← All legal documents

Privacy Policy

Last updated: June 8, 2026 Version: 1.0

This Privacy Policy explains how Kyuzo Corporation, a Nevada corporation doing business as Senders ("Senders," "we," "our," or "us") collects, uses, and discloses personal data in connection with the Senders platform, MCP server, customer portal, APIs, and related services (the "Service"), and with our websites.

The Service is a business-to-business tool. It is not directed to consumers or to anyone under 18.

1. Our two roles: controller and processor

We handle personal data in two distinct roles, and it matters which one applies:

As a controller, we determine how and why we process data about our own customers and website visitors, such as account, billing, support, and usage data, and the data of people who visit our sites.

As a processor on behalf of our customers, we process the data our customers send to and through the Service to run their outbound campaigns. This includes the business contact information of the recipients our customers choose to contact ("Prospect Data"), campaign content, sending and engagement events, and the contents of our customers' connected mailboxes. For this data, our customer is the controller: the customer decides who to contact and why, and is responsible for the lawful basis, for any required notices, and for honoring opt-out and objection requests. We process it only to provide the Service and under our customer's instructions, as described in our Data Processing Addendum.

If you are a recipient of a message sent through the Service and you want your data handled or removed, see Section 12, and note that the sender (our customer) is the controller of that data. You can also use our opt-out page described in Section 12 to stop being contacted through the Service.

2. Data we process

Account and billing data (we are controller). Name, business email, company name, hashed password, plan and subscription details, and invoice and payment records. Payment card details are handled by our payment processor and are not stored on our servers.

Usage data (we are controller). Pages and features used, timestamps, and similar product-usage information, used to operate and improve the Service.

Email infrastructure data. Sending domains, DNS records, authentication status (SPF, DKIM, DMARC), warmup statistics, blacklist status, and domain reputation and traffic statistics retrieved from Google Postmaster Tools when you connect it.

Connected mailbox data (we are processor). When you connect an email mailbox (for example, a Google or Microsoft mailbox), we access it through our connection provider so the Service can send messages and read replies on your behalf. This includes message content, recipient addresses, and reply content for the activity you run through the Service.

Prospect and campaign data (we are processor). The recipient business contact information you upload, import, or source, access, or surface through the Service; the campaign and sequence content you create; and the sending, delivery, open, click, reply, bounce, and unsubscribe events generated by your campaigns. For open and click tracking, we process the recipient's IP address and browser user-agent together with the open or click event.

AI feature inputs (we are processor). When you use the AI Sequence Builder or similar AI features, the inputs you submit, including campaign content and the context you provide, are transmitted to our AI provider to generate a result (see Section 5).

Website and cookie data (we are controller). When you visit our sites we process limited technical data through strictly necessary cookies and, where applicable, analytics. See our Cookie Notice for details.

3. Google API scopes

When you connect Google services, the Service may request the following OAuth scopes, and only these, for the purposes stated:

  • https://www.googleapis.com/auth/postmaster.readonly and https://www.googleapis.com/auth/postmaster.traffic.readonly — read-only access to your Google Postmaster Tools domain reputation and traffic statistics.
  • https://www.googleapis.com/auth/userinfo.email — to confirm the connected account's email address.
  • When you connect a Google mailbox for sending: https://www.googleapis.com/auth/gmail.send, https://www.googleapis.com/auth/gmail.readonly, and https://www.googleapis.com/auth/gmail.modify — to send messages and read and manage replies for the campaigns you run through the Service.

We do not request calendar access against your Google account.

Tokens are stored encrypted and used solely to provide the features you enable. You can revoke access at any time from your Google Account security settings or from within the portal. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. How we use data

We use personal data to: operate, provide, and secure the Service; connect and send from your mailboxes; run and report on your campaigns; verify email addresses and check domains; provide warmup and deliverability features; generate AI content you request; process billing; send service messages, reports, and alerts; provide support; improve the Service using aggregated or de-identified data; and comply with law.

We do not use Prospect Data or connected mailbox content to build, train, enrich, or improve any cross-customer dataset, and we do not pool one customer's data for another customer's benefit.

