Privacy Policy
OneSuite by MailBluster LLC
Effective Date: January 16, 2026
Welcome to OneSuite! Your privacy is important to us, and we are committed to protecting and respecting your personal information. This Privacy Policy explains how Mailbluster LLC (“we,” “us,” or “our”), operating as OneSuite, collects, uses, discloses, stores, and protects your information when you use our services or visit our website at onesuite.io.
By using OneSuite, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our services.
1. Information We Collect
We collect only the information necessary to operate OneSuite effectively and securely. We follow the principle of data minimization and only collect what is required to provide our services.
1.1 Account & Identity Information
When you create an account, we collect:
- Full name
- Email address
- Postal address (if provided)
- Phone number (if provided)
- User ID and Business ID
- Username, password (hashed), and account preferences
1.2 Email Integration Data
When you connect your email account to OneSuite for CRM integration, we collect and store:
- Email provider information (e.g., Microsoft Outlook)
- Connected email account identifiers
- Email metadata: subject line, sender and recipient addresses, CC recipients, thread ID, direction (sent/received), timestamps, and view status
- Email body content (stored in raw and/or compressed form for CRM display)
Email Sending: OneSuite allows you to send emails on your behalf directly from within the CRM interface. When you send an email through OneSuite, it is transmitted using your connected email account credentials.
1.3 Attachment Information (Metadata Only)
Important: We do NOT store email attachment files. We store only attachment metadata, including:
- File name
- File size
- MIME type
- Provider attachment ID
Attachment files are fetched on-demand directly from your email provider when you choose to access them. This approach minimizes data storage while maintaining full functionality.
1.4 Authentication & Security Data
For email integrations, we store:
- OAuth access tokens (encrypted)
- OAuth refresh tokens (encrypted)
- Token scopes and expiry information
We never collect or store your email account passwords. Authentication is handled securely through OAuth 2.0 protocols.
1.5 Payment Information
We process subscription payments through Stripe. We do not store complete credit card numbers on our servers. Payment information is handled directly by Stripe in accordance with PCI-DSS compliance standards.
We may store:
- Last four digits of payment card (for display purposes)
- Billing address
- Transaction history
- Stripe customer ID
OneSuite users can connect their own payment processors (Stripe, PayPal, RazorPay, QuickPay) to accept payments from their clients. Each user is responsible for their own payment processor agreements and compliance.
1.6 Usage Data
We automatically collect certain information when you use our services:
- IP address
- Device information and operating system
- Browser type and version
- Pages visited and features used
- Time and date of visits
- Interaction patterns with our services
1.7 Communications
We retain records of your correspondence with us, including emails, live chats through our support system, and support tickets.
2. Information We Do NOT Collect
We do not collect or store:
- Email account passwords
- Email attachment file contents (only metadata)
- Complete credit card numbers
- Government-issued ID numbers
- Health or biometric data
- Sensitive personal attributes (race, religion, political views, sexual orientation, etc.)
3. How We Use Your Information
3.1 Service Delivery
- Providing and maintaining our services
- Email synchronization, management, and CRM integration
- Enabling email composition, replying, forwarding, and threading
- Displaying and organizing your email history within the CRM
- Account creation and management
- Billing and payment processing
- Customer support
3.2 Communication
- Sending service updates, notifications, and important announcements
- Responding to your inquiries and requests
- Providing technical support
3.3 Service Improvement
- Analyzing usage data to improve our services
- Enhancing user experience
- Developing new features
- System performance and reliability monitoring
3.4 Security & Compliance
- Protecting our services and users from fraud, abuse, and unauthorized access
- Detecting and preventing security threats
- Complying with legal obligations
- Responding to lawful requests from authorities
3.5 Marketing (Optional)
With your explicit consent, we may:
- Send you newsletters and promotional materials about our services
- Notify you about new features and updates
You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email or by contacting us directly.
4. How We Process Your Data
- Emails are fetched securely via official provider APIs (Microsoft Graph API for Outlook)
- Data is stored in encrypted databases hosted on AWS in the European Union (Ireland)
- Access is restricted to authorized personnel only on a need-to-know basis
- Attachments are retrieved on-demand only when you request them
- OAuth tokens are encrypted and rotated periodically
- Logs are sanitized to avoid unnecessary exposure of sensitive content
5. Information Sharing
5.1 Service Providers (Sub-processors)
We share limited data with trusted third-party service providers who help us operate OneSuite. These providers act strictly as data processors under our instructions and are contractually obligated to protect your data.
| Provider | Purpose | Data Processed |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | All application data |
| Amazon SES | Transactional emails | Email address, email content |
| Stripe | Payment processing | Billing info, payment details |
| Google Analytics | Website analytics | Usage data, IP address (anonymized) |
| Crisp | Customer support chat | Name, email, chat messages |
5.2 Legal Requirements
We may disclose your information to law enforcement agencies, regulatory authorities, courts, or other government entities when required to:
- Comply with legal obligations
- Respond to lawful requests (subpoenas, court orders)
- Protect our rights and interests
- Prevent fraud or illegal activity
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity or successor organization. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5.4 What We Never Share
We do not:
- Sell, rent, or trade your personal data to third parties
- Share your email content with third parties for marketing purposes
- Share OAuth tokens or authentication credentials
- Use your email data to train AI models or for advertising
- Share your data with business partners for joint promotions without your explicit consent
6. Third-Party API Compliance
6.1 Microsoft Graph API (Outlook Integration)
When you connect your Microsoft Outlook account to OneSuite, we access your email data through the Microsoft Graph API. We comply with Microsoft’s API Terms of Service and data protection requirements.
