Privacy Policy

Last Updated: March 18, 2026

This Privacy Policy describes how RacterMX, operated by Racter Holdings ("RacterMX," "we," "us," or "our"), collects, uses, and protects your personal information when you use our email forwarding services.

1. Data Controller and Data Protection Officer

For the purposes of the General Data Protection Regulation (GDPR), UK GDPR, Brazil's LGPD, and other applicable data protection laws, the data controller is:

Racter Holdings
Email: privacy@ractermx.com

Our designated Data Protection Officer (DPO), who also serves as the Encarregado de Proteção de Dados under Brazil's LGPD, can be contacted at:

Data Protection Officer / Encarregado de Proteção de Dados
Email: dpo@ractermx.com

2. Information We Collect

Account and Registration Data

When you create an account, we collect:

Name and email address
Authentication credentials (password hash)
Organization and tenant associations

Email Service Data

When you use our email forwarding service, we collect and process:

Domain names you configure and their DNS records (SPF, DKIM, DMARC)
Email alias configurations and forwarding rules
Email metadata: sender address, recipient address, subject line, message ID, email headers, message size, delivery status (forwarded, bounced, rejected, spam), bounce reasons
Timestamps: when emails are received and forwarded
Anonymous reply proxy address mappings
Sender blocklist entries you configure

Email Content

RacterMX is an email forwarding service. Email body content passes through our servers during the forwarding process but is not permanently stored. We retain only email metadata (sender, recipient, subject, headers, delivery status) according to your configured retention policy.

Technical and Security Data

We automatically collect:

IP addresses of connecting mail servers (for spam filtering and abuse prevention; not stored long-term or associated with user accounts)
Browser type, operating system, and user agent strings
Login timestamps and session data
API key usage metadata (key name, scopes, creation date, last used timestamp, creator)
SMTP credential usage data (username, daily send counts, last used timestamp)
Webhook endpoint URLs, subscribed events, and delivery logs
Audit trail records of administrative actions

Billing Data

When you subscribe to paid services, we collect:

Billing name and address
Company name and VAT number (if applicable)

Credit card information is processed directly by Stripe. We never receive or store your full credit card information. Stripe complies with PCI-DSS standards. View Stripe's privacy policy at stripe.com/privacy.

Communication Data

We collect communications you send to us through email, contact forms, support tickets, and live chat (powered by Tawk.to).

3. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Art. 6, LGPD Art. 7):

Contract performance — Processing necessary to provide the email forwarding service you signed up for
Legitimate interest — Security monitoring, fraud prevention, abuse detection, service improvement, and maintaining email deliverability
Legal obligation — Compliance with applicable laws, responding to lawful requests through Icelandic courts
Consent — Analytics cookies (Google Analytics) and marketing communications. You may withdraw consent at any time

4. How We Use Your Information

We use your information to:

Provide and maintain email forwarding services
Authenticate users and secure accounts
Process payments and manage subscriptions
Provide customer support (including via live chat)
Send service-related notifications
Improve our services and develop new features
Detect and prevent fraud, spam, and abuse
Maintain email deliverability and sender reputation
Generate aggregate, anonymized usage statistics
Comply with legal obligations

5. Cookies and Tracking

We use the following categories of cookies:

Essential Cookies — Required for authentication, session management, and service functionality. These cannot be disabled.
Analytics Cookies — Google Analytics cookies to understand how users interact with our website. These are loaded only with your consent.
Chat Cookies — Tawk.to cookies for the live chat support widget.
Preference Cookies — Store your theme preference (light/dark mode).

You can control cookie preferences through your browser settings or via the cookie consent banner displayed on your first visit. Disabling essential cookies may affect service functionality. For analytics cookies, you can also install the Google Analytics Opt-out Browser Add-on.

6. How We Share Your Information

We do not sell, trade, or rent your personal information. We share your information only in the following circumstances:

Service Providers (Sub-Processors)

Stripe (United States) — Payment processing. Privacy Policy
Google Analytics (United States) — Website analytics. Privacy Policy
Tawk.to (United States) — Live chat support. Privacy Policy

For sub-processors located outside the EEA, data transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

If you require a Data Processing Agreement (DPA) for your organization's compliance needs, contact dpo@ractermx.com to request one.

Legal Requirements

We may disclose information when required by Icelandic law or to comply with legal processes served through Icelandic courts. As our infrastructure is in Iceland, foreign government data requests must go through Icelandic legal channels. We are not subject to US National Security Letters, the CLOUD Act, or FISA Section 702.

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. Data Security

We implement comprehensive security measures to protect your information:

Encryption of data in transit (TLS 1.3) and at rest
DKIM (ED25519), SPF, DMARC, DANE/TLSA, and MTA-STS for email authentication
Regular security audits and monitoring
Role-based access controls and multi-factor authentication
Secure data centers in Iceland with DNSSEC-protected DNS
Audit logging of all administrative actions

No security measures are perfect. We will notify you and the relevant supervisory authority of any personal data breach as required by GDPR Art. 33-34 and applicable law.

8. Data Retention

We retain your data according to the following schedule:

Account data: Retained while your account is active
Email metadata: Configurable per organization; default 90 days (minimum 7 days, maximum 2,555 days). You may also set per-event retention overrides (e.g., different retention for bounced vs. forwarded emails).
Audit logs: 1 year
Webhook delivery logs: 30 days
Billing records: As required by tax and accounting law

You may configure shorter retention periods through your dashboard. You can also delete all of your data at any time using the self-service Privacy & Data dashboard, which allows you to export your data in a machine-readable format (GDPR Art. 20 data portability) and permanently delete your account and all associated records. Upon account deletion, all associated data is permanently removed within 30 days, except where retention is required by law.

