Privacy Policy

Last updated: 24 April 2026

1. Who is the data controller

For personal data about Delyst account holders (you, the customer): eforconection is the data controller. Contact: support@delyst.com.

For personal data about your subscribers (the recipients of the emails you send through Delyst): you are the data controller and Delyst is the data processor. The terms of that processing are set out in our Data Processing Addendum, which is incorporated by reference into our Terms.

2. What data we collect about you

  • Account data: email address, name, hashed password, language preference, two-factor authentication secret (encrypted).
  • Company data: optional company name, address, tax ID, billing country.
  • Payment data: we do not receive or store card numbers. Payments are processed by Paddle (Merchant of Record). We receive a transaction reference, subscription status, and the last four digits of the card for reconciliation.
  • Usage data: IP address, device and browser metadata, pages visited, feature actions, timestamps. Used for security, debugging, and product analytics.
  • Support data: anything you include in a support request.

3. What data we process on your behalf

When you use Delyst to run campaigns, you upload data about your own subscribers (email address, name, custom fields, engagement events). We process this data strictly to operate the Service for you: send mail, track opens and clicks you have enabled, build segments and reports, and surface deliverability insights. We do not mine or resell this data and we do not use it to train AI models.

4. Why we process it (legal bases)

  • Contract (Art. 6(1)(b) GDPR): to deliver the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, product improvement, anti-abuse deliverability controls.
  • Legal obligation (Art. 6(1)(c)): tax records, invoicing retention, abuse response, replying to lawful requests from authorities.
  • Consent (Art. 6(1)(a)): non-essential analytics and marketing cookies (where required by law). You can withdraw consent at any time without affecting processing done before.

5. Who we share data with

We use a small set of sub-processors, each under a data-protection contract:

  • OVH / Hetzner — hosting (EU region).
  • Paddle.com Market Limited — payment processing and Merchant of Record (UK / EU).
  • OpenAI — processing prompts sent to AI-assisted features (US). We do not send subscriber lists to OpenAI; only the summary metrics or text the AI assistant needs to answer the question. OpenAI does not retain data for training when accessed via the API.
  • Sentry — error monitoring (EU region).
  • BetterStack — uptime monitoring.
  • KumoMTA (self-hosted) — the email-sending MTA, run on infrastructure we control in Europe. No third-party provider sees the content of the emails you send.

We do not sell personal data and we do not share it with advertisers.

6. International transfers

When data is transferred outside the EEA (primarily to OpenAI in the United States), we rely on the European Commission's Standard Contractual Clauses, plus additional safeguards where appropriate. You can request a copy of the relevant transfer mechanism by writing to support@delyst.com.

7. How long we keep data

  • Account data: for the life of your account and up to 90 days after deletion (for dispute resolution and fraud prevention).
  • Campaign / subscriber data: as long as the account is active. Once you delete an account, we permanently erase it within 30 days, except where law requires longer retention (e.g. invoicing records for 10 years under Tunisian commercial law).
  • Server logs: 30 days.
  • Backups: rotated and overwritten within 35 days.

8. Your rights

If you are in the EEA, the UK, or a jurisdiction with comparable rights, you can request:

  • Access to the personal data we hold about you.
  • Correction of inaccurate data.
  • Deletion of your data (subject to legal retention).
  • Portability of your data in a machine-readable format.
  • Restriction of processing or objection to processing based on legitimate interest.
  • Withdrawal of consent where processing is based on consent.

To exercise any of these rights, email support@delyst.com. We respond within 30 days. You also have the right to complain to your local supervisory authority.

9. Security

Passwords are hashed with bcrypt. Secrets stored in the database (API keys, OAuth tokens, DKIM private keys) are encrypted at rest with AES-256-GCM. Traffic between your browser and Delyst is always over HTTPS. We run automated dependency scanning and error monitoring and keep access to production infrastructure limited and logged.

In the event of a data breach affecting personal data, we notify the relevant supervisory authority within 72 hours and affected users without undue delay.

10. Cookies

We use first-party cookies that are strictly necessary for the Service to function (session cookie, active-customer cookie, two-factor cookie). These do not require consent. Non-essential cookies (if any) are opt-in and controlled through a consent banner.

11. Children

The Service is not intended for individuals under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

12. Changes

We will announce material changes by email and by a banner in the dashboard at least 14 days before they take effect.

13. Contact

Privacy questions and requests: support@delyst.com.