Skip to content
Sendora Cloud
Create account
Legal

Privacy Policy

This policy describes how Sendora Cloud collects, uses, and protects personal information. Last updated 2026-06-03.

What we collect

Account information (name, email, billing) and the data customers send us via our APIs and SDKs.

Product telemetry necessary to operate the service: request logs, error traces, and audit events.

How we use it

To provide, maintain, and improve Sendora Cloud.

To send service announcements and responses to support requests.

To comply with legal obligations.

Your rights

Access, correction, deletion, portability. Email privacy@sendoracloud.com and we will respond within 30 days.

You can delete your Sendora Cloud account at any time from Settings → Account. The action is permanent and follows the retention schedule below.

Deletion and retention

When you delete your account or an organization, we immediately hard-delete every subject-scoped record: profiles, events, messages (email/push/SMS/in-app bodies), support tickets, workflow runs, API keys, member invites, and all configuration tied to the account. Organizations enter a 7-day grace period before the hard delete runs so accidental deletions can be reversed by contacting support; personal account deletions are immediate and irreversible.

Three categories of data are kept for statutory reasons, with PII scrubbed (email replaced by a one-way hash, actor IDs nulled): (a) audit logs — kept 2 years for SOC 2 and legal-claims defence under GDPR Art. 17(3)(e); (b) subscription and invoice records — kept 7 years for tax and accounting obligations; (c) email suppressions — kept indefinitely because CAN-SPAM, CASL, UK PECR, and the EU ePrivacy Directive all require us to honour opt-outs forever.

Downstream processors: when you delete an account tied to a paid subscription we call Stripe's customer-delete API so our sub-processor erases their copy too. Email service providers receive no identifying data beyond the recipient address, which is no longer reachable after erasure.

This approach aligns with GDPR / UK GDPR Art. 17, CCPA / CPRA, LGPD (Brazil), PIPL (China), PDPA (Singapore / Thailand), APPI (Japan), CASL (Canada), and the Australia Privacy Act.

Data residency

Customer data is stored in the region selected at sign-up (US or EU). We do not move data across regions without explicit consent.