Email Art
Email Art
Pricing

Legal

Privacy Policy

Last updated: 30 May 2026

Email Art ("we", "us", "our") is operated by Aquafruit Pty Ltd. This policy explains what personal data we collect when you use Email Art, why we collect it, how we store, share and protect it, the legal bases on which we rely, and the rights you have over your information.

1. Owner and data controller

Aquafruit Pty Ltd, trading as Email Art, Sydney, New South Wales, Australia.
Privacy contact: privacy@emailart.io
General contact: hello@emailart.io

For the purposes of the EU and UK GDPR, Aquafruit Pty Ltd is the data controller of personal data collected about visitors to emailart.io and account holders, and a data processor in respect of personal data uploaded by Customers into their Workspaces.

2. Data we collect

2.1 Account data

Email address, display name, hashed authentication credentials, OAuth provider identifiers (Google, Microsoft), workspace membership and assigned role.

2.2 Signature content

Information you enter into a signature — full name, job title, contact details, social links, uploaded logos and the rendered HTML you produce. This may include personal data about your employees, contractors and other end users.

2.3 Operational data

Workspace settings, API keys (stored as one-way hashes), domain verification records, audit log entries, and standard server logs (IP address, user agent, request timestamps) used for security, abuse prevention and troubleshooting.

2.4 Billing and payment data

Plan, billing cycle, Seat counts, invoice metadata, billing contact and billing address. Payment instrument data (card number, expiry, CVC) is collected directly by our payment processor Stripe and never traverses or is stored on our systems; we receive only a token, the card brand, last four digits and a status. See section 6 for details on Stripe.

2.5 Communications

Support requests, sales enquiries and any other correspondence you send us, along with our responses.

2.6 Usage and analytics

Aggregated, pseudonymised information about how you interact with the Service (pages viewed, features used, errors encountered) collected via first-party analytics and limited third-party tools described in section 7.

3. How we use your data

  • Deliver, operate, secure and support the Service, including syncing signatures and serving them via your API endpoints;
  • Authenticate Users, isolate tenants and enforce role-based access controls;
  • Process payments, manage Subscriptions, calculate Seat usage and issue invoices;
  • Send transactional communications (invitations, security alerts, billing receipts, important service notices) — you cannot opt out of these while you have an active account;
  • Send product updates and marketing where you have consented or where permitted by law; you can opt out at any time;
  • Diagnose errors, improve performance and develop new features;
  • Detect, investigate and prevent fraud, abuse and security incidents;
  • Comply with legal obligations and respond to lawful requests from regulators, courts or law-enforcement authorities.

4. Legal basis (GDPR / UK GDPR)

Where European or UK data-protection law applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you or your Workspace signed up for and to administer billing;
  • Legitimate interests — to keep the Service secure, prevent fraud and abuse, perform product analytics, and communicate with existing customers about similar services; balanced against your rights and freedoms;
  • Consent — for optional marketing communications and for non-essential cookies and trackers; you may withdraw consent at any time;
  • Legal obligation — to retain tax, accounting and audit records and to respond to lawful requests;
  • Vital interests / public interest — only in exceptional cases such as protecting the safety of an individual.

5. Tenant isolation and access controls

Workspaces are strictly isolated. Data belonging to one Workspace is never accessible to another. Access is enforced server-side via authenticated server functions and row-level security policies — not by client-side checks. Customer admins control who is invited, what role each User has, and what data each role may see.

6. Sub-processors

We use a small number of vetted sub-processors to operate Email Art. Each is bound by a written data-processing agreement and approved data-transfer mechanism. Current sub-processors include:

  • Cloud infrastructure and database hosting — for application hosting, primary database, file storage and backups (primary regions: Australia and the European Union).
  • Stripe Payments Australia Pty Ltd and Stripe, Inc. — payment processing, card tokenisation, subscription management, tax calculation, fraud detection. Stripe is a PCI DSS Level 1 service provider. Stripe processes data globally, including in the United States, under Standard Contractual Clauses where applicable. Stripe's privacy notice is available at stripe.com/privacy.
  • Transactional email provider — for delivery of invitations, password resets, billing receipts and security notices.
  • Authentication providers — Google and Microsoft, where the User elects to sign in with those identities.
  • Error monitoring and product analytics — to detect, diagnose and improve the Service; data is pseudonymised where practical.

A current and complete list of sub-processors is available on request from privacy@emailart.io. We will give reasonable prior notice of any new sub-processor that processes Customer personal data.

