Email & event data
- Messages you submit to POST /v1/emails — including from, to, cc, bcc, reply_to, subject, html, text, custom headers, and tags.
- Delivery telemetry from AWS SES — sent, delivered, bounced, complained.
- Recipient engagement events — opens and clicks — when you enable tracking pixels and link rewriting.
Product usage data
- Dashboard analytics: pages viewed, features used, errors encountered. Collected via a first-party analytics endpoint, never shared with third-party advertisers.
How we use it
- To operate the Service — accept your API calls, route messages through AWS SES, deliver webhook events, render logs.
- To bill you — count messages, calculate overages, send invoices.
- To prevent abuse — detect spam, phishing, malware, and credential stuffing. Block, throttle, or notify accordingly.
- To communicate with you — transactional product email (receipts, security alerts), and — if you opt in — occasional product updates.
- To improve the Service — aggregated, de-identified metrics inform our roadmap. We do not train machine-learning models on the content of your messages.
Sharing & sub-processors
We do not sell personal data. We share it only with the sub-processors required to deliver the Service, under written contracts that require equivalent protections.
- Amazon Web Services (AWS SES, S3, KMS) — message delivery and storage. Region: us-east-1, with optional EU residency.
- Supabase — Postgres database for account and metadata storage.
- Railway — application and API hosting.
- Stripe — payment processing.
- Postmark — outbound transactional email to LayerSend account holders (so a LayerSend incident never blocks our own support emails).
- Linear, Slack, Notion — internal tooling. Customer data flows here only when you contact support and include it in a ticket.
Retention
We keep data only as long as it's useful to you or required by law.
- Message bodies — 30 days, then permanently purged from production and backups.
- Event metadata (delivered, opened, bounced) — for the lifetime of your workspace, until you delete it.
- API request logs — 30 days.
- Billing records — 7 years, to meet tax and accounting requirements.
- Deleted workspaces — purged within 30 days of cancellation.
Security
Security is a working system, not a checkbox. Our current posture:
- SOC 2 Type II audited annually by an independent firm. Report available under NDA.
- Encryption — TLS 1.3 in transit, AES-256 at rest. API keys are stored as Argon2id hashes.
- Access control — least-privilege production access, hardware-key MFA, audit logs.
- Vulnerability management — third-party penetration test annually, continuous dependency scanning, a published responsible disclosure policy.
- Incident response — material incidents are reported to affected customers within 72 hours.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (the "right to be forgotten").
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent for processing based on consent.
- Lodge a complaint with your local data protection authority.
Most of these you can exercise directly from the dashboard. For anything you can't self-serve, email privacy@layersend.com and we'll respond within thirty (30) days.
Cookies & tracking
The marketing site (this page) uses only essential cookies — a session token if you're signed in, and a preferences cookie for theme. We do not use third-party advertising or behavioral-tracking cookies.
The dashboard uses additional first-party cookies for authentication, CSRF protection, and product analytics.
International transfers
LayerSend is headquartered in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. and other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021 modules), supplemented by the UK Addendum and Swiss equivalents as applicable.
Children
The Service is not directed to anyone under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can delete it.
Contact
Our Data Protection Officer can be reached at privacy@layersend.com.
Postal mail: LayerSend, Inc., Attn: DPO, 548 Market Street #51290, San Francisco, CA 94104, United States.
This policy will change as the product changes. We'll always update the "Last updated" date, and notify workspace admins by email for material changes.