Privacy Policy

This Privacy Policy describes how Baytree Software Technologies LLC ("Company", "we", "us", or "our") collects, uses, and shares information when you use the Croft API and related services ("Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address
• Organization name
• Billing information (processed by Stripe)

1.2 Email Content

When you use the Service to send or receive emails, we process:

• Email message content (subject, body, headers)
• Sender and recipient addresses
• Timestamps and delivery metadata
• Attachments and their metadata

1.3 API Usage Data

We automatically collect:

• API requests and responses (excluding sensitive content)
• IP addresses
• Request timestamps
• User agent information
• Error logs and debugging information

1.4 Webhook Data

When you configure webhooks, we collect:

• Webhook endpoint URLs
• Delivery attempts and responses
• Event payloads sent to your endpoints

2. How We Use Information

We use collected information to:

• Provide the Service - Process and deliver emails, store attachments, deliver webhooks
• Maintain and Improve - Monitor performance, fix bugs, develop new features
• Communicate - Send service announcements, respond to support requests
• Billing - Process payments, prevent fraud
• Security - Detect abuse, protect against unauthorized access
• Legal Compliance - Respond to legal requests, enforce our Terms

3. Information Sharing

3.1 Service Providers

We share information with third-party services that help us operate:

3.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to:

• Protect our rights, privacy, safety, or property
• Enforce our Terms of Service
• Respond to claims of content violations

3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

3.4 With Your Consent

We may share information with your consent or at your direction.

4. Data Retention

4.1 Email Data

• Active accounts: Email content and metadata retained until you delete them
• Deleted emails: Permanently deleted within 30 days
• Attachments: Deleted when associated email is deleted

4.2 Account Data

• Active accounts: Retained while account is active
• Closed accounts: Deleted within 90 days of account closure
• Billing records: Retained for 7 years for legal/tax compliance

4.3 Logs and Analytics

• API logs: Retained for 30 days
• Error logs: Retained for 90 days
• Aggregated analytics: May be retained indefinitely

5. Data Security

We implement security measures including:

• Encryption in transit (TLS) and at rest
• API key hashing using Argon2id
• Access controls and authentication
• Regular security assessments
• Sensitive data redaction in logs

However, no system is completely secure. You are responsible for maintaining the confidentiality of your API keys.

6. Your Rights

6.1 Access and Portability

You can:

• Access your data through the API
• Export your email data
• Request a copy of your account information

6.2 Deletion

You can:

• Delete individual emails and attachments via API
• Delete your entire account by contacting us
• Request deletion of specific personal information

6.3 Correction

Contact us to correct inaccurate account information.

6.4 Objection and Restriction

You may object to certain processing activities. Contact us to discuss your concerns.

7. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US.

For EU/EEA users: We rely on Standard Contractual Clauses and other lawful transfer mechanisms.

8. California Privacy Rights

California residents have additional rights under the CCPA/CPRA:

• Right to Know: Request disclosure of collected information
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: We do not sell personal information
• Non-Discrimination: We will not discriminate against you for exercising rights

To exercise these rights, contact us at [email protected].

9. European Privacy Rights

EU/EEA residents have rights under GDPR:

• Access: Obtain a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion ("right to be forgotten")
• Restriction: Limit processing of your data
• Portability: Receive data in machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent where processing is based on consent

• Contract performance (providing the Service)
• Legitimate interests (security, fraud prevention, improvement)
• Legal obligations (compliance, legal requests)
• Consent (where specifically obtained)

To exercise these rights, contact us at [email protected].

10. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it.

11. Cookies and Tracking

Our API does not use cookies. Our documentation and website may use:

• Essential cookies for functionality
• Analytics cookies (with consent where required)

12. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Service. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or to exercise your rights:

Email: [email protected]

For EU residents, you may also contact your local data protection authority.

15. Data Protection Officer

For GDPR-related inquiries:

Email: [email protected]