PRIVACY POLICY
issued by TOPOL.io s.r.o., ID No.: 10956123, with its registered seat at Na příkopě 388/1, Staré Město, 110 00 Prague, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague, file No. C 241239 (hereinafter referred to as “us” or “Controller” or “Lettr”).
We take the protection of your personal data very seriously. This Privacy Policy explains the purposes, legal bases, and ways in which we process your Personal Data. It also sets out your privacy rights and how you can exercise them.
If you have any questions about how we process your Personal Data, please contact us by email at hello@lettr.com.
Some Personal Data is necessary for us to perform the purchase agreement; some we process based on our legitimate interests. In other cases, the law requires us to process your data (for example, for accounting). We may engage processors who can access your Personal Data on our behalf. Where required, we will ask for your consent before processing your Personal Data.
To make this Privacy Policy easier to read, we use the following defined terms:
| Agreement | means the contract between you and Lettr that governs your purchase and use of our products and services (including our Terms of Use), and sets out our and your respective rights and obligations; |
|---|---|
| CCPA | means the California Consumer Privacy Act of 2018; |
| Customer | an individual who enters into an Agreement with Lettr (or acts on behalf of a business customer), creates a user account, purchases subscriptions/credits, accesses the Platform, manages Team(s), uses the API, or otherwise uses our paid or free Services; |
| Data Subject | any natural person whose Personal Data we process; |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; |
| Job Applicant | an individual who applies for a position with Lettr, participates in our recruitment process, or otherwise provides Personal Data in connection with potential employment or contracting; |
| Personal Data | means any information relating to an identified or identifiable natural person; |
| Platform | means the online interfaces (dashboard) operated by Lettr through which you create and manage your account, Teams, API keys, and templates, and access the Services; |
| Processing | means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| Processor | any natural or legal person that processes Personal Data on Lettr’s behalf and under our documented instructions, based on a data processing agreement; |
| Service | means the products and services provided by Lettr under the name "Lettr", specifically the transactional email infrastructure, API, SMTP services, email editor, AI features, support, and data services; |
| Special Categories of Personal Data | means data that are more sensitive by nature and warrant enhanced protection, for example, information revealing your racial or ethnic origin, sexual orientation, trade union membership, health data, or religious or philosophical beliefs. It also includes genetic and biometric data when processed for the purpose of uniquely identifying a natural person. We do not process this Special Category of Personal Data; |
| Team | an organizational unit within the Platform that groups Users, settings, billing, and data (such as templates, API keys, and domains); |
| User | a natural person to whom Personal Data relate; most often this involves Website Visitors, Customers, users using the Platform within Teams, or Job Applicants, also referred to as “you”; |
| Website Visitor | any individual who visits, browses, or interacts with our websites, forums or publicly available pages. |
- HOW WE APPROACH THE PROCESSING OF PERSONAL DATA
Your privacy is a priority. We only request the Personal Data that are necessary to provide the Services, and we process them in line with GDPR standards.
If you entrust us with your data, we will handle it in accordance with the applicable data protection laws that apply to you. Our Processing of Personal Data may adapt to specific legal requirements in the countries of processing; however, the GDPR is our minimum standard in all cases. Your rights in relation to Personal Data are described below.
- OUR ROLE IN RELATION TO PERSONAL DATA
Depending on the context, Lettr may act as a Controller or a Processor.
When does this Privacy Policy apply? These Privacy Policy terms apply when Lettr acts as a Controller, unless we explicitly state otherwise. They cover the Processing of Personal Data of Users. They do not govern situations where we process Personal Data as a Processor on someone else’s instructions.
- Lettr as Controller
We act as a Controller in relation to Personal Data that we collect and decide how to use, in particular:
Customers using the Service, support, and data services (e.g., account data, billing contact, usage logs necessary for security and troubleshooting).
Website Visitors to our public websites and pages (e.g., analytics, cookies - subject to consent where required).
Job Applicants participating in our recruitment.
A list of categories of data, purposes and legal bases is provided below in this Policy.
Our Processors. To deliver our Services efficiently, we engage Processors (e.g., cloud hosting, email delivery, analytics, support tools). We have data processing agreements in place and require appropriate security and confidentiality. Our current processors are listed in Section 5.
- Lettr as Processor
In the context of the Service (transactional emails), we act as a Processor for the data you send through us.
Your Role: You are the Controller. You determine the purpose (e.g., password reset, order confirmation) and the means (via API/SMTP) of processing data of your end-users (recipients).
Our Role: We process this data (recipient email addresses, email bodies, metadata) solely on your behalf to deliver the email and track events (opens, clicks, bounces), in accordance with your instructions and our Data Processing Agreement (DPA).
Where we act as a Processor, we may engage Subprocessors in accordance with the applicable DPA. Access to Personal Data is limited and governed by contractual and technical safeguards.
- WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?
How do we process Personal Data? We process your Personal Data only to the extent necessary to achieve the purpose for which the data was collected, and we observe technical and organizational security rules during processing. The processing of Personal Data is automated, but we do not conduct profiling.
| → First and last name or nickname → Contact details (specifically email address, phone number) and other information voluntarily provided within the user interface | → User account name and login, including behavior within the account (specifically data entered by the User, registration time, and date of the last profile update) |
|---|---|
| → Billing information and bank details (data necessary for accounting purposes and payment processing) | → Information contained in inquiries sent by a Customer or other persons |
| → Comments added by you to our social media posts (specifically Facebook, LinkedIn), as well as your profile name (handle) and any publicly available information on your profiles | → Information disclosed during communication with us (specifically your questions, our responses, and general correspondence) |
| → Cookies and IP address, activity data (including information about your device or operating system) | → Operational data, primarily indicating Platform error states (time and address of the error incident) |
Special Categories of Personal Data. We do not process any Personal Data of a sensitive nature about you.
Processing of Personal Data by AI. In the context of processing Personal Data, we also use artificial intelligence (AI) in justified cases. However, we do not use it for automated decision-making or profiling within the meaning of the GDPR (in particular Article 22). All processing of Personal Data is subject to human decision-making; AI itself does not make any decisions about you. We use artificial intelligence primarily for the provision of HR Services, especially for research and optimization, and we also use it for our internal HR.
- SUMMARY OF REASONS AND PURPOSES FOR PROCESSING YOUR PERSONAL DATA
We understand that it can sometimes be difficult for you to navigate through the amount of text explaining how and why we process your Personal Data. To provide you with basic information about the processing of your Personal Data quickly and clearly, we have summarized everything in this clear table:
| Why? | What Personal Data? | Which Users? | How long? |
|---|---|---|---|
| Website Visit. Ensuring basic functions of our website, analytics, improving our Services and our promotion. Preferences can be set in the cookie bar. | Pseudonymized identifiers of registered Users, IP address. | Website Visitors | The processing duration varies according to individual cookie types. Some process data only for the duration of the session (visit), others for a longer period. |
| Sending an Inquiry and Communication. We process Personal Data based on consent to handle the inquiry, or we have a legitimate interest, or we are fulfilling a legal obligation. | Name, surname, e-mail, other Personal Data you communicate to us. | Users who contact us via the form on our website, or contact us directly via e-mail listed on the website. | Closed inquiries are regularly deleted, but no later than 3 years after your inquiry. |
| Sending Commercial Communications (direct marketing). If you are our Customer (we have a legitimate interest) or have subscribed (consent granted), we will send you a newsletter. | Name, surname and e-mail address. | Users who have subscribed to our newsletter and/or our Customers. | Data is processed for 2 years from the last active viewing of the newsletter, unless you unsubscribe sooner. |
| Service Notifications & Contractual Communication. To inform you about important updates related to the performance of the Agreement, such as new features, planned downtime, pricing changes, or updates to our Terms. We process your Personal Data on the legal basis of performance of the Agreement. | Name, surname and e-mail address. | Customers and Users with an active account. | For the duration of the contractual relationship and thereafter for a period of 4 years from the end of the Agreement. |
| User Account & Team Management. To create accounts, manage Teams, roles (Admin/Member), and authenticate Users (SSO). We process your Personal Data on the legal basis of performance of the Agreement. | Email, password, name, SSO tokens, company details, country, timezone, role within Team. | Users who sign up or are invited to a Team. | For the duration of the account's existence and subsequently for 4 years after the end of the Agreement. |
| Provision of Service. To provide you with Service, operate the Platform, manage domains, and store templates, we process your Personal Data on the legal basis of performance of the Agreement. | User identifiers, API keys, domain reputation data, service logs (API requests). | Customers and Users using the Services. | Data is processed for the duration of the Agreement and subsequently for 4 years after the end of the Agreement. Technical logs (e.g., API access logs) are retained for a shorter period (3 months) for security and debugging. |
| Security & Domain Blocking. To prevent spam, fraud, and ensure Platform integrity. We process your Personal Data based on our legitimate interest. | Domain verification data, website content checks, sending history, IP addresses, and sample content of sent emails. | Customers and Users sending emails. | For the duration of the Agreement and as needed to protect our rights (e.g. in case of blocking). |
| Comments on Social Networks. You can also write to us on our social networks. We process your Personal Data based on consent. | Name, surname, username, Personal Data published by you. | Users who publish a post on our social network profile. | We leave your comments on the post for as long as it is published on our profile. |
| Recruitment. You can find current vacancies on our website. | Data you provide to us in the submitted CV. Name and surname, address, date of birth, phone number, e-mail address, potentially a link to a social network, data on former employment, education, interests, skills, certifications. | Job Applicants who apply for a position with Lettr or send us their CV. | Based on legitimate interest, we may keep Personal Data of Job Applicants for 4 years. The reason is the possibility that we may have an interesting job offer for you later. |
| Accounting. We keep accounts for the purpose of fulfilling legal obligations. | Personal Data on the invoice – name, surname, e-mail address, billing address, or other identification of the Customer and performance under the Agreement. | Customers who purchase Services. | We have a legal obligation to archive or keep the relevant document; the period depends on what the law requires (specifically 3 to 10 years for accounting and tax documents). |
| Compliance with Legal Obligations. In certain cases, we must process your Personal Data to fulfill obligations established by law. | Specifically, this may involve name, surname, e-mail address, billing details, or other identification of the Data Subject. | Users whose Personal Data we are obliged to process based on relevant legal regulations. | We process your Personal Data for the period established by relevant legal regulations. |
- WHO ARE OUR PROCESSORS?
