EmailAlias is a product of LLMView IT Services ("we," "us," or "our"), operated at emailalias.io. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email alias and forwarding service. By using EmailAlias, you consent to the data practices described in this policy.

1. Information We Collect
   We collect information that you provide directly and information generated through your use of the service:
   Account information: Your email address when you create an account. We use passwordless authentication (magic links) — no passwords are stored.
   Usage data: Information about how you interact with the service, including alias creation, forwarding activity, domain verification, and feature usage.
   Email metadata: Sender addresses, recipient addresses, timestamps, and subject lines associated with emails processed through your aliases. We do not collect or store the content (body) of your emails.
   IP addresses: We store the IP address you signed up from, the IP address of your most recent login, and the IP address of your most recent paid checkout. These are used for fraud prevention, abuse investigation, and account security. We keep only the latest value for each — no IP history is retained. Server access logs may also record IPs transiently for rate limiting and incident response.
   Device and browser data: Browser type, operating system, and referring URLs for security and analytics purposes.
   Payment information: If you subscribe to a paid plan, payment details are collected and processed by Stripe, our third-party payment processor. We store only the last 4 digits and brand of your card for display purposes. We never store your full card number.
   API keys: If you generate API keys, we store a cryptographic hash of the key. The raw key is shown only once at creation and cannot be retrieved.
   Browser extension data: When you use the EmailAlias browser extension, the extension stores locally in your browser: your authentication credentials (API key or JWT tokens), a cache of your alias list, and a hostname-to-alias map (capped at 500 entries) so revisiting a site offers the existing alias instead of creating a duplicate. This data never leaves your browser except in authenticated requests to our API. Signing out of the extension clears all of it.
2. How We Use Your Information
   To provide, operate, and maintain the EmailAlias service, including alias generation, email forwarding, and spam filtering.
   To forward emails from your aliases to your designated inbox securely and reliably.
   To detect and alert you to potential data exposures or breaches involving your aliases (Exposure Intelligence).
   To filter spam, malware, and malicious content before forwarding emails to your inbox using SpamAssassin and our content filtering engine.
   To remove tracking pixels, UTM parameters, and other tracking mechanisms from forwarded emails to protect your privacy.
   To process payments and manage your subscription via Stripe.
   To communicate with you about service updates, trial expiration reminders, security alerts, and support requests.
   To prevent fraud, abuse, and unauthorized access through rate limiting, bounce tracking, and suspicious behavior detection.
3. Zero-Knowledge Architecture
   EmailAlias operates on a zero-knowledge privacy model:

We never read, analyze, or store the content (body or attachments) of emails forwarded through our service.
Emails are processed in real-time through encrypted channels and are not stored after successful delivery.
We retain only email metadata (sender, recipient, timestamp, subject line, delivery status) for your analytics dashboard and troubleshooting.
Tracking pixels and UTM parameters are stripped from forwarded emails before delivery to prevent third parties from tracking you.
4. Data Storage and Security
Your data is stored in encrypted MySQL databases hosted on secure infrastructure. We employ industry-standard security measures, including:

AES-256 encryption at rest and TLS 1.3 encryption in transit.
SPF, DKIM, and DMARC authentication on all domains.
Custom MAIL FROM domains to prevent spoofing.
API keys hashed using SHA-256 before storage.
Rate limiting and abuse detection on all endpoints.
SpamAssassin inbound filtering before email forwarding.
Bounce blacklisting and complaint auto-blocking.
Emergency kill switch for immediate outbound email suspension.
5. Third-Party Services
Amazon Web Services (AWS SES): For sending and receiving emails. Subject to AWS Privacy Policy.
Stripe: For processing subscription payments. Subject to Stripe Privacy Policy.
Redis: For caching, rate limiting, and real-time abuse detection. Data stored in Redis is ephemeral and automatically expires.
We do not sell, rent, or share your personal information with third parties for their marketing purposes.

1. Data Retention
   Account data: Retained for as long as your account is active. When you delete your account, all personal data including aliases, domains, email logs, API keys, and subscription data is permanently deleted immediately via cascading deletion.
   Email metadata logs: Retained for 90 days and then automatically deleted by our cleanup system.
   IP addresses: Only the latest signup, last-login, and last-purchase IP are stored on the account record. Each new login or checkout overwrites the previous value — we do not keep an IP history. All IP fields are deleted when the account is deleted.
   Bounce blacklist: Bounced recipient addresses are retained indefinitely to prevent future delivery failures and protect sender reputation.
   Rate limiting data: Stored in Redis with automatic expiration (24 hours for daily counters, 2 minutes for per-minute counters).
2. Your Rights
   Depending on your jurisdiction (including GDPR and CCPA), you have the following rights:

Access: Request a copy of the personal data we hold about you.
Deletion: Delete your account and all associated data from Settings → Delete Account.
Portability: Export your alias and account data in a machine-readable format.
Correction: Update your email address from Settings.
Opt-out: Disable any alias to stop receiving forwarded emails. Unsubscribe from service communications via the link in every email.
To exercise any of these rights, contact us at privacy@emailalias.io.

1. Cookies
   EmailAlias uses minimal cookies and browser storage:

Authentication tokens stored in localStorage to keep you signed in.
No tracking cookies, third-party advertising cookies, or analytics cookies are used.
No data is shared with advertising networks or data brokers.
9. Children's Privacy
EmailAlias is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

1. International Data Transfers
   Your data may be processed and stored on servers located in the United States (AWS us-west-2 region). By using our service, you consent to the transfer of your data to the United States. We ensure appropriate safeguards are in place for international data transfers.
2. Changes to This Policy
   We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the effective date at the top of this page and by sending an email notification. We encourage you to review this policy periodically.
3. Contact Us
   If you have any questions about this Privacy Policy, please contact us:

Privacy inquiries: privacy@emailalias.io
General support: support@emailalias.io
Website: emailalias.io