Privacy Policy

Warmy (“we”, “our”, or “us”) operates the Warmy email warmup service at warmy.io. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service. By accessing or using Warmy, you agree to the terms described here.

1. Information we collect

We collect the minimum data necessary to provide the warmup service:

• •Account information: your name, email address, and hashed password (or OAuth identity token if you sign in with Google or Microsoft).
• •Connected inbox credentials: OAuth 2.0 refresh tokens for Gmail and Outlook are stored encrypted at rest using AES-256-GCM. SMTP / IMAP passwords are also encrypted with AES-256-GCM before being written to the database. We never store credentials in plaintext.
• •Usage analytics: warmup volume, health score history, feature usage events (e.g., dashboard views, inbox connections). We use this data in aggregate to improve the product.
• •Billing data: payment is processed by Paddle. We store only a Paddle customer ID and subscription status — we never see or store your raw card details.
• •Log data: IP addresses, browser user agent, and timestamps of authenticated API requests, retained for 30 days for security monitoring.

2. How we use your information

We use collected data solely to operate and improve Warmy:

• •Authenticating with your email provider to send and receive warmup emails on your behalf.
• •Calculating your inbox health score and detecting blacklist listings.
• •Sending transactional emails (e.g., alerts when your health score drops).
• •Aggregate, anonymised analytics to identify product improvements.
• •Complying with legal obligations.

We do not sell your personal data to third parties, use it for advertising, or share it with any party except as described in this policy.

3. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will permanently delete your personal information within 30 days, except where we are required to retain it by law (e.g., billing records retained for 7 years for tax compliance). Encrypted inbox credentials are deleted immediately upon inbox disconnection or account deletion.

4. Data sharing and sub-processors

We share your data only with the following sub-processors, each bound by data processing agreements:

• •Supabase — database and authentication infrastructure (EU region).
• •Paddle — payment processing (Merchant of Record).
• •Vercel — application hosting.
• •Resend — transactional email delivery.

5. Security

All data is encrypted in transit using TLS 1.2 or higher. Sensitive credentials (OAuth tokens and SMTP passwords) are encrypted at rest using AES-256-GCM with per-record keys. Our database enforces Row Level Security (RLS) so each user can only access their own data. We do not store Gmail or Outlook passwords — we use OAuth 2.0 exclusively for those providers.

6. Your rights (GDPR & CCPA)

Depending on your location, you may have the following rights with respect to your personal data:

• •Access: request a copy of the personal data we hold about you.
• •Correction: request that we correct inaccurate data.
• •Deletion: request deletion of your data (“right to be forgotten”).
• •Portability: receive your data in a structured, machine-readable format.
• •Restriction / objection: object to or restrict certain types of processing.
• •Opt-out of sale (CCPA): we do not sell personal data, so no opt-out is required, but you may contact us to confirm.

To exercise any of these rights, email us at privacy@warmy.io. We will respond within 30 days.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking pixels.

8. Children's privacy

Warmy is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

9. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before they take effect. Your continued use of Warmy after that date constitutes acceptance of the updated policy.

10. Contact

For any privacy-related questions, requests, or concerns, contact our privacy team at privacy@warmy.io.