Privacy Policy

1. Introduction

Mailbuttons is operated by Code Cutter Limited, a company registered in England and Wales (company number 08453060) with registered office at Unit 96 The Maltings Business Centre, Stanstead Abbotts, Ware, Herts, SG12 8HG ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Mailbuttons platform.

For information collected by us about you on our own behalf — including account, billing, and support data — Code Cutter Limited (trading as Mailbuttons) acts as the data controller. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, and operate security controls aligned with ISO/IEC 27001.

Customers acting as Data Controllers and using the Service to process personal data of third parties are additionally subject to our Data Processing Agreement (DPA), which sets out the relationship between Code Cutter Limited (as Processor) and the Customer (as Controller) in respect of such processing.

2. Information We Collect

2.1 Personal Information

We may collect the following types of personal information:

• Contact information (name, email address, phone number)
• Account credentials and authentication data
• Payment and billing information
• Communication preferences
• Profile information and preferences

2.2 Usage Information

• Service usage data and analytics
• Device information and browser data
• IP addresses and location data
• Cookies and similar tracking technologies
• Email content processed through our platform

2.3 Business Information

• Company information and domain data
• Email routing and automation configurations
• Integration data with third-party services
• Support and communication records

3. How We Use Your Information

We use your information for the following purposes:

• Providing and maintaining our AI email automation services
• Processing and routing emails according to your configurations
• Managing your account and providing customer support
• Processing payments and billing
• Improving our services and developing new features
• Communicating with you about service updates and important notices
• Complying with legal obligations and protecting our rights
• Preventing fraud and ensuring platform security

4. Data Protection and Security

We implement comprehensive security measures to protect your information:

• Encryption of data in transit and at rest using industry-standard protocols
• Access controls and authentication mechanisms
• Regular security audits and vulnerability assessments
• Employee training on data protection and privacy
• Incident response procedures for data breaches
• Compliance with ISO/IEC 27001 information security standards

5. Sub-processors and Information Sharing

We do not sell, trade, or rent your personal information. We engage a small, carefully-vetted set of sub-processors to deliver the Service. Each is bound by a written data processing agreement with terms equivalent to those we offer our Customers.

Beyond these sub-processors, we share information only in the following limited circumstances:

• With your explicit consent
• To comply with legal obligations, court orders, or lawful regulatory requests
• To protect our rights, property, or safety, or that of our users
• In connection with a business transfer, subject to equivalent privacy protections

6. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

• Account data: Retained while your account is active and for 7 years after closure
• Email content: Processed and deleted according to your configuration settings
• Audit logs: Retained for 7 years for security and compliance purposes
• Support communications: Retained for 3 years after resolution

7. Your Rights under UK and EU GDPR

Under UK GDPR and EU GDPR you have the following rights in respect of personal data we hold about you:

• Access: obtain confirmation of, and a copy of, your personal data
• Rectification: have inaccurate or incomplete information corrected
• Erasure: request deletion of your personal data (subject to legal retention obligations)
• Portability: receive your data in a structured, machine-readable format
• Restriction: require us to limit how we process your data
• Objection: object to processing carried out on the basis of legitimate interests
• Withdraw consent: withdraw consent where processing is based on consent

To exercise these rights, contact our Data Protection Officer at dpo@mailbuttons.com. We respond to verified requests within one month, as required by UK and EU GDPR.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, if you are based in the European Union, your local supervisory authority.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage patterns, and provide personalized content. You can control cookie preferences through your browser settings. For detailed information about our cookie usage, please see our Cookie Policy.

9. Data Residency and International Transfers

Mailbuttons operates with UK and EU data residency by default. Customer data, including the contents of email passing through your mailboxes and the audit logs derived from it, is stored within the United Kingdom and European Economic Area.

Where a sub-processor located outside the UK/EEA is used (notably Cloudflare for DNS / edge protection and, for opt-in hosted-agent features, Anthropic for LLM inference), transfers are made on the basis of UK Addendum / EU Standard Contractual Clauses and supplementary safeguards as required by UK and EU GDPR. A customer can elect to disable the hosted-agent LLM feature, in which case no customer email content leaves the UK/EEA.

Off-site backups are held by Backblaze, Inc. (US-incorporated) in their EU Central region (Amsterdam, Netherlands). All backup data is encrypted client-side with a key we control before leaving our infrastructure; Backblaze cannot read backup contents in plaintext. The transfer relationship is governed by UK Addendum / EU Standard Contractual Clauses.

10. Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

12. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us: