Privacy Policy

Effective Date: January 3, 2026

plop.email ("Plop," "we," "us," or "our") is operated by Comonad Limited, a company registered in England and Wales (company number: 15713725), registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We respect your privacy and are committed to protecting the personal data we process when you use the plop.email service (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

1. Data Controller

Comonad Limited is the data controller responsible for your personal data. For any data protection queries, contact us at privacy@comonad.co.uk.

2. Data We Collect

When you use the Service, we may collect and process the following categories of information:

• Account information: Name, email address, organization details, authentication data, and billing metadata.
• Inbox content: Email messages, headers, metadata, and attachments that you route to Plop inboxes for storage and processing. This may include personal data of third parties if contained in test emails.
• Usage data: Log data about how you interact with the Service, including IP addresses, device and browser data, API request metadata, timestamps, and feature usage.
• Configuration data: Settings you provide such as mailbox names, tags, routing preferences, and webhook targets.
• Payment information: Billing address and payment method details (card details are processed directly by our payment processor and not stored by us).
• Support communications: Information you share when contacting support or collaborating with us.

3. How We Use Your Data

We use your data to:

• Provide, operate, and maintain the Service.
• Store, index, and deliver inbox content per your instructions.
• Process payments and manage subscriptions.
• Improve reliability, performance, and security.
• Communicate about product updates, support, billing, and service changes.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms.

4. Legal Bases for Processing

We process personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service you have subscribed to (account data, inbox content, configuration data).
• Legitimate interests: Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your rights.
• Legal obligation: Processing required to comply with applicable laws, such as financial record-keeping and responding to lawful requests.
• Consent: Where required, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.

5. Data Sharing & Sub-processors

We share data with trusted third-party service providers ("sub-processors") who help us operate the Service:

• Supabase Inc. (United States) — Database hosting and authentication
• Cloudflare Inc. (United States) — CDN, DNS, and email routing infrastructure
• Vercel Inc. (United States) — Application hosting
• Polar.sh (European Union) — Payment processing and subscription management
• Resend Inc. (United States) — Transactional email delivery
• OpenPanel (European Union) — Privacy-focused analytics

We may also share data with:

• Legal authorities: When required by law, court order, or to protect the rights, safety, and security of Plop and our users.
• Business transfers: If we undergo a merger, acquisition, or asset sale, your data may be transferred as part of that transaction.
• Professional advisors: Lawyers, accountants, and auditors as necessary for business operations.

We do not sell your personal data. We require all sub-processors to process data only on our instructions and maintain appropriate security measures.

6. International Transfers

Some of our sub-processors are located outside the UK and European Economic Area (EEA), primarily in the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU/UK Commission-approved clauses for transfers to countries without adequacy decisions.
• Adequacy decisions: Where the destination country has been deemed to provide adequate protection.
• Additional measures: Technical and organizational measures to protect data during transfer and processing.

You may request a copy of the safeguards we use by contacting us at the address below.

7. Data Retention

We retain data for as long as needed to provide the Service:

• Account data: Retained while your account is active and for up to 6 years thereafter for legal and accounting purposes.
• Inbox content: Retained according to your plan (Starter: 14 days, Pro: 90 days, Enterprise: as agreed). After the retention period, content is automatically deleted.
• Usage and log data: Retained for up to 90 days for security and debugging purposes.
• Payment records: Retained for 7 years to comply with UK tax and accounting requirements.

Backups containing your data may be retained for up to 30 additional days for disaster recovery purposes.

8. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data in certain circumstances ("right to be forgotten").
• Restriction: Request that we limit processing of your data in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at privacy@comonad.co.uk. We will respond within one month. We may need to verify your identity before processing your request.

Right to complain: If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

9. Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication requirements
• Regular security assessments and monitoring
• Employee training on data protection

No system is completely secure. You are responsible for maintaining the security of your account credentials and API keys. Please notify us immediately at security@comonad.co.uk if you suspect any unauthorized access.

10. Cookies

We use cookies and similar technologies to provide functionality and improve the Service. For details on the cookies we use and how to manage your preferences, please see our Cookie Policy.

11. Third-Party Personal Data

If you route emails to Plop that contain personal data of third parties (for example, in test emails), you are responsible for ensuring you have the appropriate legal basis to process and transfer that data to us. The Service is designed for test and development purposes; avoid routing production emails containing real user data unless you have appropriate data processing agreements in place.

12. Children's Privacy

The Service is not intended for individuals under 18, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new effective date and, where appropriate, by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.