7. Cookies and similar technologies

Cookies and similar technologies are small data files stored in your browser that help operate the Service. We use:

  • Strictly necessary cookies — for session, authentication, security, load balancing and CSRF protection. These cannot be disabled.
  • Preference cookies — to remember settings such as theme and language.
  • Analytics cookies — used only where permitted under your consent or local law, to understand aggregate usage and improve the Service.
  • Payment cookies — set by Stripe during checkout to detect fraudulent activity and complete payments.

For more detail and to manage your preferences, see our Cookie Policy. We do not respond to "Do Not Track" browser signals; you can rely on the controls in our Cookie Policy and in your browser settings instead.

8. Sharing and disclosure

We do not sell personal data. We share personal data only with: (a) the sub-processors listed in section 6, strictly to provide the Service; (b) other Users of your Workspace as part of normal Workspace operation; (c) professional advisers (lawyers, accountants, auditors) under confidentiality; (d) authorities, where we are legally required to do so or where disclosure is reasonably necessary to enforce our Terms, prevent fraud or protect the rights, property or safety of any person; and (e) a successor entity, in the event of a merger, acquisition, financing or sale of all or part of our business, subject to the receiving party honouring this policy.

9. International data transfers

Email Art primarily processes data within Australia and the European Union. Some sub-processors (including Stripe) may process data in other jurisdictions, including the United States. Where personal data is transferred outside your country of residence, we rely on Standard Contractual Clauses, the UK Addendum, adequacy decisions, or other lawful transfer mechanisms as appropriate. You can request details of the safeguards applied to any specific transfer by emailing privacy@emailart.io.

10. Data retention

  • Account and signature data — retained for the life of your Workspace.
  • Audit logs — retained for twelve (12) months.
  • Billing and invoice records — retained for at least seven (7) years to meet Australian tax and accounting obligations.
  • Server logs — retained for up to ninety (90) days.
  • Marketing data — retained until you withdraw consent or three (3) years of inactivity, whichever is shorter.

When you delete a Workspace, Customer Content is purged from primary storage within thirty (30) days and from backups within ninety (90) days, except where retention is required by law or to enforce our Terms. Once a retention period expires, the corresponding rights of access, erasure, rectification and portability cannot be exercised because the data no longer exists.

11. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you and receive a copy;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten") in certain circumstances;
  • Restrict or object to processing based on legitimate interests, including direct marketing (you may object to direct marketing at any time, without justification);
  • Portability — receive your data in a structured, commonly used, machine-readable format;
  • Withdraw consent at any time where processing is based on consent;
  • Lodge a complaint with your local data-protection authority — for Australian residents, the Office of the Australian Information Commissioner (OAIC); for EU residents, your national supervisory authority; for UK residents, the Information Commissioner's Office (ICO).

Where you are a User of a Workspace controlled by a Customer, please direct requests concerning Customer Content to that Customer first; we will assist the Customer in responding. To exercise any right with us directly, email privacy@emailart.io. Requests are processed free of charge and within thirty (30) days, or sooner where required by law. We may decline requests that are manifestly unfounded, excessive, jeopardise the privacy of others, or that we are not legally required to fulfil.

12. Security

We use industry-standard safeguards including TLS in transit, encryption at rest, hashed credentials, application-level encryption of sensitive fields, least-privilege service roles, audit logging, network isolation, dependency scanning, and regular review of access. No system is perfectly secure. If a breach materially affects your personal data, we will notify affected Customers and, where required, the relevant supervisory authority, without undue delay.

13. Children

The Service is not directed at children under the age of sixteen (16) and we do not knowingly collect personal data from them. If we learn we have collected such data, we will delete it.

14. Marketing and your choices

We may send you marketing about Email Art where you have consented or where allowed by law (for example, to existing customers about similar services). You can unsubscribe at any time via the link in any marketing email or by emailing privacy@emailart.io. Transactional and service-related messages (billing receipts, security notices, invitations) are not optional while your account is active.

15. Automated decision-making

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects concerning you.

16. Legal action and lawful disclosure

Your personal data may be used by us in court or in the stages leading to possible legal action arising from improper use of the Service. You acknowledge that we may be required to disclose personal data on lawful request of public or governmental authorities.

17. Changes to this policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the latest revision. Material changes will be communicated by email to Workspace admins and/or by in-product notice at least fourteen (14) days before they take effect. Where required, we will obtain fresh consent.

18. Contact

Privacy enquiries: privacy@emailart.io. Postal address available on request.