Last updated: June 3, 2026
EASYMAILING CLOUD SERVICES, S.L. (hereinafter, "EASYMAILING"), with registered office at Población de Campos, 2, 28050 Madrid (Spain) and tax ID number (NIF) B-01996396, informs users, through this Privacy Policy, about the processing of personal data collected in the course of its activities, in compliance with the GDPR (Regulation (EU) 2016/679) and Spanish Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).
This Policy describes the categories of data processed, the purposes and legal bases for processing, the retention periods, the recipients of the information, any international transfers that may take place, and the rights available to data subjects.
1. Data Controller
Your personal data will be processed by:
Company name: EASYMAILING CLOUD SERVICES, S.L. (hereinafter, "EASYMAILING")
NIF: B-01996396
Registered office: Población de Campos, 2, 28050 Madrid, Spain
Website: https://easymailing.com
Contact email: hola@easymailing.com
Data protection contact: dpo@easymailing.com
2. Scope of Application
This Privacy Policy applies to all personal data processed by EASYMAILING in the context of:
Use of our public website https://easymailing.com.
Registration and use of the EASYMAILING email marketing platform (hereinafter, the "Platform").
The contracting of our services.
Commercial and informational communications we send.
Technical support and customer service.
This policy does not cover the processing of data that you, as an EASYMAILING customer, carry out through the Platform in relation to your own subscribers or recipients. In that case, EASYMAILING acts as data processor and you act as controller; that relationship is governed by our Terms and Conditions of Use (Clause Eleven — Data Protection).
3. Categories of Data We Process
Depending on your relationship with us, we may process the following categories of data:
3.1. Website Visitor Data
Browsing data collected through cookies (see Cookie Policy).
IP address, browser type, device, operating system, and pages visited.
Data you voluntarily provide through contact forms, demo requests, or resource downloads.
3.2. Registered Customer Data
Identification data: first and last name, company, job title.
Contact data: email address, telephone, postal address, web domain.
Account data: username, encrypted password, preferences (time zone, language, industry, currency).
Billing data: company name, tax identification number (CIF/NIF), billing address, payment method. Bank card data is never stored by EASYMAILING; it is handled directly by our payment provider (Stripe) under the PCI-DSS standard.
Usage data: aggregated Platform statistics, campaigns sent, templates used.
Technical and security data: access IP, logs, audit records.
3.3. Data We Do NOT Process
EASYMAILING does not voluntarily request or process special categories of data under Article 9 of the GDPR (health, religion, sexual orientation, biometric data, political opinions, trade union membership, etc.). We ask that you do not enter this type of data into the Platform or in communications with our team.
3.4. Source of Data
All data we process comes directly from you. We do not acquire data from third parties or public sources for commercial purposes.
4. Purposes of Processing and Legal Bases
We process your data for the following purposes and on the following legal grounds:
# | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
1 | Management of user registration and provision of contracted Services | Performance of a contract (Art. 6.1.b) |
2 | Invoicing, payment collection, and accounting management | Performance of a contract (Art. 6.1.b) and legal obligation (Art. 6.1.c) |
3 | Handling enquiries, technical support, and complaints | Performance of a contract (Art. 6.1.b) or legitimate interests (Art. 6.1.f) when the requester is not a customer |
4 | Sending commercial communications about our services and updates | Consent (Art. 6.1.a) or legitimate interests (Art. 6.1.f) for active customers (soft opt-in) |
5 | Platform security, fraud prevention, and regulatory compliance | Legitimate interests (Art. 6.1.f) and legal obligation (Art. 6.1.c) |
6 | Compliance with legal obligations (tax, commercial, labour) | Legal obligation (Art. 6.1.c) |
7 | Aggregated statistical analysis of website and Platform usage | Consent (cookies) or legitimate interests (aggregated server-side analysis) |
8 | Provision of artificial intelligence-assisted features within the Platform (voluntary activation by the customer) | Performance of a contract (Art. 6.1.b) when the customer activates these features |
5. Retention Periods
We retain your data for the minimum time necessary to fulfil the purposes for which it was collected:
Type of data | Retention period |
|---|---|
Active customer account data | Duration of the contractual relationship |
Customer data after service cancellation | 6 years from cancellation (tax and commercial obligations) |
Billing data | 6 years (Art. 30 of the Spanish Commercial Code and tax regulations) |
Commercial contact data (non-customer leads) | 2 years from the last interaction or until unsubscription |
Consent records and data protection communications | 5 years |
Technical logs and security records | For as long as necessary to ensure service security, incident detection, and compliance with legal obligations |
Cookies | Specific periods are detailed in the Cookie Policy |
Once these periods have elapsed, data is irreversibly deleted or anonymised.
