
Last updated: May 27, 2026

Privacy Policy

MailSprout (“we,” “us”) is a self-service custom-domain email service operated by Florida Sound Man LLC doing business as MailSprout. This policy explains what data we collect, how we use it, and the choices you have.

What we collect

We collect the minimum information needed to provide the service:

  • Account info: your email address and authentication identifier from our sign-in provider (Clerk). We do not store passwords ourselves.
  • Billing info: handled by Stripe. We receive a customer ID and subscription status from Stripe but do not store your full credit card details.
  • Domain and account configuration: the domain names you add to MailSprout and the name (the bit before the @) of each email account you create.
  • Email content: your inbound and outbound email is stored on our backend provider MxRoute's servers in the United States. We do not read, scan, or train machine-learning models on your email content.
  • Operational logs: minimal access logs for security and abuse prevention. We store IP address and user agent only as HMAC-SHA256 hashes (not the raw values) so logs cannot be used to re-identify visitors. Operational access logs are retained for 30 days.
  • Send-volume counters: we keep per-account monthly send totals for billing, fair-use enforcement, and abuse detection. These are aggregate counts, not message contents.
  • Consent records: when you accept our Terms, AUP, and this Privacy Policy, we keep a permanent record (user ID, consent version, timestamp, hashed IP, and hashed user agent). Required as legal evidence of your agreement.
  • Referral relationships: if you sign up via a friend's referral link, we store the link between your account and the referrer so we can apply the mutual one-month credit. You can use the referral program without giving us any extra information.
  • Email migration: MailSprout links to the free imapsync web app (imapsync.lamiral.info) for copying mail from a previous provider. That tool runs entirely in your browser and connects directly between your old provider and MailSprout — your source-mailbox credentials are never sent to MailSprout's servers.

Lawful basis for processing (GDPR)

We process account data and email content on the basis of contract performance (GDPR Art. 6(1)(b)). Consent records, abuse logs, and operational metadata are processed on the basis of legitimate interests (GDPR Art. 6(1)(f)) and, where applicable, legal obligation (GDPR Art. 6(1)(c)).

What we don't collect

  • We do not sell your data. Ever.
  • We do not run ads against your email content.
  • We do not use third-party analytics that profile individual users. We use Vercel Web Analytics, which is first-party, cookieless, and does not follow you across other sites.
  • We do not ourselves require a physical address or phone number to use MailSprout. The one place these can be collected is Stripe Checkout, which gathers billing-address details (and, in some cases, a phone number for fraud screening) on behalf of card networks. That data lives with Stripe and is shared back to us as part of standard payment processing. See the Stripe subprocessor entry below for their policy.

Subprocessors

We rely on these third parties to provide MailSprout. Each has its own privacy policy:

Email migration

MailSprout provides migration guides and links to the free imapsync web app for copying mail from Gmail, Microsoft 365, iCloud, Zoho, or any IMAP-based provider. The imapsync web app runs in your browser and transfers mail directly between your old provider and MailSprout. Your source-mailbox password is entered into imapsync's interface and is never transmitted to MailSprout's servers.

Anti-fraud and anti-spam data sharing

Our mail infrastructure provider, MxRoute (a service of TuxByte, LLC), uses two third-party services for fraud and spam enforcement that may involve sharing your account data:

  • FraudLabs Pro. Our mail infrastructure provider, MxRoute, uses FraudLabs Pro to screen its own reseller-customer base for fraud risk. This is a backend operational check by MxRoute, not a per-signup screen by MailSprout. We do not send user-level signup data directly to FraudLabs Pro. See fraudlabspro.com/privacy-policy for FraudLabs Pro's own data handling.
  • FraudRecord.com is queried at signup and receives account data (name, email, phone, address, IP address, signup domain, and the billing email registered with our payment processor) when an account is terminated for intentional spam or files a chargeback. This sharing is performed by MxRoute under their published terms at mxroute.com/terms. See fraudrecord.com/privacy.

We do not share your email content with either service. They only receive account metadata necessary for fraud and abuse prevention.

International data transfers and DPA

MailSprout stores and processes data in the United States. Our subprocessors (listed above) are US-based, so if you are located outside the US your data is transferred to and processed in the US.

If you are a business customer who acts as a data controller under the GDPR or UK GDPR, you can request a Data Processing Addendum (DPA) by emailing support@mailsprout.io. For EU and UK personal data, MailSprout relies on appropriate safeguards such as the Standard Contractual Clauses with its US-based subprocessors to provide a lawful basis for the transfer.

Your rights

You can access, export, correct, or delete your data at any time by emailing support@mailsprout.io, or by using the Delete account flow in your dashboard Settings. We respond to verified requests within 30 days.

For formal data subject requests under GDPR, CCPA, or other applicable privacy law, you may also email privacy@mailsprout.io. We respond within 30 days.

If you're in the EU/UK, you have additional rights under GDPR/UK GDPR including access, rectification, erasure, restriction, portability, and objection.

Your California rights and Do Not Sell or Share

If you're in California, you have rights under the CCPA/CPRA including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit use of sensitive personal information, and the right to non-discrimination. We do not sell or share your personal information. To exercise any of these rights, email privacy@mailsprout.io and we will respond within 30 days.

Data retention

Email content is retained as long as your subscription is active. If you cancel, you have 30 days to export your data before we permanently delete your accounts and stored email. Billing records may be retained longer where required by tax law.

Security

All connections to MailSprout and to your email accounts use TLS 1.2+. Passwords are hashed at rest by Clerk and by our mail backend. We'll notify affected users within 72 hours of confirming any breach involving personal data.

Cookies

We use only the cookies strictly necessary for authentication and session management. We do not use tracking cookies or third-party advertising cookies.

Children

MailSprout is intended for businesses and is not offered to anyone under 18. We do not knowingly collect data from anyone under 18.

Changes to this policy

We'll post any changes on this page and update the “Last updated” date. Material changes will be emailed to active subscribers at least 30 days before taking effect.

Contact

Florida Sound Man LLC d/b/a MailSprout
Email: support@mailsprout.io
