Skip to content
catchotp

Legal

Privacy Policy

Last updated: May 1, 2026 Effective: May 1, 2026

This Privacy Policy describes how [catchotp Ltd. — REGISTERED ENTITY NAME PLACEHOLDER] ("catchotp", "we", "us") collects, uses, discloses, and otherwise processes personal data when you use our website, our APIs, SDKs, CLI, dashboard, and related services (the "Service"). It also explains your rights under the EU/UK General Data Protection Regulation ("GDPR") and other applicable privacy laws.

1. Who we are

catchotp is the data controller for personal data processed in relation to your account, your use of our website, and our marketing activities. catchotp is a data processor (on your behalf) for personal data contained in inbound email messages received through your inboxes — see our Data Processing Agreement for details.

Our registered address is [REGISTERED ADDRESS PLACEHOLDER], Tel Aviv, Israel. You can contact our privacy team at privacy@catchotp.com.

2. What personal data we collect

We collect the following categories of personal data:

  • Account data. Email address, name (optional), organization, password hash, and authentication metadata. If you sign in via a third-party identity provider, we receive your name, email, and provider account ID.
  • Billing data. Plan tier, subscription status, billing email, country, and tax information. Payment card details are collected and stored by our payment processor, Stripe — we never see or store full card numbers.
  • Service data. The contents of email messages received in your inboxes (including sender addresses, subjects, bodies, and attachments), API request and response metadata, IP addresses (for security and abuse prevention), user-agent strings, and timestamps. Email message content is processed on your behalf as Customer Data; see the DPA.
  • Usage data. Pages and features accessed, errors, and aggregated metrics we use to operate, secure, and improve the Service.
  • Cookies. A small number of strictly necessary cookies for authentication, session integrity, and CSRF protection. See our Cookie Policy for the full list. We do not use third-party advertising or analytics trackers.
  • Communications. Emails, support tickets, and other messages you send to us, along with our responses.

3. Why we collect it

We process personal data to:

  • provide, operate, and maintain the Service;
  • create and manage your account, authenticate you, and protect your sessions;
  • process payments, calculate taxes, and issue invoices;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • respond to support requests, comply with legal obligations, and enforce our terms;
  • send service announcements, security notices, and (with your consent or where permitted) product updates;
  • improve and develop the Service through aggregated analysis.

4. Lawful basis (GDPR)

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR:

  • Performance of a contract — to provide the Service you have signed up for and to bill for usage.
  • Legitimate interests — to keep the Service secure, prevent fraud and abuse, comply with legal demands, and improve our product. We balance these interests against your rights and freedoms.
  • Consent — for any non-essential marketing communications. You can withdraw consent at any time.
  • Legal obligation — where we are required to retain or disclose data by law (e.g., tax records, lawful court orders).

5. How we share personal data

We do not sell personal data and we do not share it for cross-context behavioral advertising. We share personal data only with:

  • Subprocessors who provide infrastructure on our behalf (hosting, billing, DNS, edge security). The current list is published at /legal/subprocessors and is updated 30 days before any change.
  • Professional advisors such as auditors, lawyers, and accountants under duties of confidentiality.
  • Authorities where required by valid legal process. We assess every request and notify you when permitted.
  • Acquirers in the event of a merger, acquisition, financing, or sale of assets, subject to standard confidentiality and continuity of this Policy.

6. International data transfers

The Service is hosted on Amazon Web Services in the United States (us-east-1 region). When you use the Service from outside the United States, your personal data is transferred to and processed in the United States and other jurisdictions where our subprocessors operate. Where required, we rely on Standard Contractual Clauses ("SCCs") approved by the European Commission, supplemented by additional safeguards. Copies of executed SCCs are available on request from privacy@catchotp.com.

7. How long we keep personal data

We retain personal data only as long as necessary for the purposes described in this Policy. Specifically:

  • Email message content is retained for the retention window of your plan tier (24 hours on Free, up to 90 days on Team, custom on Enterprise). After expiry, message bodies are deleted from our database and object storage.
  • Audit-log metadata (sender, timestamp, message ID, no body) is retained for 365 days for compliance and abuse investigation.
  • Account data is retained for the life of the account and for 30 days after account closure, after which it is deleted (subject to legal-hold and tax-record retention requirements, typically 7 years for invoices).
  • Backups follow a 35-day point-in-time recovery window managed by AWS.

8. Your rights

Depending on your jurisdiction, you have rights over your personal data, including the rights to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • delete your data, subject to legal retention obligations;
  • port a copy of your data in a machine-readable format;
  • object to or restrict certain processing;
  • withdraw consent for processing based on consent;
  • lodge a complaint with your local data-protection authority.

To exercise these rights, email privacy@catchotp.com. We will respond within thirty (30) days, or sooner where required by law. We may need to verify your identity before responding to substantive requests.

9. Children

The Service is not directed to children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@catchotp.com and we will delete it.

10. How we protect personal data

We implement appropriate technical and organizational measures, including encryption in transit (TLS 1.3) and at rest (AES-256 with AWS KMS), least-privilege access, MFA on all administrative accounts, audit logging, and secure software-development practices. See our Security overview for details. No system is perfectly secure, and we cannot guarantee absolute security.

11. Changes to this Policy

We may update this Policy from time to time. For material changes, we will give at least thirty (30) days' notice via email or in-product notification. The "Last updated" date at the top of this Policy reflects the latest revision.

12. Contact us

Questions, requests, or complaints? Email privacy@catchotp.com. Once appointed, our Data Protection Officer can be reached at the same address.