arc-relay ("we", "us", "our") is the email relay service operated at arc-relay.com by Hoopes Group LLC, a limited liability company organized in [STATE_OF_FORMATION], with a registered address at [POSTAL_ADDRESS]. We are the data controller for the personal data described in this policy. To the extent you use the Service to forward mail addressed to your own domain (especially in business-to-business use), you act as the data controller for the envelope metadata of those messages and we act as your data processor — see Section 10.
This policy explains what data we collect, how we use it, the lawful bases on which we rely under EU/UK data-protection law, and the rights you can exercise.
1. What we collect
Account information
- Email address — used for authentication, billing, and service communication
- Password hash — stored securely by Supabase Auth (we never see or store plaintext passwords)
- Billing data — subscription plan, Stripe customer ID, and payment status. Credit card details are stored by Stripe, never by us.
Domain configuration
- Domain names you add for forwarding
- Email aliases and forwarding destinations you configure
- Sender block rules you create
- DNS verification tokens
- DKIM private keys (Pro and Studio plans) — RSA 2048-bit keypairs generated for per-domain DKIM signing, stored encrypted at rest
API & integration data
- API keys — stored as SHA-256 hashes. We cannot recover the plaintext key after creation; only a prefix is retained for identification.
- API usage counts — we track the number of authenticated API requests per month to enforce plan quotas
- Webhook endpoint URLs — the HTTP(S) URLs you register to receive event callbacks
- Webhook delivery logs — HTTP status codes and timestamps for webhook deliveries, retained for debugging
- DNS monitoring configuration — which domains you monitor and your alert email address
- DNS monitoring results — health scores and check results from automated DNS scans
Relay metadata (logs)
When an email is forwarded through arc-relay, we log:
- Sender email address (envelope from)
- Recipient email address (envelope to)
- Domain name
- Delivery status (delivered, rejected, or failed)
- Rejection reason (if applicable)
- SRS-rewritten sender address
- Relay processing latency
- Timestamp
What we do NOT collect
- Email subject lines — never logged or stored by the relay path
- Email body content — never read, stored, or indexed by the relay path
- Attachments — never stored or inspected by the relay path
- Email headers beyond envelope data — not logged
2. How email processing works
arc-relay is a pass-through relay. When an email arrives:
- The raw message is held in server memory (RAM) only
- ARC-Seal headers are computed and prepended
- The envelope sender is rewritten using SRS
- The message is forwarded to the destination mail server
- The in-memory buffer is released (garbage collected)
Email content is never written to disk, stored in a database, or retained in any form by the relay path. The only data persisted is the relay metadata described above. AI Auto-Reply, when you enable it, is a separate optional path documented in Section 6.
Public API (no account required)
The Email Health Score API (GET /api/tools/health/{domain}) is publicly accessible without authentication. When you or anyone queries this endpoint, we receive only the domain name. No personal data is collected, and results are not linked to any account. DNS lookups are performed server-side and cached temporarily.
3. Data retention
- Account data (email, plan, domains, aliases, rules, API keys, webhooks, DKIM keys) — retained for the lifetime of your account
- Relay logs — automatically purged based on your plan, between 7 and 365 days. See the comparison table on /pricing.html for the exact retention period of your plan.
- DNS monitoring history — alert records retained for the lifetime of the monitor; deleted when you remove the monitor or your account
- API usage counters — reset on the 1st of each month; historical counts are not retained
- Postfix mail queue — messages are held temporarily during delivery (typically seconds) and removed after successful delivery or final failure
- Encrypted database backups — retained for up to 30 days for disaster recovery, then permanently deleted
4. Lawful bases (EU/UK)
- Contract performance (GDPR Art. 6(1)(b)) — to provide the Service you signed up for: account creation, email relay, billing, support, and dashboard rendering
- Legitimate interests (Art. 6(1)(f)) — for security logging, abuse prevention, fraud detection, rate limiting, webhook delivery telemetry, and aggregated service analytics. We have balanced these interests against your rights and consider them not to override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requests where legally required
- Consent (Art. 6(1)(a)) — only where we explicitly ask you to opt in (no operational defaults currently rely on consent)
5. How we use your data
- Email relay — to forward messages and enforce plan limits
- Relay logs — to power your Live Logs and Analytics dashboard
- Billing — to manage your subscription via Stripe
- Service communication — to notify you of account issues, DNS monitoring alerts, and weekly health digest emails (Pro and Studio plans). We do not send marketing email.
