Privacy Policy
1. Introduction
SpamFoo.com ("SpamFoo") is committed to safeguarding the privacy of our website visitors, license holders, customers, and service users. In doing so, we act as Data Controller for the personal data processed from these individuals.
This privacy policy applies where SpamFoo is acting as a Data Controller regarding the personal data of our website visitors and service users; i.e., when we determine the purposes and means of the processing of that personal data.
When processing email data on behalf of our customers, SpamFoo acts as a Data Processor. In this capacity, we process data only according to our customers' instructions and applicable data protection laws. Customers requiring a Data Processing Agreement (DPA) should contact privacy@spamfoo.com. For sanitized, anonymized, or aggregated information that no longer identifies an individual or customer, SpamFoo may act as an independent controller for purposes of improving its services, security, and classification models.
SpamFoo was designed to classify email while minimizing the amount of personal information transmitted outside a customer’s environment. Wherever possible, email processing occurs locally through the SpamFoo Client, and only sanitized information is used by SpamFoo Online Services.
This policy describes what personal data we collect, how we use it, with whom we share it, and your rights regarding your data.
2. Personal Data We Collect
We collect personal data from the following sources:
- Directly from you when you create an account, contact us, or configure our services
- From your use of our services, including technical and usage data
The types of personal data we collect include:
- Account information: name, email address, company name, billing address, payment method
- Communication data: support requests, sales inquiries, feedback submissions
- Configuration data: email server settings, custom rules, allowlists and blocklists
- Service usage data: API call volumes, processing times, classification results
- Technical data: IP addresses, browser type, operating system
For email processing, the SpamFoo Client classifies email entirely on your mail server. Email content, including bodies, subjects, and attachments, is never transmitted to or stored on SpamFoo servers in its original form. When services are used to look up reputation or to enhance SpamFoo's models, we send only sanitized metadata: cryptographically hashed email addresses and text (via industry-standard one-way hashing techniques) processed into mathematical representations (embeddings and vectors) from which the original content cannot reasonably be reconstructed. Sanitized email contents may also be sent to improve our models, but only with the recipient's express consent, which can be granted or revoked at any time through their email client. Sanitization of shared message content removes identifying details such as names, addresses, and account identifiers using automated techniques; it is designed to remove personal information but, like any automated process, cannot guarantee perfect removal in every message.
If you voluntarily submit a .eml file or other email content to SpamFoo outside of the application (for example, in connection with a support request), we may retain that content for the purpose of fulfilling the request and improving our classification models.
3. How We Use Your Data
SpamFoo processes your personal data for the following purposes:
- Service delivery: to provide email classification and reputation services
- Transaction processing: to process payments and manage your subscription
- Communication: to respond to support requests and send service notifications
- Service improvement: to analyze aggregated, anonymized data for improving our classification models
- Legal compliance: to meet our legal and regulatory obligations
We process your data because this is necessary for the performance of a contract with you, for the establishment, exercise, and substantiation of legal claims, for compliance with legal obligations, based on consent granted by you, or based on our legitimate interests. Our legitimate interests include:
- Improving email classification to prevent spam
- Preventing fraud
- Maintaining network security for ourselves and our customers
- Internal analytics for service improvement
When we rely on legitimate interests, we balance our interests against your rights and only proceed where our interests do not override your fundamental rights and freedoms.
Sanitized data used for model improvement is never sold, licensed, or provided to third parties and is used solely to improve SpamFoo services.
4. Data Sharing
SpamFoo does not sell your personal data. We do not share email content or customer data with third parties for marketing, advertising, analytics, or unrelated commercial purposes.
We use the following service providers to operate our business:
- Payment processor (Authorize.Net): processes payment transactions on our behalf
- Reputation providers: we may query external reputation databases using anonymized data only; no personal data is shared
Our cloud infrastructure provider hosts our SpamFoo Online Services but is contractually restricted from accessing customer data except as necessary to provide infrastructure services.