6. Recipients of Your Data
6.1. Sub-processors
To provide our services, we engage technology providers who act as data processors (sub-processors) under a data processing agreement pursuant to Article 28 of the GDPR. These providers process data solely in accordance with our instructions and only to the extent strictly necessary to provide the services:
Provider | Legal entity | Purpose | Location | Safeguards |
|---|---|---|---|---|
Google Cloud | Google Ireland Ltd. / Google LLC | Cloud infrastructure (compute, databases) | EU — Belgium ( | Data in EU. Cloud DPA with SCCs 2021/914. |
Amazon Web Services | Amazon Web Services EMEA SARL / Amazon Web Services, Inc. | Public DNS (Route 53) | EU — Ireland ( | Data in EU. GDPR DPA with SCCs 2021/914. |
Sered.net | Soluciones Web On Line, S.L.U. | Hosting of the mail transfer agent (MTA) server | Spain | Data in EU. Data processing agreement (Art. 28 GDPR). |
CloudAMQP | 84codes AB | Message queue (RabbitMQ) — technical metadata without personal content | EU — Sweden | Data in EU. DPA with SCCs 2021/914. |
BulkGate | TOPefekt s.r.o. | SMS sending (optional channel for campaigns and notifications) | EU — Czech Republic | DPA under Art. 28 GDPR. |
Stripe | Stripe Payments Europe, Ltd. | Payment gateway (billing data) | EU — Ireland; operational copies in the US | Stripe DPA with SCCs 2021/914 and adherence to the EU-US Data Privacy Framework. PCI-DSS tokenisation (we do not store card data). |
Sentry | Functional Software, Inc. (dba Sentry) | Platform error and performance monitoring (technical logs, with PII filtering enabled) | US | DPA with SCCs 2021/914 (Modules 2 and 3), UK Addendum, and adherence to the EU-US Data Privacy Framework. |
OpenAI | OpenAI Ireland Ltd. | Optional artificial intelligence features within the Platform (only if activated by the customer) | Ireland / UK / US depending on module | DPA with SCCs 2021/914 (Modules 2 and 3) and UK Addendum. Under the OpenAI API data usage policy, data sent via the API is not used to train its models. |
This list is updated when a sub-processor is added or replaced. Changes are published on this same page at least 30 calendar days before the effective date of the change. During that period, data subjects may object to the change by contacting dpo@easymailing.com.
6.2. Other Recipients
In addition to sub-processors, your data may be disclosed to:
Public authorities where required by a legal obligation (Spanish Tax Agency (AEAT), Social Security, judicial authorities).
Banking institutions for payment and invoicing management.
Professional advisors (legal, tax, accounting) under a duty of confidentiality, when strictly necessary.
EASYMAILING does not sell, rent, or transfer your data to third parties for commercial purposes.
7. International Data Transfers
Most processing takes place within the European Economic Area (EEA). In some specific cases, certain sub-processors (Sentry, OpenAI, Stripe operational copies) may transfer data to the United States or the United Kingdom.
These international transfers are carried out with the following safeguards pursuant to Article 46 of the GDPR:
Standard Contractual Clauses (SCCs) approved by the European Commission — Implementing Decision (EU) 2021/914 of June 4, 2021, Modules 2 (Controller-to-Processor) and 3 (Processor-to-Sub-Processor) as applicable.
UK International Data Transfer Addendum (IDTA) for recipients in the United Kingdom.
EU-US Data Privacy Framework (adequacy decision of July 10, 2023) where the provider is certified.
You may request a copy of these safeguards by writing to dpo@easymailing.com.
8. Data Subject Rights
Pursuant to Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:
Access your personal data.
Rectification of inaccurate or incomplete data.
Erasure ("right to be forgotten") when data is no longer necessary.
Restriction of processing in the legally provided circumstances.
Object to processing, including objecting to commercial communications (which you may exercise at any time by clicking the "Unsubscribe" link in our emails).
Data portability in a structured, commonly used, and machine-readable format.
Not to be subject to automated individual decisions with significant legal effects.
Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
How to Exercise Your Rights
You may exercise any right by sending an email to dpo@easymailing.com stating:
Your first and last name.
The right you wish to exercise.
Sufficient information to verify your identity (we may request a copy of your national ID or other document if necessary).
We will respond within a maximum period of one month, extendable by a further two months if the request is particularly complex.
