Legal — Privacy Policy

Privacy Policy

Effective date: 22 January 2026

This Privacy Policy explains how FluentCart Inc. ("Company," "we," "us," or "our") collects, uses, stores, and discloses personal information in connection with the toSend website, APIs, applications, and related services (collectively, the "Service"). It also describes the rights you have over that information and how to exercise them.

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, please do not use the Service.

1. Who we are

FluentCart Inc. is the controller of personal data processed about you in connection with your toSend account. Our registered address is 131 Continental Dr, Suite 305, Newark, Delaware 19713, USA. You can reach our privacy team at support@tosend.com.

2. Information we collect

2.1 Information you provide

  • Account data: your name, email address, company name, billing address, and password when you sign up.
  • Payment data: billing details processed by our payment provider (Stripe). We do not store full card numbers on our systems.
  • Support and communications: messages you send to us, and any attachments or context you include.

2.2 Information generated by your use of the Service

  • Sending metadata: sender and recipient addresses, subject lines, message IDs, timestamps, delivery and bounce status, and webhook events.
  • Message content: the raw body of emails you submit to the Service. Stored encrypted at rest and retained for a limited period (see Retention below).
  • Usage data: API request logs, IP addresses, user-agent strings, and dashboard activity — used for security, troubleshooting, and abuse detection.

2.3 Cookies and similar technologies

We use a small number of first-party cookies for authentication and to remember your session. We do not use third-party advertising or tracking cookies. The dashboard uses localStorage for non-sensitive preferences such as UI state.

3. How we use your information

  • To provide, operate, and maintain the Service.
  • To authenticate you and secure your account.
  • To process billing and manage credit balances.
  • To send service-related notices (e.g., security alerts, policy changes, incident notifications).
  • To detect, prevent, and respond to abuse, fraud, or violations of our Terms.
  • To improve and develop new features, in aggregated or anonymized form.
  • To comply with applicable legal obligations.

4. Legal bases for processing (EEA/UK users)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract: to provide the Service you signed up for.
  • Legitimate interests: to secure the Service, prevent abuse, and improve our product.
  • Legal obligation: to comply with applicable laws.
  • Consent: where we ask for it (e.g., optional product updates).

5. Recipient data and your responsibilities as a sender

When you use toSend to send emails, you submit recipient addresses and message content to us. With respect to that data, you are the controller and toSend acts as a processor on your behalf, governed by our Data Processing Agreement, which is binding when you accept the Terms of Service. You are responsible for obtaining any necessary consents, providing privacy notices to your recipients, and complying with applicable anti-spam and data-protection laws (including CAN-SPAM, GDPR, PECR, and others).

6. Subprocessors and service providers

We use a small set of vetted subprocessors to operate the Service:

  • Amazon Web Services (AWS): email delivery (SES) and underlying compute.
  • Cloudflare: edge network, API gateway, data layer (Workers, D1, R2, KV, Queues), and hosting for the public marketing website.
  • Hetzner Online GmbH: hosting for the customer dashboard at dash.tosend.com, where account, domain, API key, and billing management happens (EU-based).
  • Stripe: payment processing and subscription billing.

Customer support and our own outbound account emails (onboarding, notifications) are handled on self-hosted tools and through toSend itself — no third-party processes those communications on our behalf.

Each subprocessor is bound by confidentiality and data-protection obligations and processes data only on our documented instructions. See our Subprocessors page for purpose, location, and DPA links for each, and for our notice policy when the list changes.

7. International transfers

The Service is operated primarily from the United States. If you access the Service from outside the US, your personal data may be transferred to and stored in the US. Where required, such transfers are made under appropriate safeguards (including the EU Standard Contractual Clauses).

8. Retention

  • Email bodies: stored for up to 14 days to power deliverability diagnostics, then deleted from object storage.
  • Send logs / metadata: retained for 14 days by default; longer retention available for enterprise accounts by agreement.
  • Account and billing records: retained for the life of your account and for the period required by tax and accounting law after account closure.
  • Suppression list entries: retained to protect sender reputation — see our Terms for retention periods by bounce type.

9. Security

We apply industry-standard measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and routine security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

10. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (subject to legal retention requirements).
  • Restrict or object to certain processing.
  • Port your data to another provider.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, email support@tosend.com. We respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

11. Children's privacy

The Service is not directed to children under 18, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us personal data, please contact us and we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email and/or an in-product notice. The "Effective Date" at the top of this page reflects the most recent revision.

13. Contact us

FluentCart Inc. (toSend)
131 Continental Dr, Suite 305
Newark, DE 19713, USA
support@tosend.com