We may disclose personal data to legal authorities when required by law, court order, or governmental regulation.
5. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Classification results: 90 days
- Reputation cache: 90 days
- User feedback (anonymized): 2 years
- Audit logs: 1-7 years (jurisdiction-dependent)
- Account and billing records: 7 years (legal requirement)
Upon termination of your subscription, we cease active processing of your data and service-related data (such as classification results and reputation cache) is deleted according to the retention periods described above. We retain your account information in a deactivated state so that you may reactivate your account in the future. You may request complete deletion of your account and all associated personal data at any time by contacting privacy@spamfoo.com.
6. Data Security
SpamFoo implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- All data in transit is protected using TLS 1.3 encryption
- All data at rest is protected using industry-standard encryption, hashing, and encoding techniques
- Multi-factor authentication is required for administrative access
- Role-based access controls enforce the principle of least privilege
7. International Data Transfers
SpamFoo is headquartered in the United States. Personal data may be processed and stored in the United States or other jurisdictions where SpamFoo or its service providers operate. Where required by applicable law, SpamFoo implements appropriate safeguards for international transfers of personal data.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your personal data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Restriction: request temporary restriction of processing
- Withdraw consent: withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@spamfoo.com. We will respond to your request within four weeks. We may request verification of your identity before processing your request.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
9. Automated Decision-Making
SpamFoo uses automated processing to classify email messages. The SpamFoo Client and SpamFoo Online Services analyze email metadata, sender reputation, authentication results, and other signals to determine whether a message is spam, phishing, or legitimate, and to sort legitimate messages into classifications (e.g., primary, updates, promotions, transactions).
These automated decisions affect the delivery and classification of email messages only. No automated decision-making is applied to customer accounts, billing, access, or any other aspect of your relationship with SpamFoo.
You have the right to:
- Submit corrections when an email is misclassified, which directly improves future classification accuracy
- Configure custom rules, allowlists, and blocklists to override automated decisions
- Contact us regarding concerns about classification decisions, and where reasonably practicable, SpamFoo may investigate reported issues
10. Your California Privacy Rights
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CPRA") provides you with additional rights regarding your personal information.
Categories of personal information we collect:
- Identifiers: name, email address, IP address, account credentials
- Commercial information: billing records, subscription details, payment history
- Internet or electronic network activity: API usage logs, service interaction data, browser type
- Professional or employment-related information: company name, job title (if provided)
Your CPRA rights:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing: SpamFoo does not sell or share your personal information as those terms are defined under the CPRA. No opt-out is required.
- Right to limit use of sensitive personal information: SpamFoo does not use or disclose sensitive personal information for purposes beyond those permitted under the CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CPRA rights.
To exercise your California privacy rights, contact us at privacy@spamfoo.com. We will verify your identity before processing your request and respond within 45 days.
Financial incentives: SpamFoo does not offer financial incentives or price differences in exchange for the retention or sale of personal information.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, SpamFoo will:
- Where required by applicable law, including GDPR, notify applicable supervisory authorities within required statutory timeframes
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Comply with applicable state breach notification laws, including California Civil Code Section 1798.82
Breach notifications will include a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address and mitigate the breach.
12. Cookies
Our website uses only functional cookies that are strictly necessary for the operation of the site. These cookies are required for authentication, session management, and access to the account management and dashboard areas. They cannot be disabled without impairing the functionality of the site.
SpamFoo does not use analytics cookies, third-party tracking cookies, advertising pixels, or cross-site tracking technologies. Because SpamFoo currently uses only strictly necessary functional cookies, we do not presently display a cookie consent banner.
13. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such information, contact us immediately at privacy@spamfoo.com.
14. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify customers via email at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
15. Contact Us
For questions about this privacy policy or to exercise your data protection rights, contact us:
Email: privacy@spamfoo.com
We will respond to your inquiry within four weeks of receipt.
Version 2.0 | Effective: March 26, 2026