Stickr Privacy Policy

Effective Date: 01/25/2025

Welcome to Stickr (“Stickr,” “we,” “us,” or “our”). Stickr is a Software-as-a-Service (SaaS) email security platform designed to enhance email authenticity and protect against phishing by embedding unique security codes (“scodes”) in outbound emails. Our platform integrates with Gmail and Google Workspace environments.

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you use our website(s), applications, or services (collectively, the “Services”). It also explains your rights and choices regarding this information, and how you can contact us.

By using Stickr, you consent to the practices described in this Privacy Policy.


1. Scope and Definitions

  • “Personal Data” or “Personal Information” means any information relating to an identified or identifiable individual, as defined under relevant data protection laws including the GDPR.
  • “Processing” means any operation or set of operations performed on Personal Data, such as collection, use, storage, or disclosure.
  • “User” or “You” means any individual accessing or using Stickr’s Services, including Administrators of Google Workspace domains and end users who send or receive emails processed by Stickr.

This policy applies to Personal Data we collect:

  1. Through our Services, such as email interception, routing, scode insertion, and verification;
  2. Through Stickr websites, web applications, or related web portals where you log in to manage your account.

2. Summary of Our Role (GDPR)

Under the EU General Data Protection Regulation (GDPR), Stickr may act as:

  • A Data Processor when we process email content and associated Personal Data on behalf of our Google Workspace customers.
  • A Data Controller, in limited circumstances, for Personal Data related to our own business operations (e.g., billing details for customers, user account data for authentication).

Where Stickr acts as a Data Processor, we process Personal Data solely under the instructions of our customers (the Data Controllers) and as required by our contractual obligations and applicable law.


3. Information We Collect

3.1 Data from Email Processing

  • Email Headers and Metadata: We collect and process certain email headers (e.g., sender, recipient, date) to facilitate routing and to embed security verification information.
  • Email Body and Attachments: Stickr may temporarily store and process the body and attachments of emails if they require security code insertion or phishing protection checks.
  • scodes and Verification Data: We generate a unique security code and insert it into outbound emails. We may store the mapping of scodes to verification results.

3.2 User Account Data

  • Google Workspace Profile Data: If you authenticate via Google OAuth 2.0, we may receive your name, email address, and certain profile details to associate your Stickr account with your Google Workspace identity.
  • Account Credentials and Tokens: We may store OAuth tokens or refresh tokens to securely integrate with Gmail and Google Workspace (with your permission).

3.3 Technical and Usage Data

  • Log Data: We automatically collect system logs, diagnostic information, IP addresses, and timestamps when you interact with our Services.
  • Cookies and Similar Technologies: Our website may use cookies, beacons, or similar technologies to enhance user experience and analyze usage. You can manage cookie preferences in your browser.

4. How We Use Personal Data

We use the information described above to:

  1. Provide and Maintain the Services:

    • Embed security codes (scodes) into outbound emails.
    • Intercept, process, and route emails via our SMTP proxy or Gmail API integration.
    • Verify email authenticity and display security verification pages.
  2. Authenticate and Secure Accounts:

    • Manage user sessions and permissions via OAuth tokens.
    • Monitor usage to detect and prevent suspicious or unauthorized activities.
  3. Improve and Develop Our Services:

    • Analyze usage to enhance features, improve security algorithms, or debug issues.
    • Conduct internal research or perform statistical analyses.
  4. Comply with Legal Requirements:

    • Fulfill obligations under GDPR, HIPAA, or other applicable laws.
    • Respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.

5. HIPAA Compliance

If Stickr processes Protected Health Information (PHI) on behalf of a covered entity (or its business associates) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we commit to implementing appropriate safeguards, as follows:

  1. Business Associate Agreement (BAA): We will enter into a BAA with covered entities and/or their business associates if required.
  2. Safeguards: We apply administrative, physical, and technical safeguards to protect PHI from unauthorized access or disclosure.
  3. Use and Disclosure: We will not use or disclose PHI except as permitted by the BAA, this Privacy Policy, or as required by law.
  4. Breach Notification: In the event of a security incident or data breach involving PHI, we will notify the covered entity without undue delay, as outlined in the BAA or as required by law.

6. Legal Basis for Processing (GDPR)

We rely on the following lawful bases under the GDPR:

  • Contractual Necessity: To provide our Services under the contract with our customers (e.g., processing emails to embed scodes, verifying email authenticity).
  • Legitimate Interests: To protect against fraud and ensure the security of our systems and emails.
  • Consent: Where required by law (e.g., certain marketing communications, optional cookies).

7. Data Retention

  • Email Content: We store email content only as long as needed for security processing and verification or as required to troubleshoot deliverability issues. Typically, we minimize or delete logs and email bodies promptly after verification is complete.
  • scodes and Verification Records: We may retain logs containing scodes and verification events for an appropriate period to audit potential phishing attempts and security incidents.
  • User Account Data: We retain user profile information and OAuth tokens as long as your account remains active or as required to fulfill contractual, legal, or compliance obligations.

8. Data Sharing and Transfers

We do not sell personal data. We may disclose personal data in the following scenarios:

  1. Service Providers: We engage trusted third-party vendors for infrastructure hosting, email delivery, or data analytics who process data on our behalf (sub-processors).
  2. Compliance with Laws: We may disclose data if required to do so by law or in response to valid requests by public authorities.
  3. Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, subject to confidentiality and appropriate safeguards.

If we transfer Personal Data outside of the EEA, UK, or Switzerland, we will ensure an adequate level of protection through standard contractual clauses or other lawful mechanisms.


9. Data Security Measures

We use reasonable technical and organizational measures to protect Personal Data, including:

  • Encryption: TLS encryption for data in transit.
  • Access Controls: Role-based access and least privilege principles to restrict data access to authorized personnel.
  • Intrusion Detection: Monitoring and alerting systems for detecting unauthorized access or suspicious activities.
  • Regular Audits: Periodic security assessments and penetration tests.

Despite these measures, no security method is foolproof. We cannot guarantee absolute security of your data.


10. Your Rights and Choices

Depending on your jurisdiction, you have certain rights regarding your Personal Data:

  • Access, Correction, Deletion: You can request access to, correction, or deletion of your Personal Data.
  • Portability: In certain cases, you may request a copy of Personal Data in a structured, machine-readable format.
  • Restriction or Objection: You may object to, or request restriction of, certain processing.
  • Withdraw Consent: If we rely on your consent, you have the right to withdraw it at any time.

Contact the Data Controller (usually your organization’s Google Workspace admin) to exercise these rights. Where Stickr acts as the Data Processor, we will assist the Data Controller in responding to individuals’ rights requests under GDPR.


11. Children’s Privacy

Our Services are not directed to children under the age of 16. We do not knowingly collect Personal Data from children. If you believe we have inadvertently collected such data, please contact us so we can promptly delete it.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website and indicating the date of the latest revision at the top. We encourage you to review this page periodically to stay informed about how we protect your data.


13. Contact Us

If you have questions or concerns about this Privacy Policy, or if you wish to exercise any legal right, please contact us at:

  • Email: austin@stickrmail.com

For GDPR inquiries, our Data Protection Officer (DPO) or EU Representative can be reached at the same contact details above. For HIPAA-related concerns or BAA inquiries, please reference “HIPAA Request” in your subject line.


Disclaimer

This Privacy Policy template is provided for informational purposes only and does not constitute legal advice or create any contractual relationship. You should consult with a qualified attorney to adapt it to your specific business model and legal requirements.


Last Updated: 01/25/2025