Processors. We use only verified Processors with whom we have concluded a written agreement, and who provide us with at least the same guarantees as we provide to you. The data that Processors may process, including the purpose and legal title for processing, have been listed above.
| Website Operation, Docs | Wordpress, Google, Mintlify |
|---|---|
| Payments & Order Processing | ABRA Software, Stripe, Freelo Bay |
| Customer Support & Communication | HubSpot, Intercom, Google |
| Provision of Services & Infrastructure | AWS, AWS Lambda, Cloudflare, SparkPost, OpenAI, TOPOL.io, GitHub, Linear, Bugsnag, Anthropic, Zaptime |
| Accounting | Countin, ABRA Software |
| Analytics & Performance | Google Analytics, PostHog |
| Social Networks & Content | LinkedIn, Reddit Pixel, Instagram, X |
| Recruitment | jobs.cz, Startupjobs, LinkedIn |
Legal Obligations. In addition to the Processors listed above, we may transfer Personal Data to third parties if required by law or in response to lawful requests by public authorities or upon court request in legal disputes.
Processing outside the EEA. If data is transferred from the EEA to other countries, we ensure a high standard of Personal Data protection through standard contractual clauses approved by the European Commission, or equivalent standard contractual clauses for the United Kingdom, for transfers to countries that are not subject to an adequacy decision by the European Commission or your local legislator.
- WHAT MEASURES HAVE WE TAKEN TO PROTECT YOUR PERSONAL DATA?
Our Users can influence the scope of processing within the provision of Services through their own settings on the Platform in their User account.
Technical measures. Security is very important to us, and therefore we continuously work to ensure your Personal Data is protected. When choosing measures, we take into account the scope of processing, the risk of processing, or the state of our technology.
we regularly back up data;
we update our antivirus software systems;
we encrypt data using SSL/TLS (“secure sockets layer / transport layer security”) for all data transmissions;
we use the secure HTTPS protocol;
our server data is encrypted;
we develop our technology with privacy by design in mind;
access passwords to information systems (where Personal Data will be processed) and access permissions are controlled at the individual level.
Organizational measures. We have adopted and are committed to the following measures:
our employees and our service providers are bound by confidentiality;
our employees are properly trained and also receive further regular training on GDPR and are familiar with the rules of safe working on work equipment;
in case of API key retention, we remove authorization data;
access to all systems including the IT system is personalized and covered by secure passwords;
Passwords in the operational environment are stored in a separate location (safe store) where logs are kept, so that we can control employee access to individual Users' Personal Data.
- YOUR RIGHTS AND POSSIBILITY TO SUBMIT A REQUEST REGARDING PERSONAL DATA PROTECTION
You can exercise your rights by e-mail at hello@lettr.com.
