Privacy Policy

Effective date: March 1, 2024

sGPT is built privacy-first: every customer runs on their own VPS (provided by us), we have zero access to your content, and end-to-end encryption is the default. We're a software vendor, not an ESP—you control your data, we only process billing information.

Single-Tenant VPS

Your own isolated server

Zero Access

We revoke our keys after setup

E2E Encrypted

We can't see your content

What We Are / Aren't

We ARE

A software vendor shipping an automation tool you deploy to your own VPS (provided by us).

We AREN'T

Your ESP, list host, wallet custodian, data broker, or mail relay.

Information We Collect (Minimal)

We collect only what's necessary for billing and license enforcement—nothing else.

Billing only: Company name, billing email, plan, invoice/transaction IDs.
Minimal metrics: Instance-hours, version number, success/fail counts (no message content).
No content access: We cannot see your contacts, templates, emails, or campaign data.

Data & Privacy Architecture

Your data lives on your own VPS under your domain. We never centralize or access your content.

Data residency: All customer data lives on your VPS under your domain.
No content access: We can't see your contacts, templates, or emails.
No central logs: We don't centralize message logs.
Suppression local-only: Unsubscribes/bounces/complaints stored on your VPS only.
Customer-held keys: Encryption keys are yours. Lose them = we cannot recover data.

Security (How It's Built)

E2E by Default

Client-side encryption for lists/templates/content.

Per-Tenant Domains

Mandatory customer CNAMEs for tracking/unsub (or disable tracking entirely).

No Shared Infrastructure

No shared tracking links or pooled IPs that can taint other tenants.

Access Revocation

Installer auto-removes bootstrap users/keys and emits a signed "access revoked" receipt.

Logging & Retention

✗

We don't keep message logs, recipient lists, or content.

✓

We do keep minimal billing records for tax/audit periods.

✓

On your VPS: you control system logs; defaults use short retention.

Payments & Billing

Crypto-Only

Stablecoins or BTC via supported gateways; we never custody your funds.

What We Keep

Company name, billing email, plan, invoice/tx IDs—that's it.

Refunds

Crypto refunds sent back to customer-provided address (subject to AML/sanctions checks).

Hosting & Jurisdiction

Recommended regions: CH primary; EU edge (NL/DE) for latency.

Law follows the users: Your marketing compliance depends on where you email, not where the VPS sits.

Company status: sGPT acts as a software vendor; if you enable optional features that process personal data on our infra, we'll offer a DPA.

Compliance Posture (Who Does What)

You are the sender/controller

Under GDPR, CAN-SPAM, CASL, and other regulations, you control recipient data and decide when to send. We process only billing info.

We're the software licensor

We provide the tool. We can't see your contacts or content. If you enable optional analytics that touch our servers, we'll sign a DPA.

Deliverability rules enforced

We block obvious spam patterns (purchased lists, no unsubscribe link, blacklisted domains) to protect our IP reputation pool.

Business Logic (How the App Behaves)

The software performs pre-flight checks and real-time health monitoring to protect deliverability:

Pre-flight checks: DMARC/SPF/DKIM, sender domain reputation, required headers (List-Unsubscribe).
Rate & health controls: Automatic pausing if bounce rate >5%, complaint rate >0.1%, or blacklist detection.
Diagnostics without PII: We may see aggregate metrics (open%, bounce%) but never email addresses or message content.

Customer Responsibilities

You must comply with applicable laws and regulations when using sGPT:

✓

Obtain valid consent before sending (GDPR, CASL, etc.)

✓

Include working unsubscribe links in every message

✓

Honor opt-outs within 10 days (CAN-SPAM) or 30 days (GDPR)

✓

Configure SPF, DKIM, and DMARC for your sending domains

✓

Keep your VPS and software updated (we'll notify you of critical patches)

✓

Maintain backups of your data (we provide daily snapshots, but you own the data)

✓

Secure your encryption keys (lose them = permanent data loss)

Acceptable Use (Hard Lines)

We terminate accounts immediately for:

✗

Purchased, scraped, or rented email lists

✗

Phishing, malware, or fraudulent content

✗

Spam complaints >0.3% sustained over 7 days

✗

Attempts to bypass pre-flight checks or rate limits

✗

Sending without consent or to suppression-listed addresses

✗

Adult content, gambling, payday loans, or crypto schemes (case-by-case review)

Violations may result in immediate suspension without refund. Serious abuse reported to authorities.

Our Commitments

✓

We will never sell, share, or monetize your customer data

✓

We will notify you of any security incidents within 72 hours

✓

We will provide 30 days notice before material privacy policy changes

✓

We will maintain SOC 2 Type II compliance once achieved

✓

We will delete your billing data within 90 days of account closure (unless required for tax/audit)

Your Rights

Depending on your location, you may have rights to access, correct, delete, or restrict the use of your data. Submit requests through the privacy center in the dashboard or email [email protected]. We respond within 30 days.

Changes to This Policy

We will post any updates on this page and notify workspace owners in-app at least 30 days before changes take effect. Material changes require your acceptance to continue using the service.

Contact

Privacy questions? Email [email protected] or write to sGPT Labs, Neue Bahnhofstr. 12, 10245 Berlin, Germany.

We are GDPR compliant and pursue SOC 2 Type II certification. Details are available in our security addendum.