Complaints to the Supervisory Authority
If you consider that the processing of your data infringes the GDPR or the LOPDGDD, or if you are not satisfied with the response received when exercising your rights, you may lodge a complaint with:
Agencia Española de Protección de Datos (AEPD) (Spanish Data Protection Agency)
C/ Jorge Juan, 6 — 28001 Madrid
Electronic office: https://sedeagpd.gob.es
9. Use of Artificial Intelligence (AI)
The EASYMAILING Platform incorporates features assisted by generative artificial intelligence models that help customers perform certain tasks within the service environment. These features are optional and may be used, among other things, for:
Assistance in creating email marketing campaigns.
Generation and optimisation of copy (subject lines, email bodies, calls to action, descriptions).
Creation and suggestion of email templates.
Configuration of automation workflows.
Drafting and summarising results reports.
Other auxiliary productivity tasks within the administration panel.
9.1. Provider
These features are provided through OpenAI Ireland Ltd. (and, where applicable, its affiliates), with whom EASYMAILING has signed a Data Processing Agreement (DPA) incorporating Standard Contractual Clauses (SCCs) 2021/914 (Modules 2 and 3) and the UK International Data Transfer Addendum.
9.2. Usage Principles
Voluntary activation: AI features are always optional. Data is only transmitted to the provider when the customer performs an explicit action that requires it.
Minimisation: only the information strictly necessary to perform the task requested by the customer is transmitted to the provider.
No use for training: in accordance with the OpenAI API usage policies, data transmitted via the API is not used to train or improve the artificial intelligence models.
Limited retention: the provider retains requests for a reduced maximum period, exclusively for abuse prevention and security purposes, after which they are deleted.
Human oversight: AI-generated content is indicative in nature and must be reviewed and validated by the customer before use or sending. Final responsibility for published or sent content lies with the customer.
No automated decisions with legal effects: AI features do not produce automated individual decisions that have significant legal effects on data subjects within the meaning of Article 22 of the GDPR.
9.3. Prohibition on Entering Sensitive Data in Requests
The customer undertakes not to enter or send, through the AI features, data falling within the special categories set out in Article 9 of the GDPR (health, religion, sexual orientation, biometric data, political opinions, trade union membership, etc.), as well as data from identification documents (national ID, passport, social security number), third-party financial data, or any other particularly sensitive information. Failure to comply with this obligation shall be the exclusive responsibility of the customer.
9.4. Information for End Recipients of Communications
If you are a recipient of communications sent through the EASYMAILING Platform by one of its customers, please note that:
The data controller for your data is the sender of the communication, not EASYMAILING.
To exercise your rights or resolve queries about the processing of your data, you must contact the sender directly, whose contact details appear in every commercial communication sent from the Platform.
EASYMAILING acts in that context solely as data processor and, where legally required or authorised by the sender, will cooperate by providing the necessary information to the recipient.
10. Automated Decisions
EASYMAILING does not carry out automated individual decisions that produce significant legal effects on you, nor does it carry out profiling with such effects, except where:
It is necessary for the conclusion or performance of the contract between you and EASYMAILING.
It is authorised by applicable legislation.
It is based on your explicit consent.
In such cases, we will guarantee your right to obtain human intervention, express your point of view, and contest the decision.
11. Minors
EASYMAILING's Services are directed exclusively at persons aged 18 and over and at entities with legal capacity to contract. EASYMAILING does not knowingly collect data from minors. If you become aware that a minor has provided data through our Services, please notify us at dpo@easymailing.com so that we may proceed with its deletion without undue delay.
12. Data Security
EASYMAILING applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control and the principle of least privilege.
Multi-factor authentication for administrative access.
Audit logs.
Regular backups and disaster recovery procedures.
Ongoing data protection training for staff.
Periodic security assessments and incident response.
In the event of a security breach affecting your personal data and posing a risk to your rights and freedoms, EASYMAILING will notify the AEPD within a maximum of 72 hours of becoming aware of it and, where appropriate, will notify you without undue delay.
13. Cookies
The use of cookies and similar technologies is governed by our Cookie Policy, which forms an integral part of this Privacy Policy.
14. Links to Third-Party Sites
Our website may contain links to third-party websites whose privacy policies are independent of EASYMAILING. We recommend that you review their policies before providing your data on those sites. EASYMAILING is not responsible for the processing carried out by such third parties.
15. Changes to This Policy
EASYMAILING may update this Privacy Policy to reflect legal, technical, or service feature changes. Any material changes will be communicated with reasonable prior notice through the Platform itself, by email, or through a prominent notice on the website. The date of the last update always appears at the beginning of this document.
16. Acceptance
Use of the website and the Platform implies acceptance of this Privacy Policy on the terms set out herein.