We only access the data necessary to provide email synchronization and CRM integration features, specifically:
- Reading your emails to sync them with your CRM
- Sending emails on your behalf when you compose messages in OneSuite
- Accessing your profile information to identify your connected account
You can revoke OneSuite’s access to your Microsoft account at any time through your Microsoft account settings or by disconnecting the integration within OneSuite.
6.2 Google API Services (Gmail Integration)
When Gmail integration becomes available, OneSuite’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You can review Google’s policy at: https://developers.google.com/terms/api-services-user-data-policy
We will only use Google user data to provide and improve user-facing features that are prominent in the requesting application’s user interface. We will not transfer this data to others except as necessary to provide and improve these features, comply with applicable laws, or as part of a merger, acquisition, or sale of assets.
7. Data Storage & Security
7.1 Data Location
Your data is stored on Amazon Web Services (AWS) servers located in the European Union (Ireland region, eu-west-1). This location provides compliance with EU data protection regulations.
7.2 Technical Security Measures
We implement industry-standard security practices to protect your information:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access control
- Secure secrets management for OAuth tokens
- Multi-factor authentication for system access
- Token rotation and revocation mechanisms
- Regular security assessments
- Data backup and recovery systems
7.3 Organizational Security Measures
- Access restricted to authorized personnel only on a need-to-know basis
- Security awareness training for staff
- Incident response procedures
- Audit logging and monitoring
Important: While we take strong measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
⚡️ See also: Report any vulnerabilities to OneSuite systems
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and track information about your use of our services.
| Cookie Type | Purpose | Description |
| --- | --- | --- |
| Essential | Authentication | Required to keep you logged in and maintain your session. Cannot be disabled. |
| Analytics | Usage tracking | Help us understand how you use our services (Google Analytics). Can be disabled via cookie settings. |
| Marketing | Advertising | Used to deliver relevant advertisements and measure campaign effectiveness. Can be disabled via cookie settings. |
You can control cookie preferences through your browser settings or our cookie consent banner. Note that disabling certain cookies may affect the functionality of our services.
9. Data Retention
We retain your data only as long as necessary to provide our services:
- Account data: Kept while your account remains active
- Email integration data: Kept while your email account is connected
- OAuth tokens: Stored only while integrations remain connected
- Payment records: Retained as required for accounting and legal compliance (typically 7 years)
Data Deletion
Your data is deleted when:
- You delete specific emails or data within the platform
- You disconnect your email provider
- You delete your account
When you delete your account, all associated data is permanently deleted immediately. We do not retain your data after account deletion, except where required by law.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right of Access: Request access to the personal information we hold about you
- Right to Rectification: Correct any inaccuracies in your personal information
- Right to Erasure: Request deletion of your personal information under certain circumstances
- Right to Restriction: Restrict the processing of your personal information in certain situations
- Right to Object: Object to the processing of your personal information for specific purposes
- Right to Withdraw Consent: Withdraw consent for processing your personal information, where applicable
- Right to Data Portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format
- Right to Complaint: Lodge a complaint with your local data protection authority
To exercise these rights, please contact us at privacy@onesuite.io. We will respond to your request within 30 days.
11. GDPR Compliance
For users in the European Economic Area (EEA) and United Kingdom, we comply with the General Data Protection Regulation (GDPR). Our data practices align with the following principles:
- Lawfulness, fairness, and transparency: We process data lawfully and transparently
- Purpose limitation: We collect data only for specified, explicit purposes
- Data minimization: We collect only the data necessary for our purposes
- Accuracy: We keep data accurate and up to date
- Storage limitation: We retain data only as long as necessary
- Integrity and confidentiality: We ensure appropriate security of personal data
Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract: Processing necessary to fulfill our contract with you (providing OneSuite services)
- Consent: Processing based on your explicit consent (marketing communications)
- Legitimate interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement)
- Legal obligation: Processing required to comply with applicable laws
12. International Data Transfers
Your data is primarily stored on AWS servers in the European Union (Ireland). However, some of our service providers may process data in other countries, including the United States.
When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- EU-US Data Privacy Framework certifications where applicable
13. Security Incident Handling
In the event of a data breach that affects your personal information:
- We will investigate promptly
- We will notify affected users within 72 hours in accordance with GDPR requirements
- We will take immediate steps to contain and remediate the breach
- We will implement measures to prevent recurrence
- We will cooperate with relevant data protection authorities
14. Children’s Privacy
OneSuite is designed for business use and is not intended for use by children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly. If you believe we have inadvertently collected information from a child, please contact us immediately.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- New features or services
- Legal or regulatory requirements
When we make material changes:
- The updated policy will be posted on our website
- The effective date will be revised
- We will notify you via email or prominent notice in the application
Continued use of our services after changes take effect constitutes acceptance of the updated policy. We encourage you to review this policy regularly.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us:
Company: Mailbluster LLC (doing business as OneSuite)
Email: security@onesuite.io
General Inquiries: contact@onesuite.io
Address: 2810 N Church St, Wilmington, Delaware, United States, 19802
Website: https://onesuite.io
Last Updated: January 16, 2026
© Mailbluster LLC. All rights reserved.
