Privacy Policy

This Privacy Policy describes how Edgeworks LLC ("we," "us") collects, uses, stores, and shares personal data in connection with the EdgeMail WordPress plugin, the website at edgemailapp.com, the licence server at api.edgemailapp.com, and related services. We are the data controller for the personal data described in this policy.

01Who we are

Edgeworks LLC, registered in Tbilisi, Georgia. Contact: info@edgemailapp.com or +44 131 564 0150 (email preferred).

If you are in the European Economic Area, the United Kingdom, or Switzerland and have questions about how we handle your personal data, you may reach us at the same address. (Edgeworks LLC may, depending on transaction volumes from the EEA, be required to appoint an Article 27 representative. Once appointed, their contact details will be listed in this section.)

02What this policy covers — and what it doesn't

This policy covers personal data we collect as a data controller. It does not cover:

• Email data processed by your WordPress site through EdgeMail. When the plugin is installed on your site, you (the site operator) are the data controller for the recipient addresses, email contents, and tracking events that pass through the plugin. EdgeMail acts as a processor for you only to the extent it transmits that data to Cloudflare for delivery.
• Payment data. Purchases are processed by Paddle.com Market Limited as Merchant of Record. Your payment card details, billing address, and tax information are collected and stored by Paddle under Paddle's Privacy Notice, not by us. We receive only a limited set of post-purchase information from Paddle (see below).
• Email delivery. Once an email leaves your WordPress site via EdgeMail, it is transmitted to the Cloudflare Email Service for delivery. Cloudflare's handling of that data is governed by the Cloudflare Privacy Policy.

03What we collect, and why

A. Marketing website (edgemailapp.com)

Data	Purpose	Legal basis (GDPR)
IP address, user-agent, referrer, basic request logs	Security, abuse prevention, aggregate traffic analytics	Legitimate interests
Email address, message content (contact form, if used)	Respond to your enquiry	Legitimate interests / pre-contractual steps

The marketing site does not set advertising or cross-site tracking cookies. We use privacy-respecting, aggregate traffic analytics and do not profile individual visitors.

B. Pro licence purchase and licence server

Data	Purpose	Legal basis (GDPR)
Customer email address, licence key, tier, subscription status, Paddle subscription ID, Paddle transaction ID	Create, validate, and manage your licence; send the licence key; handle renewals, cancellations, and refunds	Contract performance
Activation records: site URL (host only), anonymised site hash, plugin/WordPress/PHP versions, activation and last-check timestamps	Enforce the per-tier site limit; diagnose compatibility issues; serve plugin updates	Contract performance / legitimate interests
Download events: licence ID, plugin version, requesting IP address, timestamp	Detect abuse of the update-distribution system	Legitimate interests
Webhook events from Paddle (transaction, subscription, refund events)	Keep your licence status in sync with your subscription	Contract performance / legal obligation

C. Customer support

When you contact us at info@edgemailapp.com, we receive your email address and the content of your message. We retain support correspondence so that we can help with follow-up questions and investigate recurring issues. Legal basis: legitimate interests, and contract performance where the request relates to your licence.

D. What the Pro plugin sends back to us from your WordPress site

When you activate a Pro licence inside the plugin, and periodically thereafter, the plugin contacts our licence server at api.edgemailapp.com and transmits:

• Your licence key
• Your site's host URL (canonicalised)
• Plugin version, WordPress version, and PHP version

The plugin does not transmit email bodies, recipient lists, open/click events, or any customer data from your WordPress database to Edgeworks. Those remain on your site.

04Who we share data with

• Paddle.com Market Limited — our Merchant of Record, based in the United Kingdom, for payment processing, tax handling, and buyer support in relation to payments. Paddle shares a limited subset of transaction data with us (customer email, product purchased, transaction ID, country for tax purposes, subscription status).
• Cloudflare, Inc. — operates our licence server infrastructure (Cloudflare Workers, D1, R2) and the Email Service that delivers emails from your WordPress site. We use Cloudflare's standard terms and Data Processing Agreement.
• Transactional email providers — we use Cloudflare Email Service (dog-fooding) to deliver licence-key emails and, for Pro customers, any operational communications about your subscription.
• Professional advisers — lawyers, accountants, and auditors, as necessary and under a duty of confidentiality.
• Legal and regulatory authorities — where required by law, court order, or to protect our rights, users, or the public.

We do not sell personal data, and we do not share it with advertising networks or data brokers.

05International transfers

Our infrastructure runs on Cloudflare's global edge network, which processes requests at the data centre closest to the visitor. As a result, personal data may be processed outside your country of residence, including in the United States, the European Economic Area, and the United Kingdom. Where data leaves the EEA or UK, we rely on the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate, to provide an adequate level of protection.

06How long we keep it

• Licence records — for the life of the subscription, plus up to 7 years afterwards to comply with tax and accounting obligations and to resolve disputes or refund requests.
• Activation records — for the life of the licence; deleted when the licence is permanently deactivated, plus up to 90 days of grace for support purposes.
• Download event logs — 90 days.
• Webhook event logs — 12 months.
• Support correspondence — up to 3 years after the last contact.
• IP addresses in logs — anonymised after 30 days.

07Your rights

Depending on where you live (in particular, if you are in the EEA, UK, Switzerland, or a U.S. state with a comprehensive privacy law such as California, Colorado, or Virginia), you have some or all of the following rights in respect of your personal data:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data, subject to legal retention obligations (for example, tax records).
• Restriction — ask us to limit how we use your data while a query is resolved.
• Portability — ask for your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
• Complain to a supervisory authority — in your country of residence. We would appreciate the chance to resolve the issue directly first.

To exercise any of these rights, email info@edgemailapp.com from the address associated with your account. We will respond within 30 days.

08Security

We protect personal data with industry-standard technical and organisational measures: TLS in transit, encryption at rest for sensitive fields (such as licence keys stored in plugin options), strict access controls on the licence server, HMAC-signed download URLs, and signature verification on all webhook traffic. No online service is perfectly secure — if we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with applicable law.

09Cookies

The marketing site uses only strictly necessary cookies and similar storage. We do not use advertising, retargeting, or third-party analytics cookies that would require consent under the ePrivacy Directive. If this changes in the future, we will update this policy and, where required, present a consent banner.

10Children

The Service is intended for business users — WordPress site operators, agencies, and developers — and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11Changes to this policy

We may update this Privacy Policy from time to time. The "Effective" date at the top of the page reflects the latest version. Material changes that affect how we use your personal data will be announced on the website and, for active Pro customers, by email at least 14 days before they take effect.

12Contact