← Back to LetterCraft

Privacy Policy

Last updated: 2026‑05‑07

1. Who we are

LetterCraft is operated by Benjamin Zingsem, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE.Benjamin Zingsem acts as the data controller for personal data processed through the LetterCraft service. For privacy questions, please reach out via our contact form.

2. Data we collect

  • Account data: email address and authentication identifiers.
  • Newsletter content you create, source URLs, uploaded documents and images.
  • Recipient lists you import for sending features.
  • Usage data: generation counts, plan and billing identifiers.
  • Technical data: IP address and basic browser headers required to serve requests.
  • Billing data: name, email, billing address and tax identifiers you provide at checkout (collected and processed by Paddle on our behalf — see Section 4).

3. How we use it and legal basis

We use your data to provide the service: generate newsletters, store drafts, send emails on your behalf, enforce plan limits, and contact you about your account. We do not sell personal data and we do not use your newsletter content to train third‑party models.

For users in the EU/UK, we rely on the following legal bases under the GDPR/UK GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to create and operate your account, generate and store newsletters, send emails you schedule, and provide customer support.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent fraud and abuse, monitor usage to enforce plan limits, and improve the product.
  • Legal obligation (Art. 6(1)(c)) — to retain billing and tax records, and respond to lawful requests from authorities.
  • Consent (Art. 6(1)(a)) — where required, for optional communications. You can withdraw consent at any time.

4. Subprocessors and data sharing

LetterCraft relies on a small set of subprocessors to deliver the service. They process data only on our instructions and under contractual confidentiality and data‑protection obligations. Current categories of recipients include:

  • Paddle.com Market Ltd ("Paddle") — our Merchant of Record. Paddle processes all payments, subscription billing, taxes, invoicing and refunds, and receives the personal and billing data needed to do so. See Paddle's privacy policy.
  • Hosting and database providers — to run the application and store your content.
  • AI generation providers — to produce newsletter drafts from the inputs you submit.
  • Email delivery providers — to transmit emails you schedule.
  • Professional advisers (legal, accounting) and authorities where required by law.

Some of these providers may process data outside the EU/UK. Where that happens we rely on appropriate safeguards such as the EU Standard Contractual Clauses or equivalent transfer mechanisms.

5. Data retention

  • Account data — kept for the lifetime of your account and deleted within 30 days after account closure (unless we must retain it longer to comply with the law).
  • Newsletter content, drafts, sources and uploads — kept for the lifetime of the project; deleted within 30 days after you delete the project or close your account.
  • Recipient lists — kept until you delete the list or close your account.
  • Sending logs and webhook events — kept for up to 12 months for deliverability, debugging and abuse prevention.
  • Billing and tax records — kept for up to 10 years to satisfy statutory accounting and tax retention requirements.
  • Technical/security logs — kept for up to 90 days.

6. Your rights

Depending on your jurisdiction you may have the right to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent. EU/UK users also have the right to lodge a complaint with their supervisory authority. You can exercise any of these rights through our contact form. We aim to respond within one month.

7. Security

We apply appropriate technical and organisational measures including encryption in transit, access controls, least‑privilege administration and regular review of our subprocessors.

8. Cookies

We use only strictly necessary cookies for authentication and session management. We do not run third‑party advertising or cross‑site tracking cookies.

9. Email sending

When you use LetterCraft to send emails, you remain the data controller for your recipient lists. You are responsible for lawful basis, proper consent, accurate sender information and a working unsubscribe link.