Privacy Policy

Last updated: March 2026

Neshys ("we", "us", or "our") is a PR and media outreach platform that helps public relations agencies and freelancers manage journalist contacts, send personalized pitches, and track press coverage. This Privacy Policy explains how we collect, use, and protect your information when you use our platform.

1. Information we collect

We collect the following types of information:

  • Account data: When you register, we collect your email address, full name, and password. We also store your preferences such as timezone, language, and theme settings.
  • Contact data: You upload and manage journalist and media contact information, including names, email addresses, companies, positions, phone numbers, locations, and other professional details.
  • Email content: We store the email campaigns, messages, and follow-ups you create and send through our platform, including subject lines, body content, and attachments.
  • Usage data: We collect information about how you use the platform, including campaign statistics and interaction patterns.
  • Cookies: We use HttpOnly authentication cookies to maintain your login session. A non-HttpOnly flag cookie indicates login status to the frontend. We do not use third-party advertising or analytics cookies.

2. How we use your information

We use the information we collect to:

  • Provide and maintain the Neshys platform, including contact management, campaign creation, and email delivery.
  • Send campaign emails on your behalf using our email delivery provider (Mailgun) to deliver your pitches and follow-ups to your media contacts.
  • Send you transactional emails (such as email verification, password resets, and account notifications) using our transactional email provider (Resend).
  • Provide campaign analytics, including delivery rates, open rates, click rates, and bounce tracking.
  • Enforce subscription limits, usage tracking, and billing for your workspace.
  • Validate email addresses by checking DNS records (MX lookups) when contacts are created or imported.

3. Email tracking

When you send campaigns through Neshys, we use tracking features provided by our email delivery provider to give you campaign analytics:

  • Open tracking: Emails may contain a small transparent tracking pixel. When a recipient's email client loads this image, we record an open event.
  • Click tracking: Links in HTML emails may be routed through our tracking service to record click events before redirecting to the original destination.
  • Delivery and bounce tracking: We receive webhook notifications from our email provider about delivery successes, bounces, and spam complaints. This data is used to maintain email deliverability and manage suppression lists.
  • Unsubscribe: Every campaign email includes a List-Unsubscribe header (RFC 8058) allowing recipients to opt out. Unsubscribed addresses are added to a workspace-scoped suppression list and will not receive further emails from that workspace.

These analytics are available to you as the campaign sender to measure the effectiveness of your outreach. Recipients are not individually identified to third parties through this tracking.

4. Data sharing and service providers

We share your data only with the following service providers (sub-processors), as necessary to operate the platform:

  • Mailgun (Sinch): We use Mailgun for campaign email delivery. Your email content, recipient addresses, and sender information are processed through Mailgun's infrastructure. Mailgun also sends us delivery event data (bounces, complaints, opens, clicks) via webhooks. We use Mailgun's European Union region for data processing.
  • Resend (Plus Five Five, Inc.): We use Resend for transactional email delivery — specifically, account verification emails and password reset emails. Your email address and the email content (generated from our templates) are processed through Resend's infrastructure. Emails are dispatched from the EU (Ireland), while account data is stored in the United States. Resend is certified under the EU-US Data Privacy Framework.
  • Hetzner Online GmbH: We use Hetzner for server hosting and compute infrastructure. All application data passes through Hetzner's servers during processing. Hetzner is based in the European Union (Germany/Finland).
  • Ubicloud: We use Ubicloud for our managed PostgreSQL database. All persistent application data — including user accounts, contacts, campaigns, and email events — is stored in Ubicloud's infrastructure. Ubicloud is hosted in the European Union.
  • Amazon Web Services (AWS): We use Amazon S3 for file storage. Campaign attachments and email signature images are stored in S3. AWS data centers are located in the European Union.
  • Google: If you choose to sign in with Google, your Google account identifier and email address are received from Google's Identity Services to authenticate your account. No contact or campaign data is shared with Google.
  • DNS providers: We query public DNS servers (such as Google DNS and Cloudflare DNS) to validate email domains during contact creation and to verify custom sending domains. Only domain names are queried — no personal data is shared.

We do not sell, rent, or trade your personal data or your contacts' data to any third parties. We do not share your data with advertisers or data brokers.

A complete list of our sub-processors is maintained at our Sub-processors page. We will notify users of any material changes to this list.

5. Data security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

  • All data is encrypted in transit using TLS/HTTPS.
  • Data at rest is encrypted using industry-standard encryption.
  • User passwords are securely hashed using bcrypt and are never stored in plain text.
  • Authentication uses HttpOnly cookies with short-lived access tokens (30 minutes) and rotating refresh tokens. Refresh tokens are stored as SHA-256 hashes.
  • CSRF protection is enforced on all state-changing requests for cookie-authenticated sessions.
  • Rate limiting is applied to authentication endpoints and sensitive operations to prevent abuse.
  • Access to your workspace data is controlled through role-based permissions (Owner, Admin, Editor, Viewer, Sender).

6. International data transfers

Some of our service providers are based outside the European Economic Area (EEA). When your personal data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place:

  • Mailgun (European Union): Campaign email content and recipient addresses are processed by Mailgun in the EU region. No international transfer is required.
  • Resend (United States): Transactional email data (your email address and verification/reset email content) is processed by Resend in the US. Resend is certified under the EU-US Data Privacy Framework and also provides Standard Contractual Clauses.
  • Google (United States): If you use Google sign-in, authentication data is processed by Google under their privacy framework commitments.

Most of our infrastructure (Mailgun, Hetzner, Ubicloud, AWS) processes data within the EU. For providers based in the US (Resend, Google), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as legal mechanisms for international data transfers.

7. Your rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to erasure: You can request deletion of your personal data, subject to legal obligations we may have to retain certain records.
  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format. Our contact export feature (CSV/Excel) supports this right.
  • Right to object: You can object to the processing of your personal data in certain circumstances.
  • Right to restrict processing: You can request that we limit how we use your data in certain situations.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. Data retention

  • Account data: We retain your account information for as long as your account is active. You may request deletion of your account and associated data at any time.
  • Contact data: Contact information you upload is retained within your workspace until you delete it or request account deletion. Contacts with campaign history are soft-deleted (marked as removed but retained for campaign record integrity).
  • Email events: Campaign delivery data (sends, opens, clicks, bounces) is retained for analytics purposes. After the retention window, personal data in email events (recipient email addresses, IP addresses, user agents) is anonymized. Anonymized aggregate statistics (delivery counts, open/bounce rates) are retained indefinitely. Suppression list entries (bounces, complaints, unsubscribes) are retained indefinitely to protect email deliverability.
  • Campaign content: Email campaign content (subjects, pitches, messages) is retained for your reference and follow-up threading. You may delete campaigns while they are in draft status. Completed campaign visibility is limited by your subscription plan (3 months for Starter, 12 months for Pro, unlimited for Agency/Enterprise). After the retention window (minimum 12 months), personal data is automatically anonymized: recipient identity links are severed, email addresses are removed, and campaign attachments are deleted. Anonymized delivery statistics (send counts, open rates, bounce rates) are preserved for analytics. Data on plans with unlimited history is never anonymized.

9. Cookies and browser storage

Neshys uses three cookies for authentication: an HttpOnly access token cookie (30-minute expiry), an HttpOnly refresh token cookie (7-day expiry, scoped to the authentication endpoint), and a JavaScript-readable login flag cookie. We do not use third-party advertising or analytics cookies. No personal data is shared with third-party cookie providers.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or through an in-app notification.

11. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

[email protected]

© 2026 Neshys. All rights reserved.