Privacy Policy
Effective date: March 22, 2026
Operated by Junghard Software AB (org. nr. 559217-6753), Jans väg 5, Göteborg, Sweden.
Overview
Molted Mail ("we", "us", "our") is a managed mailbox service for AI agents, operated by Junghard Software AB (org. nr. 559217-6753) at molted.email. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have over it.
We built Molted Mail for developers. This privacy policy is written the same way — clearly, with specifics, and without unnecessary legalese.
What We Collect
Account data
When you sign up, we collect your email address and password. Your password is salted and hashed — we never store it in plaintext. On signup we also generate a tenant identifier, a default mailbox, and API credentials tied to your account.
Email sending data
When your agent sends email through our API, we process:
- Sender and recipient addresses
- Subject lines and message body content
- Headers and attachments included in the request
We retain email metadata (sender, recipient, subject, timestamps, delivery status, provider used) for analytics and debugging. Message body content is not stored after successful delivery unless you explicitly enable the content storage feature on your mailbox.
Delivery events
We track delivery lifecycle events — sent, delivered, opened, clicked, bounced, and complained — as reported by our underlying email providers. These events power your analytics dashboard and feed into policy enforcement (e.g., automatic suppression after bounces or complaints).
Business outcome data
If you use outcome attribution, we store the outcome events you report (e.g., "user signed up", "meeting booked") linked to the originating email. This data is yours and is used solely to power your outcome analytics.
API usage data
We log API requests including endpoint, timestamp, response status, and latency. We use this for rate limiting, billing, abuse prevention, and service reliability.
Billing data
Payment processing is handled by our payment processor. We store your subscription plan and usage counts. We do not store credit card numbers or full payment details on our servers.
Cookies and Analytics
We use session cookies for authentication in the portal dashboard. These are strictly necessary — without them, you cannot stay logged in. They are HTTP-only and scoped to our domain.
For website analytics, we use Plausible Analytics, which is cookie-free and does not track individual users. No personal data is sent to Plausible. We do not use Google Analytics, Facebook pixels, or any advertising trackers.
How We Use Your Data
- Service delivery — routing your emails through the best available provider, enforcing sending policies, managing suppression lists
- Authentication and authorization — verifying your identity via sessions (dashboard) and Bearer tokens (API)
- Policy enforcement — rate limiting, consent validation, jurisdiction checks, and abuse prevention
- Analytics — showing you deliverability metrics, outcome attribution, and usage dashboards
- Billing — tracking usage against your plan limits and processing subscription payments
- Service communications — sending you transactional emails about your account, and responding to support requests
- Reliability and debugging — monitoring service health, investigating delivery failures, and improving the platform
AI Processing
Molted Mail offers AI-powered features including email humanization and intent classification. When these features are enabled on a mailbox, we send email content to third-party AI providers for processing:
- Anthropic (Claude) — for humanization and classification
- OpenAI — as a fallback provider for the same features
Important details about AI processing:
- Content sent to AI providers is processed in real time and is not used to train their models. We use API access with data processing agreements that prohibit training on customer data.
- AI features are opt-in per mailbox. If you do not enable humanization or classification, no email content is sent to AI providers.
- You can disable AI processing at any time by turning off humanization in your mailbox settings.
Third-Party Services
We share data only with the service providers required to operate Molted Mail. Here is exactly who and why:
- Resend, Postmark, Amazon SES — email delivery providers. They receive sender address, recipient address, subject, headers, and message body to deliver your emails. Each provider has its own privacy policy and DPA.
- Anthropic, OpenAI — AI processing providers (only when AI features are enabled). They receive email content for real-time processing. See the AI Processing section above.
- Payment processor — handles subscription billing and payment method storage.
- Infrastructure providers — hosting, database, and CDN services that run the platform.
- Plausible Analytics — cookie-free, privacy-first website analytics. No personal data is shared.
We do not sell your data. We do not share data with advertisers. We do not monetize your data in any way beyond providing the service you pay for.
Data Retention
- Account data — retained while your account is active and for 30 days after deletion to allow recovery
- Email metadata (sender, recipient, timestamps, delivery status) — retained for 90 days
- Email body content — not retained after delivery unless content storage is enabled on the mailbox
- Delivery events — retained for 90 days
- Outcome data — retained for 90 days
- API logs — retained for 30 days
- Billing records — retained as required by tax and financial regulations
Security
We take security seriously. Here is what we do:
- All data in transit is encrypted via TLS
- Passwords are salted and hashed using modern algorithms
- API keys are hashed at rest — we cannot read them after creation
- Data access is tenant-isolated — your data is logically separated from other customers at the database level
- Sessions use HTTP-only, secure cookies with short expiration windows
For more on how we handle AI-specific security concerns, see our Security Knowledge Base.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access — request a copy of all personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Portability — request your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
Our legal bases for processing are: performance of our contract with you (service delivery, billing), legitimate interest (security, abuse prevention, service improvement), and consent (AI processing features, marketing communications where applicable).
To exercise any of these rights, email privacy@molted.email. We will respond within 30 days.
Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act gives you the following rights:
- Right to know — request what personal information we collect, use, and disclose
- Right to delete — request deletion of your personal information
- Right to opt out of sale — we do not sell your personal information, so there is nothing to opt out of
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
To exercise these rights, email privacy@molted.email. We will verify your identity and respond within 45 days as required by law.
International Data Transfers
Molted Mail is operated by Junghard Software AB from Sweden. Our infrastructure and third-party email delivery providers may process data in various regions, including the United States, depending on their infrastructure. We ensure appropriate safeguards are in place for international transfers through standard contractual clauses and data processing agreements with our providers, in accordance with GDPR requirements.
Children
Molted Mail is a developer tool, not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to This Policy
We may update this policy as our service evolves. For material changes, we will notify you via email or a notice in the dashboard at least 30 days before the changes take effect. The "effective date" at the top of this page always reflects the latest version.
Contact
Data controller: Junghard Software AB (org. nr. 559217-6753), Jans väg 5, Göteborg, Sweden.
For privacy-related questions or to exercise your data rights:
- Email: privacy@molted.email
- General inquiries: hello@molted.email