Privacy Policy
Effective date: 1 June 2026 · Version 1.0
1. Who we are
NewslettersSuck.Email is operated by [Company Legal Name], a company registered in South Africa ([Registration Number]), with its registered office at [Physical Address] ("we", "us", "our").
We are the Responsible Party under the Protection of Personal Information Act 4 of 2013 ("POPIA") and the Data Controller under the UK General Data Protection Regulation and EU GDPR (collectively "GDPR"), in respect of personal information we process about you.
Our Information Officer for POPIA purposes can be reached at: [io@newsletterssuck.email].
2. What personal information we collect
2.1 Information you give us
- Account data: work email address, company name and website URL (collected at signup).
- Kickoff form data: brand voice adjectives, target audience description, approver email addresses, send window preference, physical mailing address for CAN-SPAM compliance.
- Billing data: we use Stripe to process payments. We never store full card numbers; Stripe holds payment instrument data on our behalf under their own privacy policy.
- Approval replies: email reply content from designated approvers. Replies are processed to determine newsletter approval or revision instructions and are not used for any other purpose.
2.2 Information we collect automatically
- Usage logs: page views, API calls, error reports (Azure Application Insights). We reference events by ID — we do not log recipient email addresses in telemetry.
- Audit log: every AI model call, debate turn, approval reply, email-tool API call and billing event is stored for 7 years for regulatory compliance. Entries reference objects by internal ID only.
2.3 Information from third parties
- Your website and public web presence: with your explicit consent at signup, we scrape your company website, public LinkedIn company page and publicly available newsletter archives to pre-populate your brand kit.
- Your email service provider: we receive campaign-level performance statistics (open rates, click rates — aggregated, not per-recipient) from your connected provider. We never receive or store the personal information of your newsletter recipients.
3. How we use your personal information
| Purpose | Lawful basis (POPIA) | Lawful basis (GDPR) |
|---|---|---|
| Provide the newsletter production and sending service | Contractual necessity | Article 6(1)(b) — contract performance |
| Process payments and manage subscriptions | Contractual necessity | Article 6(1)(b) — contract performance |
| Send transactional emails (approval requests, reports, invoices) | Contractual necessity | Article 6(1)(b) — contract performance |
| Comply with legal obligations (audit log, tax records) | Legal obligation | Article 6(1)(c) — legal obligation |
| Detect, prevent and investigate fraud or abuse | Legitimate interest | Article 6(1)(f) — legitimate interests |
| Improve our AI model prompts and debate pipeline (aggregated, anonymised only) | Legitimate interest | Article 6(1)(f) — legitimate interests |
We do not use your newsletter content or approval replies to train AI models. All Azure OpenAI calls are made against zero-data-retention endpoints where Microsoft's abuse monitoring is disabled at your request.
4. Who we share your information with
- Microsoft Azure — our cloud infrastructure provider (Azure SQL, Azure Container Apps, Azure Key Vault, Azure OpenAI). Hosting is in South Africa North. Data Processing Agreement in place.
- Stripe — payment processing. Stripe is a PCI-DSS Level 1 certified payment processor. Their privacy policy governs your payment data.
- SendGrid (Twilio) — transactional email delivery (approval requests, reports). We do not use SendGrid to send your newsletter campaigns; that is handled by your own connected email service provider.
- Your email service provider — we push newsletter content to the email service provider you connect (e.g. Mailchimp, HubSpot, TouchBasePro). We share only the campaign content and scheduling instructions; we do not share your account credentials beyond the secure API key stored in Azure Key Vault.
We do not sell personal information. We do not share personal information with advertisers.
5. International transfers
Your data is stored in Azure South Africa North (Johannesburg). We do not replicate or back up data outside this region without updating this policy. Where third-party processors (e.g. Stripe, SendGrid) operate outside South Africa, we have ensured they provide appropriate safeguards under POPIA section 72 and GDPR Chapter V (standard contractual clauses where applicable).
6. How long we keep your information
- Account and brand kit data: retained for the duration of your subscription plus 30 days post-cancellation, then permanently deleted.
- Audit log entries: retained for 7 years from creation, then deleted, as required by applicable financial record-keeping regulations.
- Billing records: retained for 7 years for tax purposes.
- Approval replies: retained for the duration of your subscription plus 30 days, then deleted as part of the hard-delete process.
When you cancel your subscription, you will receive an export of your data immediately. After 30 days, all data (except audit log and billing records) will be permanently deleted and a deletion certificate will be emailed to you.
7. Your rights
Under POPIA and GDPR, you have the right to:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct inaccurate or incomplete data.
- Erasure / Hard-delete: request deletion of your data (subject to legal hold requirements). Cancelling your subscription triggers automatic deletion after 30 days.
- Object: object to processing based on legitimate interests.
- Portability: receive your data in a machine-readable format (available via the portal export feature).
- Withdraw consent: where processing is based on consent (e.g. website scraping), withdraw it at any time by contacting us. Withdrawal does not affect past processing.
To exercise any right, email [privacy@newsletterssuck.email]. We will respond within 30 days (POPIA) / 1 month (GDPR). You also have the right to lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za) or your national data protection authority.
8. Security
All data is encrypted at rest (Azure SQL Transparent Data Encryption) and in transit (TLS 1.2+). Email-tool API credentials are stored in Azure Key Vault, not in the database. We conduct periodic security reviews aligned with the OWASP Top 10.
9. Cookies
We use strictly necessary cookies for session management. See our Cookie Policy for full details.
10. Changes to this policy
We will notify you by email at least 14 days before making material changes to this policy. The "effective date" at the top of this page will be updated on each revision. Continued use of the service after the effective date constitutes acceptance.