How quickly will we handle your request? We will answer you no later than within one month. If providing information would jeopardize the privacy of other persons, or if providing it would be disproportionate to the risks or costs of providing it, it is possible that we will not be able to comply with your request. To handle your request as soon as possible, we may need to verify your identity. In the case of a repeated request, the Controller will be entitled to charge a reasonable fee for a copy of Personal Data.
| Right of access | You have the right to information about the purposes of processing, categories of Personal Data, recipients to whom they are disclosed, and the processing period. You have the right to know if any right has already been exercised. A prerequisite is also that the rights and freedoms of other persons will not be adversely affected. |
|---|---|
| Right to rectification | You have the right to request the correction of inaccurate Personal Data. You can correct some data in your user profile. |
| Right to erasure | If there is no other reason to continue processing this data, we will delete or anonymize the data requested by you. |
| Right to restriction of processing | Please contact us if you believe we are processing data incorrectly, whether it concerns the reasons for processing or its scope. |
| Right to notification of rectification, erasure, or restriction | In the event that you contact us with a request, we will inform you of the result. Sometimes it may happen that we cannot comply. |
| Right to portability | Upon your request, we will provide the Personal Data that you provided to us, in a structured and machine-readable format, to another controller. |
| Right to object | For direct marketing, we will stop processing immediately. For other interests, in the event that your objection is justified, we will stop processing the Personal Data and take further necessary steps. |
| Right to withdraw consent | If you have changed your mind, please let us know. Processing concerning marketing and business purposes can be revoked at any time. |
| Automated individual decision-making including profiling | Do you not want a computer to decide about you? We respect your right, therefore we do not conduct profiling. We provide Services, and thus your Personal Data may be processed automatically. |
- INTERNATIONAL PROVISION OF SERVICES
If we use Processors who are based abroad, we ensure that we comply with the requirements of the relevant legislation. In particular, where there are transfers of data from the EEA to other countries, we ensure a high standard of protection for Personal Data through standard contractual clauses approved by the European Commission, or the equivalent standard contractual clause for the United Kingdom (UK General Data Protection Regulation (UK GDPR)), for transfers to countries that are not subject to an adequacy decision by the European Commission or your local legislator.
We follow the standards of the GDPR and the protection of Personal Data is very important to us. We also provide our Services outside of the EEA market, so your rights related to the protection of Personal Data depend on the applicable legislation that applies to you.
CALIFORNIA CONSUMER PRIVACY ACT
If you are a California resident or resident of other states of the United States of America, you are subject to the CCPA legislation and have the right to know how we process your data.
What data do we process? In order to provide our Service to you, we need your data. What personal data this is and for what purpose we process it is set out above. We may retain this personal data for as long as needed for the purposes for which it was collected, and only for the necessary period. This will depend on our business, legal and regulatory needs, but it will always be for a reasonable period of time.
| What are your rights? | The CCPA guarantees you the following rights. |
|---|---|
| Right to information | You have the right to request information about what Personal Data we collect, use, disclose, share, and sell about you, where we obtained it from and for what purpose we process it. |
| Right to erasure | You have the right to request that we delete your Personal Data and require our Processors to do the same. We will delete your data unless we have a legal obligation to retain your data or one of the other exceptions applies. |
| Right to refuse sale or sharing | You have the right to refuse to allow us to sell your data. As we share personal data with our Processors, this operation may be considered a sale of personal data under the CCPA. |
| Right to rectification | You have the right to request the correction of inaccurate personal data. You can correct certain data in your user account. |
| Right to restrict the use and disclosure of sensitive personal information | You may request that we use your sensitive data (birth number, bank account information, etc.) only for the purpose of providing you with Services. |
| Prohibition of discrimination | You have the right not to be subjected to discriminatory treatment as a result of exercising your rights. |
How can you exercise your rights? You can exercise your rights by email at hello@lettr.com or by post at our registered office.
We may require verification of your identity in order to process your request, depending on the nature of the right you are exercising. If a representative is exercising rights on your behalf, we will need to see proof of their authority to do so. We will also require your representative to identify themselves. We take these steps to ensure the highest possible standard of protection of your Personal Data.
- CONCLUSION
These Personal Data Processing Principles can only be changed in writing. You will be informed about this through our website. Therefore, please check these principles regularly. By continuing to use the Services, you agree to the changes in these principles.
If you are not satisfied, you can always submit a suggestion or complaint to the office address according to the country you come from. Below are the contacts for the offices in the countries from which most of our Users come:
Czech Office for Personal Data Protection, with its registered office at Pplk. Sochora 727/27, 170 00 Prague 7 – Holešovice, Czechia (more at www.uoou.cz),
Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27, Slovak Republic (more at https://dataprotection.gov.sk/uoou/),
Spanish Data Protection Agency (AEPD), with its registered office at Jorge Juan, 6, 28001 Madrid, Spain (more at www.aepd.es),
Italian Data Protection Authority (Garante), with its registered office at Piazza Venezia 11 - 00187 Roma, Italy (more at www.garanteprivacy.it),
German Federal Commissioner for Data Protection and Freedom of Information (BfDI), with its registered office at Graurheindorfer Str. 153, 53117 Bonn, Germany (more at www.bfdi.bund.de),
or to another personal data protection authority located in the place of your habitual residence.
These Personal Data Protection Principles are effective from 15 February 2026.