Privacy Policy

This Privacy Policy applies to SenderOps, also referred to as Copland in some product and billing systems. It covers the website, application, APIs, support interactions, alerts, billing flows, and related services.

For account registration, billing, support, product analytics, security, and direct customer administration, the operator of SenderOps acts as the controller of personal data. When a customer uses the service to process workspace, domain, client, sender, or invited-user data on behalf of its own organization or clients, we process that data as a processor or service provider for the customer, as described in our agreement with that customer.

Privacy requests can be sent to the contact address shown below or through product support. We do not publish a physical address here where one has not been provided in the product or a signed agreement.

We collect information you provide, information generated through use of the service, and limited information from third-party providers needed to operate the product.

Account and workspace data includes name, email address, authentication details, workspace membership, roles, invitations, organization or agency relationships, support messages, preferences, consent choices, usage limits, subscription status, and audit/admin activity.

Domain and deliverability data includes domain names, DNS records and verification status, SPF, DKIM, DMARC, MX, reverse DNS, and authentication checks, blacklist check results, inbox placement and warmup signals, sending identity details, recommendation history, alert settings, webhook URLs, exports, and operational metadata related to monitored domains.

• Billing data: plan, subscription status, Stripe customer and subscription identifiers, invoices, payment status, tax-related details, and billing contact information. Full payment card details are handled by Stripe and are not stored by us.
• Technical and log data: IP address, device and browser information, session and authentication events, API requests, errors, queue/job activity, security events, performance data, and approximate location derived from technical signals.
• Communications data: transactional emails, alerts, invites, support requests, feedback, and related delivery metadata.

We use information to provide, maintain, secure, and improve SenderOps; authenticate users; manage workspaces and invitations; run DNS, authentication, blacklist, inbox placement, warmup, alerting, and recommendation workflows; process subscriptions; send transactional emails; respond to support requests; prevent abuse; and comply with legal obligations.

Where the GDPR applies, our lawful bases include performance of a contract for providing the service and billing customers, legitimate interests for security, product reliability, fraud prevention, customer support, service improvement, and business administration, consent for non-essential cookies and certain marketing activities, and legal obligation for tax, accounting, compliance, and dispute handling.

We may use aggregated or de-identified information to understand service reliability, feature adoption, deliverability trends, and product performance. We do not use aggregated or de-identified information to identify an individual.

• Contract: account access, workspace administration, monitoring workflows, subscription management, support, and service communications.
• Legitimate interests: security logging, abuse prevention, diagnostics, internal analytics, reliability, and product improvement.
• Consent: optional analytics cookies, marketing cookies, and marketing communications where consent is required.
• Legal obligation: accounting, tax, regulatory, dispute, and compliance records.

We use cookies, local storage, and similar technologies for security, authentication, session continuity, preferences, and consent records. Necessary cookies and storage are required for the site and application to function.

Our cookie consent controls separate cookies into necessary, analytics, and marketing categories. Analytics and marketing cookies are off unless you choose them, and you can change those preferences through the cookie preferences link in the product.

Analytics cookies help us understand aggregate product and website usage. Marketing cookies help us measure campaigns and tailor marketing communications. Browser settings may also allow you to block or delete cookies.

We share information with service providers and subprocessors that help us operate SenderOps, including hosting and infrastructure providers, database and queue infrastructure, authentication providers, Stripe for subscription billing and payment processing, Resend for transactional emails where configured, analytics and error monitoring tools, support tools, and AI providers used for AI-assisted recommendations where enabled.

We may also share information with your authorized workspace users, admins, agency or client workspace relationships, and integrations you configure, such as alert webhooks. We may disclose information when required by law, to protect rights and security, to investigate abuse, in connection with a business transaction, or with your instructions or consent.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising unless you have consented through the relevant cookie or marketing controls.

We keep personal data and workspace data for as long as needed to provide the service, maintain security, support customers, comply with legal and accounting obligations, resolve disputes, enforce agreements, preserve auditability, and operate backups.

Account and workspace records are generally retained while the account or workspace is active. Domain diagnostics, alerts, recommendations, logs, and audit records may be retained for a reasonable period after deletion or termination to support security, billing, troubleshooting, legal compliance, and backup recovery. Billing and tax records are retained for the periods required by applicable law.

Workspace owners may request deletion of accounts, workspaces, or domains through support. We may need to verify identity and authority before completing a request, and some information may remain where retention is required or permitted for legal, billing, security, fraud prevention, dispute, or backup reasons.

We use technical and organizational safeguards designed to protect accounts, workspaces, domain diagnostics, billing identifiers, logs, and support data. These safeguards include access controls, authentication, least-privilege operational access, encryption in transit, monitoring, backups, audit records, and provider security controls appropriate to the service.

No internet service is perfectly secure. Customers should use strong authentication practices, keep invited users current, restrict admin access, protect webhook URLs and credentials, and contact us promptly if they suspect unauthorized access or security issues.

If you are in the European Economic Area, the United Kingdom, Switzerland, or another region with similar privacy rights, you may have the right to access, correct, delete, restrict, or export your personal data, object to certain processing, withdraw consent where processing is based on consent, and lodge a complaint with your local supervisory authority.

You can make a request using the privacy contact below or through product support. We may verify your identity and workspace authority before acting on a request. If we process your data on behalf of a customer, we may refer your request to that customer or act on the customer's instructions.

SenderOps and our service providers may process information in countries outside your country of residence, including outside the European Economic Area or the United Kingdom. Those countries may have data protection laws that differ from yours.

Where required, we use appropriate safeguards for international transfers, such as standard contractual clauses, data processing agreements, transfer impact assessments, provider security commitments, and other lawful transfer mechanisms.

Customers that need a data processing agreement for GDPR or similar requirements may contact us using the privacy contact below. A signed DPA or order form may include additional details about processing instructions, subprocessors, audits, security measures, and assistance with data subject requests.

We use subprocessors and service providers only where they support operation of the service or related business functions. We remain responsible for selecting providers appropriate to their role and for putting contractual protections in place where required.

SenderOps is intended for business use and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to the service, contact us so we can take appropriate action.

We may update this policy as the service, providers, laws, or data practices change. When changes are material, we will take reasonable steps to notify affected customers, such as updating the effective date, providing in-product notice, or sending email to account or workspace contacts.

The version posted on this page applies from the effective date shown above.

Questions, privacy requests, DPA requests, and complaints can be sent to the contact address shown below or through the support options available in the product.