Privacy Policy
Last updated:
1. Introduction
Time Macro LLC (“we”, “us”, “our”) operates CeyMail. This Privacy Policy explains how we collect, use, and protect information through the CeyMail website (ceymail.com) and CeyMail Mission Control software. By using our services, you agree to the collection and use of information as described in this policy.
2. Information We Collect
2.1 Account Information
Full name, email address, and company name (optional). Collected during registration and stored in our database.
2.2 Billing Information
Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription details (tier, status, current period dates) but never receive or store credit card numbers, bank account details, or payment method information.
2.3 Contact Form Submissions
Name, email address, subject, and message. Submitted through our contact form and stored in our database.
2.4 License Key Data
Cryptographic key hash, display key (last 8 characters), tier, resource limits, activation status, creation and expiry dates.
2.5 Server Activation Data
When CeyMail Mission Control activates a license, our activation API receives: license key ID, machine ID (a hashed hardware fingerprint), server IP address, and hostname.
2.6 Automatically Collected Information
httpOnly session cookies for authentication (Supabase auth JWT). We do not use tracking cookies, analytics cookies, or advertising cookies. IP addresses are used for rate limiting but are not stored persistently.
3. Information Processed by CeyMail Mission Control
3.1 Email Content
Email content is processed for spam screening purposes. Cloud mode sends email sender address, recipient addresses, subject line, and message body (up to 4,000 characters) directly from your server to Google Gemini 2.5 Flash via Google's Generative AI API for spam classification. Local mode processes the email body on your server using a DistilBERT model with no external data transfer. SpamAssassin performs rule-based filtering entirely on your server.
3.2 Screening Logs
Sender address, recipient addresses, subject (truncated), spam score, classification result, and action taken. Retained for a configurable period (default 90 days), then automatically purged.
3.3 Audit Logs
Administrator actions, target resource, action details, and IP address. Retained indefinitely by default (admin-managed).
3.4 System Metrics
CPU usage, memory usage, disk usage, mail queue size, and service health status. Stored locally on your server.
Important: Email content processed by Mission Control stays on your server or goes directly from your server to Google Gemini. It never passes through ceymail.com servers.
4. How We Use Your Information
We use the information we collect to: provide, maintain, and improve our services; process payments and manage subscriptions; generate and validate license keys; respond to contact form inquiries and support requests; protect against abuse and unauthorized access (via reCAPTCHA, rate limiting, and honeypot fields); and send transactional emails (magic link authentication, billing notifications, license expiry alerts).
We do not use your information for advertising, profiling, or selling to third parties.
5. Third-Party Services
5.1 Stripe (Stripe, Inc.)
Processes all payments. Receives your email address and customer metadata. Subject to the Stripe Privacy Policy.
5.2 Google reCAPTCHA v3 (Google LLC)
Bot protection on signup, login, and contact forms. Google receives the reCAPTCHA token, your IP address, and browser information for risk scoring. Subject to the Google Privacy Policy and Google Terms of Service.
5.3 Google Gemini API (Google LLC)
AI spam screening in Cloud mode only. Your server sends email content directly to Google's Generative AI API. This is opt-in — only activated when you enable Cloud screening mode in the Mission Control dashboard.
CeyMail uses the paid Gemini API. Under Google's paid API terms, Google does not use your prompts or responses to train its models or improve its products. Google processes paid API data in accordance with its Gemini API Additional Terms of Service and acts as a Data Processor under its Data Processing Addendum. Google retains prompts and responses for up to 55 days solely for abuse monitoring and policy enforcement — not for training or product improvement. No human reviewers read paid API data unless it is flagged for policy violations.
5.4 Let's Encrypt (Internet Security Research Group)
SSL/TLS certificate provisioning via automated domain validation. Subject to the Let's Encrypt Privacy Policy.
5.5 CeyMail Activation API (api.ceymail.com, operated by Time Macro LLC)
Handles license activation and periodic heartbeat validation. Receives: license key ID, machine ID (hashed hardware fingerprint), and subscription tier.
5.6 CeyMail Update Server (updates.ceymail.com, operated by Time Macro LLC)
Checks for available software updates. Sends a GET request with User-Agent header only. No personal data is transmitted.
6. Cookies and Tracking
We use only essential session cookies required for authentication (Supabase auth JWT, httpOnly, Secure, SameSite attributes). We do not use: analytics cookies, tracking pixels, advertising cookies or identifiers, browser fingerprinting, Google Analytics, Mixpanel, Plausible, or any other third-party tracking service.
Google Fonts (Poppins) are served via Next.js font optimization, meaning font files are self-hosted after build with no runtime requests to Google's servers.
7. Data Security
We implement industry-standard security measures including: Ed25519 cryptographic signing for license keys; AES-256-GCM encryption for stored API keys (such as Google Gemini API keys); SSHA512 password hashing for mail account credentials; HTTPS/TLS encryption on all connections; Content Security Policy (CSP) headers and security headers (HSTS, X-Frame-Options, X-Content-Type-Options); Row-Level Security (RLS) policies in our database; rate limiting on all public-facing API endpoints; and CSRF protection on all authenticated requests.
While no system is 100% secure, we take reasonable measures to protect your information.
8. Data Retention
Account data: retained while your account is active; deleted upon request.
Subscription data: synced from Stripe; retained until the Stripe subscription is deleted.
License keys: retained until expired or revoked.
Contact form submissions: retained until the inquiry is resolved, then archived.
AI screening logs: retained for 90 days by default (configurable via log_retention_days setting), then automatically purged.
Audit logs: retained indefinitely by default, managed by server administrator.
System metrics: retained indefinitely by default, managed by server administrator.
9. Your Rights
You may: access your personal data through your portal settings and license management page; correct your account information through portal settings; request account deletion by contacting support@ceymail.com; request data export by contacting support@ceymail.com; and object to specific processing activities.
For EU/UK residents (GDPR): you have rights of access, rectification, erasure, data portability, restriction of processing, and objection.
For California residents (CCPA): you have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
10. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
11. International Data Transfers
Our website infrastructure is hosted in the United States. Stripe and Google operate globally and may process data in various jurisdictions. By using our services, you consent to the transfer of your information to the United States and other countries where our service providers operate. We ensure that any such transfers comply with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account or through a prominent notice on our website. We will provide at least 30 days' notice before material changes take effect. Your continued use of the services after the notice period constitutes acceptance of the updated policy.
13. Contact
If you have questions about this Privacy Policy or your personal data, please contact us at support@ceymail.com.
Time Macro LLC.