Privacy Policy

ARC-Relay ("we", "us", "our") operates the email relay service at arc-relay.com. This policy explains what data we collect, how we use it, and your rights.

1. What We Collect

Account Information

• Email address — used for authentication, billing, and service communication
• Password hash — stored securely by Supabase Auth (we never see or store plaintext passwords)
• Billing data — subscription plan, Stripe customer ID, and payment status. Credit card details are stored by Stripe, never by us.

Domain Configuration

• Domain names you add for forwarding
• Email aliases and forwarding destinations you configure
• Sender block rules you create
• DNS verification tokens

Relay Metadata (Logs)

When an email is forwarded through ARC-Relay, we log:

• Sender email address (envelope from)
• Recipient email address (envelope to)
• Domain name
• Delivery status (delivered, rejected, or failed)
• Rejection reason (if applicable)
• SRS-rewritten sender address
• Relay processing latency
• Timestamp

What We Do NOT Collect

• Email subject lines — never logged or stored
• Email body content — never read, stored, or indexed
• Attachments — never stored or inspected
• Email headers beyond envelope data — not logged

2. How Email Processing Works

ARC-Relay is a pass-through relay. When an email arrives:

• The raw message is held in server memory (RAM) only
• ARC-Seal headers are computed and prepended
• The envelope sender is rewritten using SRS
• The message is forwarded to the destination mail server
• The in-memory buffer is released (garbage collected)

Email content is never written to disk, stored in a database, or retained in any form. The only data persisted is the relay metadata described above.

3. Data Retention

• Account data (email, plan, domains, aliases, rules) — retained for the lifetime of your account
• Relay logs — automatically purged after 90 days
• Postfix mail queue — messages are held temporarily during delivery (typically seconds) and removed after successful delivery or final failure

4. How We Use Your Data

• Email relay — to forward messages and enforce plan limits
• Relay logs — to power your Live Logs and Analytics dashboard
• Billing — to manage your subscription via Stripe
• Service communication — to notify you of account issues (we do not send marketing email)

We do not sell, share, or provide your data to third parties for advertising, profiling, or any purpose unrelated to operating the service.

5. Third-Party Services

• Supabase (database and authentication) — stores account data and relay logs. Supabase Privacy Policy
• Stripe (payment processing) — processes payments and stores credit card data. Stripe Privacy Policy
• Let's Encrypt (TLS certificates) — provides encryption certificates for secure connections

No analytics trackers, advertising pixels, or social media widgets are used on arc-relay.com.

6. Data Security

• All web traffic encrypted via HTTPS (TLS 1.2+)
• All SMTP traffic encrypted via STARTTLS
• Passwords hashed by Supabase Auth (bcrypt)
• Database access governed by Row-Level Security policies
• API rate limiting to prevent abuse
• Stripe webhook signatures verified cryptographically

7. Your Rights

You have the right to:

• Access your data — view it in the dashboard, or download a full export from Settings
• Export your data — the "Download My Data" button in Settings provides a structured JSON export of all account data, domains, aliases, rules, and relay logs
• Delete your account — the "Delete Account" button in Settings permanently and irreversibly removes all your data (account, domains, aliases, rules, logs, and auth credentials)
• Correct your data — update your email aliases, domains, and sender rules at any time through the dashboard

These rights apply regardless of your jurisdiction. We do not require you to cite a specific regulation to exercise them.

8. GDPR Compliance (EU Users)

• Legal basis: contract performance (we process data to provide the service you signed up for)
• Data portability: available via the JSON export in Settings
• Right to erasure: available via account deletion in Settings
• Data minimization: we collect only what is necessary to operate the relay (no content, no subjects, no tracking)
• Retention limits: relay logs automatically deleted after 90 days

9. CCPA Compliance (California Users)

• We do not sell personal information
• We do not share personal information for cross-context behavioral advertising
• You may request deletion of your data at any time via the Settings page

10. Children's Privacy

ARC-Relay is not directed at children under 13. We do not knowingly collect data from children. If we learn that a child under 13 has provided us with personal data, we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance.

12. Contact

For privacy questions or data requests, contact us at:
support@arc-relay.com