Privacy and Data Retention

TrekMail stores your data to provide the email, file storage, billing, security, and support features of the Service. We do not sell your data or use email or Drive content for advertising.

What We Store

• Account Info: Email, name, billing details.
• Mailbox Data: Email messages, folders, read/unread status.
• Drive Data: Files, folders, file metadata, storage usage, public link settings, and Drive activity needed to provide and secure the feature.
• Usage Logs: SMTP delivery events, bounce logs (for debugging).
• API Tokens: Token name, hashed secret, scopes, domain constraints, expiration, and usage metadata (last used timestamp, IP).
• API Audit Events: Every API action is logged with the token used, resource affected, IP address, request ID, and timestamp.

How Long We Keep It

• Active Accounts: Data is retained indefinitely while your account is active.
• Deleted Accounts: 30-day grace period, then permanent deletion.
• Drive Trash: Deleted Drive files may remain in Trash for a limited recovery period and continue to count against storage until permanently removed.
• Public Links: Active public links remain until they expire, reach their download limit, are revoked, the underlying file is deleted, or access is disabled. Revoked link records may be retained for a limited period for audit and abuse prevention.
• Drive Storage Add-on Non-Payment or Cancellation: If payment retries are exhausted or the Add-on ends, the account enters a 7-day read-only grace period. If the account remains over its remaining storage cap after those 7 days, Drive files may be permanently and irreversibly deleted to bring usage within the available cap. There is no additional 30-day grace period for ended or unpaid Add-on capacity.
• Billing Records: Kept for 7 years for tax compliance.
• API Tokens: Revoked and expired tokens are retained for reference while your account is active. Deleted with the account.
• API Audit Logs: Retained for 90 days, then automatically purged.
• Idempotency Keys: Retained for 24 hours to prevent duplicate API operations.
• Support Ticket Attachments: Automatically deleted 30 days after ticket closure.

Your Rights

• Access: Request a copy of your data via Support.
• Deletion: Delete your account to remove all personal data (including all API tokens and audit logs).
• Portability: Export your emails via IMAP and download Drive files through available product interfaces while the account remains active and accessible.

White Label Lite and data-processor relationships

If you serve mailboxes to your own customers via White Label Lite, the relationship looks like this for data-protection purposes:

• Your end customer is the data subject.
• You (the TrekMail account holder running the branded service) are the data controller for your customers' mailbox content.
• TrekMail is the data processor / sub-processor providing the underlying email infrastructure.

This means your data-protection obligations to your customers (DPAs, breach notification, data-subject access requests) are between you and your customers. We process data on your behalf under the terms of your TrekMail subscription agreement. If your customers need a DPA, you sign it with them; you can reference TrekMail's compliance posture as your sub-processor.