- Webhooks — to deliver real-time event notifications to endpoints you configure
- DNS monitoring — to check your domain's email authentication records on a schedule and alert you to changes
- API access control — to authenticate API requests and enforce usage quotas
- AI Auto-Reply (when enabled) — to generate replies to inbound messages using your configured persona and knowledge base. See Section 6 for the AI sub-processor.
We do not sell, share, or provide your data to third parties for advertising, profiling, or any purpose unrelated to operating the service.
6. Sub-processors
We engage the following sub-processors to operate the Service. Each has signed a data-processing agreement with us that incorporates the EU Standard Contractual Clauses (or an equivalent transfer mechanism) for international transfers.
- Supabase Inc. — database, authentication, file storage. United States (AWS).
- Stripe, Inc. — payment processing, subscription billing. United States and Ireland.
- x.AI Corp. — AI Auto-Reply generation, only when you enable Auto-Reply for a domain. United States.
- Internet Security Research Group (Let's Encrypt) — TLS certificates for HTTPS connections. United States.
AI Auto-Reply (Pro+). When you enable Auto-Reply for a domain, the inbound message and your knowledge-base content are sent to x.AI for response generation. Per our agreement with x.AI, message content is not retained beyond the request and is not used to train models. Auto-Reply is off by default; you can disable it at any time in domain settings.
We will give existing customers at least 30 days' notice before adding or replacing a sub-processor that handles your personal data. The list above is authoritative. To subscribe to sub-processor change notices, email [email protected].
We use no analytics trackers, advertising pixels, or social media widgets on arc-relay.com.
7. International data transfers
arc-relay is operated from the United States. If you access the Service from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States by us and by the sub-processors named in Section 6.
The lawful basis for those transfers is the European Commission's Standard Contractual Clauses (SCCs), which we have entered into with each sub-processor. Where applicable we rely on the UK Addendum to the SCCs and the Swiss adequacy framework. Copies of the relevant SCCs and our transfer impact assessment are available on request from [email protected].
We do not transfer personal data to jurisdictions that lack an adequacy decision and an SCC-equivalent safeguard.
8. Data security
- All web traffic encrypted via HTTPS (TLS 1.2+)
- All SMTP traffic encrypted via STARTTLS where supported by the receiving server
- Passwords hashed by Supabase Auth (bcrypt)
- Database access governed by Row-Level Security policies
- API keys hashed with SHA-256 before storage — plaintext keys are never retained
- DKIM private keys stored encrypted at rest with AES-256-GCM
- API rate limiting to prevent abuse
- Webhook payloads signed with HMAC-SHA256 to prevent forgery
- Stripe webhook signatures verified cryptographically
- Privacy by design — message bodies, subjects, and headers (other than envelope routing) are never written to disk; relay processing is in-memory only
Security incident notification. If a personal-data breach is reasonably likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay (Art. 34). Material incidents are posted at arc-relay.com/status.
9. Your rights
You have the following rights with respect to your personal data, regardless of your jurisdiction. We do not require you to cite a specific regulation to exercise them.
- Access — view your data in the dashboard, or download a full export from Settings
- Rectification (correct) — update your email aliases, domains, sender rules, and account email at any time through the dashboard
- Erasure (delete) — the "Delete account" button in Settings permanently and irreversibly removes all your data (account, domains, aliases, rules, logs, and auth credentials)
- Portability (export) — the "Download my data" button in Settings provides a structured JSON export of all account data, domains, aliases, rules, webhooks, and relay logs
- Restriction — ask us to limit processing while a dispute is resolved
- Objection — object to processing based on legitimate interests; we will stop unless we can demonstrate compelling grounds
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of past processing
- Lodge a complaint — you may complain to your local supervisory authority (see Section 15)
We will respond to verified requests within 30 days, extendable by up to 60 additional days for complex or numerous requests with notice. To submit a request, email [email protected] from the address on the account.