9. International Data Transfers

Your data is primarily stored and processed in Iceland, which is a member of the European Economic Area (EEA) and provides an adequate level of data protection recognized by the European Commission.

Where we use sub-processors located outside the EEA (such as Stripe and Google Analytics in the United States), we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or other mechanisms approved under GDPR Chapter V.

10. Automated Decision-Making

RacterMX uses automated systems for spam detection, sender reputation scoring, and abuse prevention. These systems may automatically reject or flag incoming emails based on sender reputation, content analysis, and blocklist matching. These automated decisions relate to email processing, not to decisions about your account or rights as a data subject.

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you as defined under GDPR Art. 22. If you believe an automated decision has adversely affected you, contact privacy@ractermx.com.

11. Your Privacy Rights

Regardless of your location, you have the right to access, update, export, and delete your personal information through your account dashboard. You can exercise these rights self-service via the Privacy & Data dashboard, which provides data export (in machine-readable JSON format) and full account deletion. You can opt out of marketing emails by clicking the unsubscribe link in any marketing message.

12. GDPR Rights (EEA, Iceland, Liechtenstein)

If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:

Right of access (Art. 15) — Obtain a copy of your personal data
Right to rectification (Art. 16) — Correct inaccurate data
Right to erasure (Art. 17) — Request deletion ("right to be forgotten")
Right to restrict processing (Art. 18) — Limit processing in certain circumstances
Right to data portability (Art. 20) — Receive your data in a machine-readable format
Right to object (Art. 21) — Object to processing based on legitimate interest
Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time
Right to lodge a complaint — File a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is, or with your local supervisory authority

To exercise these rights, use the self-service Privacy & Data dashboard for data portability and erasure, or contact privacy@ractermx.com. We will respond within 30 days.

13. UK GDPR Rights (United Kingdom)

If you are in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation and the Data Protection Act 2018. You can exercise your rights to data portability and erasure self-service via the Privacy & Data dashboard, or contact privacy@ractermx.com. Your supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

Iceland is recognized by the UK as providing an adequate level of data protection, meaning your data can be transferred to our Icelandic infrastructure without additional safeguards.

14. LGPD Rights (Brazil) / Direitos LGPD (Brasil)

If you are in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018):

Confirmation of the existence of processing
Access to your personal data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Portability of data to another service provider
Deletion of personal data processed with your consent
Information about public and private entities with which your data has been shared
Information about the possibility of denying consent and the consequences thereof
Revocation of consent

Our legal bases for processing under LGPD include: performance of a contract (Art. 7, V), legitimate interest (Art. 7, IX), and consent where applicable (Art. 7, I). You can exercise your rights to data portability and erasure self-service via the Privacy & Data dashboard, or contact our Encarregado at dpo@ractermx.com.

🇧🇷 Aviso aos Usuários no Brasil (LGPD — Lei nº 13.709/2018)

Se você está localizado no Brasil, seus dados pessoais são protegidos pela Lei Geral de Proteção de Dados (LGPD). Como titular de dados, você tem direito a:

Confirmação da existência de tratamento de dados
Acesso aos seus dados pessoais
Correção de dados incompletos, inexatos ou desatualizados
Anonimização, bloqueio ou eliminação de dados desnecessários ou excessivos
Portabilidade dos dados a outro fornecedor de serviço
Eliminação dos dados pessoais tratados com o seu consentimento
Informação sobre entidades públicas e privadas com as quais seus dados foram compartilhados
Informação sobre a possibilidade de não fornecer consentimento e as consequências da negativa
Revogação do consentimento

As bases legais para o tratamento de seus dados incluem: execução de contrato (Art. 7, V), legítimo interesse (Art. 7, IX) e consentimento, quando aplicável (Art. 7, I).

Encarregado de Proteção de Dados: dpo@ractermx.com

Painel de autoatendimento: Privacy & Data (portabilidade e exclusão de dados)

Autoridade competente: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd

15. PIPEDA Rights (Canada)

If you are in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to:

Access your personal information held by us
Challenge the accuracy and completeness of your data and have it amended
Withdraw consent for the collection, use, or disclosure of your information (subject to legal or contractual restrictions)

We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate. You can access and export your data, or delete your account, via the Privacy & Data dashboard. You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

16. Australian Privacy Principles (Australia)

If you are in Australia, your personal information is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. You can access, export, and delete your data via the Privacy & Data dashboard. You may file a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

17. CCPA/CPRA Rights (California, USA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to know what personal information is collected, used, and disclosed
Right to delete personal information
Right to correct inaccurate personal information
Right to opt-out of the sale or sharing of personal information
Right to non-discrimination for exercising your privacy rights

We do not sell your personal information. To exercise these rights, use the self-service Privacy & Data dashboard or contact privacy@ractermx.com. We will respond to verifiable consumer requests within 45 days as required by the CCPA.

18. Children's Privacy

Our services are not intended for users under 16 years of age. We do not knowingly collect information from children under 16. If you believe we have collected data from a child under 16, please contact us immediately at privacy@ractermx.com and we will delete it.

19. Third-Party Links

Our services may contain links to third-party websites. We are not responsible for the privacy practices of these websites.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered account address and by updating the "Last Updated" date at the top of this page. We will provide at least 30 days' notice before material changes take effect.

21. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights:

Privacy and data protection: privacy@ractermx.com
Data Protection Officer / Encarregado: dpo@ractermx.com
Security concerns: security@ractermx.com
General inquiries: ractermx.com/contact

Our lead supervisory authority is the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is.