The 60-second version
Submit a request via the form below or email hello@mailapp.app. We respond within 30 days (extendable by 60 days for complex cases). No charge. No discrimination. If you're an end-recipient of one of our customers, contact the customer first — we'll help connect you.
- One request, all rights. Use one form for access, correction, deletion, portability, restriction, or objection.
- Global default. We honour the strongest version of each right regardless of your residence.
- Free. First request per year is always free; manifestly excessive repeats may incur a reasonable fee.
- No discrimination. Exercising a privacy right does not affect price, service, or access.
Your rights at a glance
Every right we honour, with the legal name and a plain-English explanation.
How to submit a request
Four channels, all routed to the same place. Use whichever you prefer.
- Web form: /help/privacy-request — the fastest channel.
- Email: hello@mailapp.app with subject line "Data Rights Request".
Tell us which right you're exercising, the scope (e.g., specific service, specific time range), and how you'd like to receive the response (email, secure link, etc.). If you have a Mailapp account, sign in first — we can verify identity faster.
Identity verification
We don't act on a request from someone we can't reasonably link to the data. We try to do this with minimum data.
- If you have a Mailapp account, we use your authenticated session.
- If you don't, we ask you to provide enough information to match you to records (typically email address used, approximate dates, and one piece of corroborating context).
- For high-risk requests (full data export, deletion), we may ask for additional verification — never more than necessary.
- We do not request government IDs as a default.
Authorised agents
You can ask a lawyer or a privacy-rights tool to act on your behalf. We verify the authority.
You may authorise an agent (including a privacy-management service) to submit a request on your behalf. Provide written authorisation (a signed letter, or a privacy-rights protocol envelope from a supported service). We will verify both the agent's authority and your identity before acting. For requests under CCPA, written authorisation is required even if your agent is registered with the California Secretary of State.
Scope: when Mailapp is the Controller vs. the Processor
If we collected the data directly (you're a customer, prospect, or applicant), we're the Controller and answer your request. If the data belongs to one of our customers' end-recipient lists, our customer is the Controller — talk to them, and we'll help connect you.
Mailapp acts as Controller for the personal data of our account holders, billing contacts, website visitors, prospects, applicants, and support contacts. We will respond directly to rights requests for those categories.
Mailapp acts as Processor for personal data our Customers upload about their end-recipients (subscriber lists, behavioural events, form submissions). If you are an end-recipient and you want to exercise a right concerning data held by one of our Customers, please contact the Customer directly — they are the Controller and they must respond. If you cannot identify the Customer or cannot reach them, send us what you know at hello@mailapp.app and we will assist you and them.
How long it takes
Most requests are answered within 7 business days. Statutory ceilings apply if it takes longer.
Limits, exceptions, and what we cannot do
Some data we can't delete (because we have to keep it by law). Some access is limited (because it would reveal someone else's data).
- We cannot delete data we are legally required to retain (e.g., billing records for 7 years).
- We may redact references to other identifiable people in your access response.
- For security audit logs, we may decline deletion where it would impair our ability to detect and investigate abuse, but we will restrict use to those legitimate security purposes.
- If the request is manifestly unfounded or excessive — particularly because it's repetitive — we may charge a reasonable administrative fee or refuse, and we will explain why and how to escalate.
Regional specifics
Where local law adds extra requirements, we list them here.
- California (CCPA/CPRA): 45-day response, single 45-day extension, free of charge, no retaliation. Sensitive PI: we don't collect any for marketing.
- EU/EEA/UK (GDPR/UK GDPR): 30-day response, single 60-day extension, free of charge.
- Brazil (LGPD): response within 15 days where possible, full within 30 days. Contact hello@mailapp.app.
- Canada (PIPEDA / Law 25 — Quebec): response within 30 days; written explanation if we cannot fulfil.
- South Africa (POPIA): response in a reasonable time. Contact hello@mailapp.app.
- Australia (APP): response within a reasonable period (typically 30 days).
Appeals
If you don't agree with our decision, ask for an internal review. A senior privacy reviewer will look again.
If we deny a request, in part or in whole, you may appeal by replying to our response or by emailing hello@mailapp.app within 30 days. A senior member of the privacy team (not the original reviewer) will respond within 15 business days with the result of the appeal and the reasoning. For US states with a statutory appeal right (e.g., Colorado, Virginia, Connecticut), the response will include the contact for the state attorney general.
Lodging a complaint with an authority
If you're still not satisfied, you can go to your local regulator. We'd appreciate the chance to fix it first.
- EU: any EEA supervisory authority; our lead is the Irish DPC, dataprotection.ie.
- UK: the Information Commissioner's Office, ico.org.uk.
- California: the California Privacy Protection Agency, cppa.ca.gov.
- Brazil: the Autoridade Nacional de Proteção de Dados (ANPD).
- Canada: the Office of the Privacy Commissioner of Canada.
- South Africa: the Information Regulator.
- Australia: the Office of the Australian Information Commissioner.