5. AI providers

Some features send data to third-party AI providers:

  • OpenAI — powers the customer-facing AI Sequence Builder and certain internal processing features. When you use the AI Sequence Builder, the campaign content and context you submit are sent to OpenAI's API to return a generated sequence.
  • Anthropic — used only in internal administrative tools (for example, processing internal feedback). Customer campaign data and Prospect Data are not routed to Anthropic in the ordinary operation of the Service.

These providers process data through their APIs to return results to us and, under their API terms, do not use data submitted through their APIs to train their models by default. You are responsible for the content you submit to AI features and for reviewing AI output before use.

6. Sub-processors

We use third-party sub-processors to provide the Service. The current list, with each sub-processor's role and processing location, is maintained in our Data Processing Addendum and includes, by category:

  • Sending and mailbox connection: SendGrid (outbound delivery), our mailbox connection provider (Unipile; Nylas during migration), and Postmark (system and billing email).
  • Prospect data and verification: Apollo (business contact data) and MillionVerifier (email verification).
  • Deliverability and warmup: MailReach.
  • AI: OpenAI and Anthropic (as described in Section 5).
  • Monitoring: Sentry (application error monitoring).
  • Payments: Stripe.
  • Operations and support: providers used to run our business and communicate with customers, which process account and relationship data but not the recipient send pipeline.

We require sub-processors to protect personal data consistent with this Policy and the DPA.

7. Tracking in emails and on our sites

Emails you send through the Service may include open-tracking pixels and click-tracking links, which record open and click events along with the recipient's IP address and user-agent. This processing is performed on behalf of, and under the instructions of, our customer as controller. On our own websites we use strictly necessary cookies and, where applicable, analytics, as described in our Cookie Notice.

8. How we share data

We share personal data only: with sub-processors as described above; with our customer (for data we process on their behalf); when required by law or legal process, or to protect rights, safety, or the integrity of the Service; and in connection with a merger, acquisition, or sale of assets, subject to this Policy. We do not sell personal data, and we do not share it for cross-context behavioral advertising.

9. International transfers

We and our sub-processors process data in the European Union and the United States. Our primary application hosting, database, and backups are located in the European Union; certain sub-processors are located in the United States. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK Addendum, as set out in the DPA.

10. Data retention

We retain personal data as follows:

  • Account and billing data: for the life of your contract plus 12 months, except that billing and invoice records are retained for 7 years to meet tax and audit obligations.
  • Deliverability and monitoring history: 90 days.
  • Prospect, campaign, and reply data: deleted within 90 days after your account is closed.
  • AI Sequence Builder history: 12 months.
  • Suppression and opt-out records: retained indefinitely, because honoring an opt-out requires keeping a permanent record of it.

These periods are enforced in the Service. We may retain limited data longer where required by law or to resolve disputes.

11. Security

We protect personal data with administrative, technical, and organizational measures, including TLS in transit, application-level AES-256 encryption of stored access tokens and sensitive credentials, password hashing, daily automated backups, and access controls limiting production access to authorized personnel. No system is perfectly secure, and we cannot guarantee absolute security.

12. Your rights and choices

Depending on where you are, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, to object to processing, and to withdraw consent. U.S. state-law rights may include the right to know, delete, correct, and opt out of sale or sharing, and the right not to be discriminated against for exercising those rights.

If you are a Senders customer or website visitor, you can exercise these rights by emailing [email protected]. We will verify and respond as required by applicable law.

If you are a recipient of a message sent through the Service, the sender (our customer) is the controller of your data, and we will refer your request to them or act on their instructions. You can stop being contacted through the Service at any time using our public opt-out page at /opt-out, which suppresses your address across sending through the Service. This page also serves as our "Do Not Sell or Share My Personal Information" mechanism and as a means to object to processing.

You may also have the right to lodge a complaint with your data protection authority.

13. Children

The Service is for business use and is not intended for anyone under 18. We do not knowingly process the personal data of minors.

14. Changes to this Policy

We may update this Policy by posting a revised version and updating the "Last updated" date. Material changes will be communicated as required by law.

15. Contact

Kyuzo Corporation d/b/a Senders Privacy and data requests: [email protected] General: [email protected]