Privacy Policy

Effective date: March 22, 2026

The short version

MailBreach scans your email provider's configuration settings only — things like forwarding rules and inbox filters. We never read or store the content of any email messages. Your data is protected by enterprise-grade infrastructure and strict tenant isolation.

1. Who We Are

MailBreach ("we," "us," or "our") operates a security monitoring platform that helps organizations detect unauthorized email forwarding rules and other email configuration risks across Microsoft 365 and Google Workspace environments.

This Privacy Policy describes what information we collect, how we use it, how we protect it, and your rights in relation to it. It applies to all users of the MailBreach platform.

If you have questions about this policy, contact us at [email protected].

2. Information We Collect

We collect information in two categories:

Account and organization information

  • Name and email address of the account holder and invited team members
  • Organization name and primary domain
  • Subscription plan and billing history (payment details are handled entirely by our third-party payment processor — we do not store card numbers or banking information)
  • IP addresses and browser information collected automatically when you use the platform

Email configuration metadata

When you connect a Microsoft 365 or Google Workspace environment, we read and store email configuration data including:

  • Mailbox forwarding rule configurations (destination addresses, domains, conditions)
  • Inbox rule settings (criteria, actions, priorities)
  • Email filter configurations and their associated actions
  • User account identifiers (email addresses) associated with the above configurations
  • Timestamps of when configurations were first and last observed

This metadata is the minimum necessary to detect potentially unauthorized email routing.

3. Information We Do Not Collect

We explicitly do not collect, access, or store:

  • The content of any email messages (body, subject line, attachments, or inline images)
  • Email headers beyond what is part of a forwarding or routing rule configuration
  • Personal communications of any kind
  • Information about email recipients or senders beyond what is part of a rule definition

Our systems are designed to read only the configuration layer of your email environment. Message content is never requested, transmitted, or retained.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service
  • Detect email configuration patterns that may indicate security risks
  • Generate findings reports and remediation recommendations for your organization
  • Send you transactional communications (security alerts, billing receipts, service notifications)
  • Process subscription payments
  • Enforce our Terms of Service and comply with legal obligations
  • Analyze aggregated, anonymized usage patterns to improve the platform (this analysis never identifies individual organizations)

We do not sell your data. We do not use your data for advertising purposes.

5. How We Store and Protect Your Information

All Customer Data is stored with enterprise-grade cloud infrastructure providers that maintain industry-standard security certifications and practices. These providers operate with strict data handling agreements and provide controls including encryption at rest and in transit, access logging, and high availability.

Authentication and identity data — including login credentials, session tokens, and organization membership — is managed by an enterprise-grade authentication infrastructure provider, keeping sensitive identity data separated from application data.

Our application-level security measures include:

  • All data transmitted between your browser, our servers, and cloud providers is encrypted using TLS
  • Strict tenant isolation: each organization's data is logically separated and can only be accessed by authenticated members of that organization
  • All administrative actions are recorded in a tamper-evident audit log
  • Access controls limit which personnel can access production systems

No security system is perfect. While we take these precautions seriously, we cannot guarantee that unauthorized access, disclosure, or loss will never occur.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your data with third parties for their own commercial purposes.

We may share your information only in the following limited circumstances:

  • With enterprise-grade infrastructure and service providers who process data on our behalf under strict data processing agreements (database infrastructure, authentication, payment processing, email delivery)
  • When required by law, court order, or valid legal process
  • To protect the rights, property, or safety of MailBreach, our customers, or the public
  • In connection with a merger, acquisition, or sale of assets, provided the successor entity agrees to honor this Privacy Policy

7. Data Retention

We retain your account and configuration data for as long as your subscription is active. If you cancel your subscription, we will retain your data for up to 90 days to allow for account reactivation or data export, after which it is permanently deleted.

Audit logs are retained for up to 12 months to support compliance and security investigations. Anonymized, aggregated statistics may be retained indefinitely.

You may request earlier deletion of your data by contacting [email protected]. We will process such requests within 30 days, subject to any legal retention obligations.

8. Your Rights

Depending on your location, you may have rights under applicable data protection law, including:

  • The right to access the personal information we hold about you
  • The right to correct inaccurate information
  • The right to request deletion of your information
  • The right to object to or restrict how we process your information
  • The right to receive your data in a portable format

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

Because MailBreach is a business-to-business service, most personal data we hold relates to organizational administrators and team members. If you are an employee whose email address appears in a finding (because a forwarding rule targets your address), contact your organization's MailBreach administrator first — they control what data their organization collects.

9. Cookies and Tracking

We use a minimal set of cookies and similar technologies necessary to operate the platform, including session cookies for authentication state and basic analytics to understand how the product is used. We do not use third-party advertising trackers.

You can disable cookies in your browser, but doing so may prevent you from logging in or using the Service.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the platform at least 14 days before the change takes effect, and we will update the effective date at the top of this page.

Your continued use of the Service after a change becomes effective constitutes your acceptance of the updated policy.

11. Contact

For privacy-related questions, requests, or concerns, please contact us at:

MailBreach

Email: [email protected]