Privacy Policy

The Short Version

• We collect what we need to run the service, nothing more
• We don't sell your data or your customers' data
• We connect to your POS (Square, Clover) to track revenue, not to mine your sales data
• Your subscriber lists belong to you
• SMS phone numbers are handled with the same care as email addresses
• You can delete your account and data anytime

What We Collect

Account Information

When you sign up, we collect:

• Your name and email address
• Your business name
• Payment information (processed securely by Stripe)

Your Subscriber Data

When you import or add subscribers (or when customers join via QR code or SMS), we store:

• Email addresses of your subscribers
• Phone numbers (for SMS subscribers)
• Names (if provided)
• How they joined (import, QR code, SMS opt-in, manual entry)
• Any tags or segments you create
• Unsubscribe/opt-out status and dates
• Email engagement history (clicks, bounces)
• SMS delivery status

Your subscriber data belongs to you. We process it only to send emails and SMS messages on your behalf and track campaign performance. We will never use your subscriber list to send our own messages or share it with third parties.

QR Code Sign-Up Data

When customers join your list via QR code, we receive:

• Their email address (from the "From" field of their email)
• Their name (if their email client includes it)
• The email subject and a short snippet of body text (typically empty for join emails)

We automatically send a branded welcome email to new subscribers who join via QR code. This email confirms their subscription and introduces your business.

POS Integration Data (Square, Clover)

When you connect your POS account (Square or Clover), we access:

• Product catalog: Item names, descriptions, and categories
• Recent orders: Order line items and amounts from the past 14 days (to identify actively selling products)
• Promo code redemptions: Which codes were used and transaction amounts

Why we access this: We use product and order data to help our AI write emails that mention products you actually sell. If your best-seller this week is the "Oat Milk Latte," we can reference it by name instead of making something up.

We do not access customer personal information, payment card details, employee data, or data beyond what's listed above. We never share your POS data with third parties.

Email Campaign Data

For each email campaign you send, we track:

• Who received the email
• Who clicked links in the email
• Who unsubscribed
• Revenue attributed via promo codes

We intentionally do not track open rates. They're unreliable since Apple Mail Privacy Protection launched, and we'd rather show you metrics that actually mean something.

SMS Campaign Data

For each SMS campaign you send, we track:

• Who received the message
• Delivery status (delivered, failed, pending)
• Who opted out (replied STOP)
• Revenue attributed via promo codes

SMS messages are sent through our carrier partner (Telnyx) which requires us to maintain records of message delivery for compliance purposes.

SMS Registration Data

To comply with carrier regulations (10DLC), when you enable SMS we collect:

• Your business EIN (Employer Identification Number)
• Business physical address
• Business type and description

This information is required by The Campaign Registry (TCR) and mobile carriers to verify your business identity and approve your SMS campaigns. We encrypt your EIN at rest and only share it with TCR for registration purposes.

Automatic List Hygiene

To maintain healthy email delivery, we automatically:

• Mark hard-bounced emails as inactive (invalid addresses)
• Remove addresses that generate spam complaints
• Track engagement to identify inactive subscribers

This happens automatically to protect your sender reputation and ensure your emails reach real inboxes. We do not delete subscriber records — we mark them inactive so you retain the historical data.

Technical Data

Like most websites, we collect:

• IP addresses
• Browser type and version
• Pages visited and actions taken

This helps us maintain security and improve the product.

How We Use Your Data

• To provide the service: sending emails and SMS messages, tracking performance, managing your account
• To generate content: our AI uses your business info and products to draft relevant, accurate emails and SMS messages
• To register your SMS capability: submitting your business information to carriers for 10DLC compliance
• To charge you: processing payments for campaigns
• To communicate with you: account notifications, support responses, occasional product updates
• To improve the product: understanding how people use Cherub Email to make it better

AI Content Generation

We use AI (specifically Anthropic's Claude) to help draft email content. When generating content, we send:

• Your business name, type, and description
• Products you're actively selling (from your POS, if connected)
• The campaign details you provide (offer type, dates, promo code)

We do not send your subscriber list, customer names, or personal data to the AI. Generated content is based on your business, not your customers.

What We Don't Do

• We don't sell your data or your subscribers' data
• We don't share data with third parties for advertising
• We don't use your subscriber lists for our own marketing
• We don't build profiles of your customers

Third-Party Services

We use a few third-party services to run Cherub Email:

• Postmark: for sending emails
• Telnyx: for sending SMS messages and managing phone numbers
• The Campaign Registry (TCR): for SMS carrier compliance and business verification
• Stripe: for payment processing
• Square & Clover: for product data and revenue tracking (only with your authorization)
• Anthropic: for AI-powered content generation (business info only, not customer data)
• PostHog: for product analytics (page views, feature usage, no personal customer data)

Each of these services has their own privacy policies and handles only the data necessary for their specific function.

Data Retention

• Account data: kept while your account is active, deleted within 30 days of account deletion
• Subscriber data: kept while your account is active, deleted within 30 days of account deletion
• Email campaign data: kept for 2 years for your reference, then archived
• SMS campaign data: kept for 5 years as required by TCPA and carrier regulations
• SMS opt-out records: kept indefinitely to ensure we never message someone who opted out
• Payment records: kept for 7 years as required by tax law

Your Rights

You can:

• Access your data: Download your subscriber list and campaign history anytime from your dashboard
• Correct your data: Update your account information in settings
• Delete your data: Delete your account, and we'll remove your data within 30 days
• Export your data: Download everything in standard formats (CSV, JSON)

If you're in the EU or California and want to exercise additional rights under GDPR or CCPA, email privacy@cherubemail.com.

Your Subscribers' Rights

Email: Your subscribers can unsubscribe from any email using the unsubscribe link we automatically include. When they unsubscribe, they're removed from your active list and won't receive future email campaigns.

SMS: Your subscribers can opt out of SMS messages at any time by replying STOP to any message. We automatically process these opt-outs and remove them from your SMS list. They can re-subscribe by texting START. These keywords are required by mobile carriers and cannot be changed.

You are responsible for complying with privacy laws regarding your subscribers. This means getting proper consent before adding people to your list (email or SMS), honoring unsubscribe/opt-out requests, and following TCPA requirements for SMS marketing.

Security

We take reasonable measures to protect your data:

• All data is encrypted in transit (HTTPS) and at rest
• Access to production systems is restricted and logged
• We don't store full credit card numbers (Stripe handles that)
• Regular security reviews and updates

No system is 100% secure, but we take this seriously.

Cookies

We use cookies for:

• Keeping you logged in
• Remembering your preferences
• Basic analytics (how people use the site)

We don't use tracking cookies from ad networks or social media platforms.

Children

Cherub Email is not intended for use by anyone under 18. We don't knowingly collect data from minors.

Changes to This Policy

If we make significant changes to this policy, we'll notify you by email. Minor clarifications or updates won't be announced but will be reflected in the "last updated" date.

Contact

Questions about privacy? Email us at privacy@cherubemail.com.