GDPR Compliance and EU Data Protection

Learn more about how the GDPR applies to your use of Mailbook and what we've done to ensure compliance and give you more control over your data.

We’re committed to providing the best, most secure API for our customers while giving privacy the prominence it deserves.

Ensuring the security of the data that passes through our email, calendar, and contacts API has always been a foundational principle at Mailbook. Our email API handles data that by nature contains highly sensitive, personally identifiable information (PII), and the handling, processing, and management of this data needs to be regulated closely.

Introduction

Mailbook is a strong advocate for privacy. We care about our users' rights. Leading up to the implementation of the GDPR (the EU privacy law in force since 25 May 2018), we have been hard at work building numerous features that give customers more control over the data that is stored on our platform. We have designed and enabled these features for all our customers, regardless of whether the GDPR specifically impacts them.

We prepared this document to show you how the GDPR applies to your use of Mailbook and what we have done to ensure we comply with the new rules.

We recommend that you review this document carefully and share it with your privacy team.


Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.

What is the General Data Protection Regulation (GDPR)?

The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This regulation offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they collect and process personal data of individuals located in the EU.

What personal data does Mailbook collect and how is it used?

We are committed to being transparent in how we handle and process personal data. As one of our customers, you should be aware of how we handle personal data on your behalf. We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that automatically remove data once it is no longer needed to offer our services.

How have we engaged in complying with the GDPR?

As a processor, we have specific obligations under the GDPR. In this section, we highlight how we handle personal data and what efforts we are making to ensure you, as one of our customers, can trust us.

In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process personal data of individuals located in the EU. Based on the results of that analysis, we have put in place appropriate measures that allow us to comply with the new requirements. First of all, we have assembled a dedicated team of data protection and security specialists who review Mailbook's processing of personal data and ensure we always have privacy in mind.

Is Mailbook a controller or a processor?

If your data processing activities fall under the scope of the GDPR, one of the first questions you should ask yourself is “Am I a data controller or a data processor?” The answer to this question will help you determine your compliance obligations under the GDPR. The controller is the organization that determines the purposes and means of processing. As a customer of Mailbook, you operate as the controller when using our products and services. You are responsible for ensuring that the personal data you collect is processed lawfully and that you use processors, such as Mailbook, that provide sufficient guarantees to meet the key requirements of the GDPR. Mailbook is considered a processor. We act on the instructions of the controller (you), which come in the form of API or SMTP requests. Like controllers, processors are expected to comply with the GDPR.

What About US Privacy Laws?

In the US, there is no single comprehensive federal law that rivals the GDPR and protects personal data. Instead, there are a number of federal laws that cover particular categories of information, such as:

- The Federal Trade Commission Act (“FTC Act”), a federal consumer protection law that prohibits unfair and deceptive practices. More recently, the FTC Act has been applied by the Federal Trade Commission in enforcement cases against companies for failing to comply with their own data privacy policies and for unauthorized disclosure of personal data.
- The Children’s Online Privacy Protection Act, also enforced by the FTC, which applies to the online collection of information from children.
- Regulation P, Regulation S-P and Regulation S-ID, which apply to banks and other financial institutions. They limit how consumer information is shared among affiliates and service providers, require disclosure of how information is shared, allow consumers to opt out of sharing, and set standards for the destruction of consumer information.
- The Health Insurance Portability and Accountability Act, which regulates the privacy of medical information. Specifically, the Act includes requirements for sharing, collecting, transmitting and protecting medical information.
- The Electronic Communications Privacy Act, which regulates the interception of electronic communications and computer tampering.

In addition to the federal laws, all 50 states have enacted laws that require notification of security breaches involving personal data, and some states have enacted more stringent cybersecurity regulations. Mailbook closely monitors this changing regulatory landscape and ensures that it complies with all applicable laws.

Do you have any questions? Feel free to contact us.