10. GDPR, UK GDPR, and Swiss FADP
This section provides additional information for residents of the European Economic Area, the United Kingdom, and Switzerland. References to "GDPR" include the UK GDPR and the Swiss Federal Act on Data Protection (FADP) where applicable. Lawful bases are listed in Section 4; data subject rights are listed in Section 9; international transfer mechanisms are described in Section 7.
Right to lodge a complaint
EEA residents may complain to their local data-protection authority — a directory is available at edpb.europa.eu. UK residents may complain to the Information Commissioner's Office (ico.org.uk). Swiss residents may complain to the Federal Data Protection and Information Commissioner (edoeb.admin.ch).
Automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). AI Auto-Reply, where enabled by you, generates content but does not make decisions about you in the GDPR Art. 22 sense.
EU/UK representative
Hoopes Group LLC has not currently appointed a representative in the EU under GDPR Art. 27 or in the UK under UK GDPR Art. 27. EU/UK data subjects may contact us directly at [email protected] for any data-protection matter, and may at any time lodge a complaint with the supervisory authorities listed above.
Data Processing Agreement (B2B customers)
If you use arc-relay to process personal data on behalf of your own users (for example, an organization forwarding employee mail), you act as the data controller and arc-relay acts as your processor under GDPR Art. 28. Our standard Data Processing Agreement, which incorporates the EU Standard Contractual Clauses for international transfers and the UK Addendum, is incorporated into our Terms of Service by reference and a signed counterpart is available on request from [email protected].
11. California (CCPA / CPRA)
This section is for California residents. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
Categories of personal information collected (last 12 months)
- Identifiers — email address, account ID, IP address (in request logs)
- Customer records — billing information processed by Stripe
- Commercial information — subscription plan, transaction history
- Internet/network activity — API request logs, dashboard activity, relay metadata (envelope sender/recipient, status, latency, timestamps)
- Inferences — none
- Sensitive personal information — none beyond authentication credentials, used only for the limited purposes permitted by Cal. Civ. Code § 1798.121
Sources, recipients, and purpose
- Sources: directly from you, and automatically from your use of the Service
- Recipients: the sub-processors listed in Section 6 (Supabase, Stripe, x.AI, Let's Encrypt). We do not disclose personal information to other third parties for any purpose other than as described in this policy.
- Business purpose: providing and securing the Service, billing, support, and complying with law
Your California rights
- Right to know — request the categories and specific pieces of personal information we have collected
- Right to delete — request deletion of personal information (also exercisable via the "Delete account" button)
- Right to correct — request correction of inaccurate personal information
- Right to limit use of sensitive personal information — n/a (we do not use SPI beyond limited purposes permitted by law)
- Right to opt out of sale or sharing — n/a (we do neither)
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a CCPA right
To exercise any of these rights, email [email protected] from the address on your account, or use an authorized agent who provides written authorization signed by you. Retention periods are described in Section 3.
12. Cookies and local storage
arc-relay uses only strictly necessary functional storage:
- Authentication tokens (managed by Supabase Auth) to keep you signed in
- A theme preference (arc-relay-theme) so light/dark mode persists between visits
- A service worker for offline functionality and update delivery
We do not use analytics cookies, advertising cookies, fingerprinting, or any cross-site tracking technologies. Because all storage is strictly necessary to deliver the Service you have requested, no consent banner is shown under the ePrivacy Directive's "strictly necessary" exemption.
13. Children's privacy
arc-relay is not directed at children. You must be at least 16 years old, or the lower age of digital consent permitted under your country's law (which can be as low as 13 in the United States and in some EEA member states), to create an account. We do not knowingly collect data from anyone below the applicable threshold. If we learn that we have, we will delete it promptly.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page, and for substantive changes affecting your rights, by email to the address on your account at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.
15. Contact and complaints
Data controller: Hoopes Group LLC, [POSTAL_ADDRESS], [STATE_OF_FORMATION], United States.
Privacy contact: [email protected] — for privacy questions, data subject requests, sub-processor change subscriptions, and DPA requests.
Right to complain: EEA residents may complain to their local data-protection authority (see edpb.europa.eu). UK residents may complain to the ICO (ico.org.uk/make-a-complaint). California residents may also complain to the California Privacy Protection Agency or the California Attorney General.