Privacy Policy

Last updated: 27 February 2026

This Privacy Policy describes how OctusRelay ("we", "us", "our"), part of the OctusCloud ecosystem, collects, uses, and protects personal data when you use our email delivery services, website, and APIs (collectively, the "Service").

1. Data Controller

OctusRelay, operated by OctusCloud, is the data controller for personal data processed in connection with your use of the Service. For questions about data processing, contact us via our contact form.

2. Data We Collect

Account Information

When you create an account, we collect your name, email address, company name, and billing information. This data is necessary to provide the Service and manage your subscription.

Email Metadata

When you send email through OctusRelay, we process and store metadata including sender and recipient addresses, subject lines, timestamps, delivery status, and message identifiers. We do not store the body content of emails beyond the time required for delivery (typically under 60 seconds).

Usage Data

We collect technical data about your use of the Service, including API call logs, IP addresses, user agent strings, and access timestamps. This data is used for security monitoring, debugging, and service improvement.

Website Analytics

Our website collects standard web analytics data including pages visited, referral source, browser type, and approximate location. We do not use third-party tracking cookies or advertising networks.

3. How We Use Your Data

We use your personal data for the following purposes:

• Providing and maintaining the email delivery Service
• Processing delivery analytics and generating reports
• Communicating with you about your account, billing, and service updates
• Detecting and preventing abuse, fraud, and unauthorised access
• Monitoring and improving service reliability and performance
• Complying with legal obligations

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Contract: Processing necessary to provide the Service under our Terms of Service
• Legitimate interest: Security monitoring, fraud prevention, and service improvement
• Legal obligation: Tax records, regulatory compliance
• Consent: Marketing communications (where applicable)

5. Data Storage and Retention

All data is stored in European data centres operated by Hetzner Online GmbH and OVH SAS. No data is transferred outside the European Economic Area.

We retain account data for as long as your account is active and for 90 days after deletion. Email delivery metadata is retained for 30 days. Billing records are retained for seven years as required by applicable tax law.

6. Data Sharing

We do not sell personal data. We share data only with the following categories of recipients:

• Infrastructure providers: Hetzner and OVH for server hosting (EU data centres only)
• Payment processor: For billing and subscription management
• Legal authorities: When required by law or valid legal process

7. Your Rights

Under the GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate personal data
• Request erasure of your personal data
• Restrict processing of your personal data
• Data portability (receive your data in a structured format)
• Object to processing based on legitimate interests
• Withdraw consent at any time (where processing is based on consent)

To exercise these rights, contact us via our contact form. We will respond within 30 days.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest, access controls, and regular security audits. All SMTP connections require TLS encryption.

9. Cookies

Our website uses only essential cookies required for the Service to function (session management, authentication). We do not use advertising or tracking cookies. No cookie consent banner is required as we only use strictly necessary cookies.

10. Data Processing Agreements

Enterprise customers may request a Data Processing Agreement (DPA) that complies with Article 28 of the GDPR. Contact us to request a signed DPA.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email to account holders. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

For privacy-related enquiries:
Use our contact form for all enquiries.
General enquiries: Contact page