Privacy policy.

Effective 8 May 2026 · NSW, Australia

Plain English version

We collect the minimum we need to run the service. We don't sell your data. We don't do creepy tracking. Detail below.

Who we are

The IT Dept Pty Ltd (ABN 12 665 405 505), Central Coast, NSW, Australia. Contact hello@emailrelay.au.

What we collect

Account information

Name, email address, and a password. Your password is hashed with bcrypt — we can never see it in plain text.

Domain + DKIM key material

Each domain you add gets a DKIM keypair. The private key is encrypted at rest with AES-GCM under a master key only the running server can read. Public DKIM TXT values are, by design, public DNS data.

Email metadata + content

When you send email through our API, we store the From/To/Cc/Subject headers, body (text + HTML), DKIM-signed wire bytes, attempt count, SMTP responses, and timestamps. This is necessary to provide delivery reports, debug failures, and serve the API. The same applies to received mail once inbound ships.

API keys

We store a SHA-256 hash of your API key, not the key itself. We also record the prefix and last-used timestamp so you can identify it in the portal.

Server logs

Our servers log IP addresses, request timestamps, and request paths for operations and security. Retained for a limited period and not shared with third parties.

What we don't collect

No analytics or tracking scripts on this website
No advertising cookies or third-party trackers
No payment card details (Stripe handles that — we never see card numbers)
No data purchases from third parties

How we use your data

To run the service — build, sign, and deliver your mail; show delivery reports; authenticate API requests
To communicate with you — service updates, security notices, account matters
To keep things secure — detect abuse, prevent fraud, protect the service and other customers

Who we share data with

Email content and recipient addresses pass through receiver mailbox providers in order to deliver. That's how SMTP works — there's no way around it.

For payments, Stripe processes card transactions on our behalf and is bound by their own privacy and PCI obligations.

Beyond that, we don't share personal data with anyone unless:

You ask us to
We're legally required to (court order, law enforcement request)
It's necessary to protect our rights or safety

Where your data lives

Our infrastructure is hosted in Australia. Customer data, email content, and DKIM private keys reside on Australian-located Postgres.

How long we keep data

Account data is kept while your account is active. Email metadata + raw bytes are retained for a reasonable period to provide delivery reports and support, after which they're pruned. Closing your account triggers deletion of your data within 30 days, except where law requires retention.

Your rights

Under Australian privacy law, you have the right to:

Access the personal information we hold about you
Request correction of inaccurate information
Ask us to delete your account and data
Complain to the Office of the Australian Information Commissioner (OAIC) if you think we've mishandled your data

Email hello@emailrelay.au to exercise any of these.

Changes to this policy

Updates will be posted here with a new effective date. Significant changes are notified by email.

Questions?

hello@emailrelay.au — happy to answer anything.