Privacy Policy
HEADS UP — TEMPLATE. A real privacy policy needs to match what your service actually does, what data it actually collects, and what your jurisdiction (GDPR, CCPA, etc.) requires you to disclose. This document is a reasonable starting point but MUST be reviewed by a lawyer before publication. The author is not your lawyer.
Last updated: 2026-05-15
This Privacy Policy describes how Talking Unicorn ("we", "us") handles your information when you use our hosted email service ("Service"). The Talking Unicorn service is operated by Talking Unicorn Inc., a Florida corporation, which is the data controller for personal information processed under this Policy.
TL;DR
- We host your mail and the data needed to run a mail service.
- We don't read your mail. We don't sell anything. We don't show ads.
- We use sub-processors for infrastructure (hosting, payments, optionally offsite backups). They're listed below.
- You can export everything and delete your account at any time.
What we collect
Account information
- Your email address (the admin contact for your tenant).
- Your domain name.
- Your name, if you provide one.
- Your payment information, which is processed by Stripe — we never see your card number directly.
- Your IP address at the time of signup and on subsequent logins, for security and abuse-prevention purposes.
Mail and content
- All email messages you send and receive, while they're stored in your account. Mail is stored on encrypted disks; we do not separately read, index for advertising, or analyze the content.
- Files you save to the PDF Vault.
- Calendar events and contacts, if you use the calendar/contacts features.
Service operation data
- Authentication logs (who logged in, when, from where) for security.
- IMAP/SMTP transaction logs for troubleshooting and abuse detection (sender, recipient, size, timestamp — not message body). Retained for 30 days.
- AI feature logs: when an AI feature ran and what it decided (categorize, suggest a draft, flag a follow-up). Anonymized to the tenant level after 90 days.
- AI feedback: if you accept, edit, or reject an AI suggestion, we retain the suggestion + your edit (without identifying personal content) to improve the model. You can disable this in account settings.
Website analytics
We use no third-party analytics. We do log basic web access (IP, URL, user agent) for security and capacity planning. These logs are retained for 30 days.
How we use the data
- To operate the Service: store and transmit your mail, run the features you enable, authenticate your sessions.
- To bill you: send your account information to Stripe for payment processing.
- To prevent abuse: spam filter inbound, score outbound, detect compromised accounts.
- To improve the Service: aggregate (not individualized) usage metrics, and the AI feedback corpus described above.
- To comply with the law: when we receive a valid legal request. We document every such request on our website (at /transparency, added when we get our first one) so customers can see when this happens, without identifying who was asked about.
We do not:
- Sell, rent, or trade your data to anyone.
- Train AI models on your mail content. The corrections corpus described above is anonymized and used only for the LoRA fine-tuning of our AI features.
- Show you ads, or let anyone advertise to you on the Service.
- Read your mail manually except (a) when you ask us to (e.g. a support request where you share a message), or (b) when required by a valid legal process.
Sub-processors
The third parties we share data with, and why:
| Sub-processor | What they handle | Data shared |
|---|---|---|
| Hetzner Online | Server hosting (Germany / Finland) | All Service data (encrypted at rest) |
| Stripe | Payments | Name, email, billing info, charge data |
| Backblaze B2 | Offsite encrypted backups (optional) | Encrypted backup blobs (we hold the key) |
| Cloudflare | DNS | DNS queries (no mail content) |
| Let's Encrypt | TLS certificates | Domain name only |
| Anthropic / Groq / OpenAI | LLM inference (varies by feature; configurable per tenant; defaults to self-hosted vLLM) | Message content for the request being processed |
| RunPod | Self-hosted LLM compute | Same as above when self-hosted is selected |
⚠️ Operator: update this table to match what you actually use in production. List every third party that touches customer data.
Where your data lives
Servers are physically located in [REGION]. If you have specific data-residency requirements, contact us before signing up.
How long we keep it
- Account information: as long as your account is active, plus 90 days after closure for legal/billing record retention.
- Mail content: until you delete it, or 30 days after account closure (whichever is sooner).
- Backups: snapshots retained per the schedule in our backup config — typically 7 daily, 4 weekly, 12 monthly. Deletes propagate to backups within 12 months.
- Operation logs: 30 days.
- AI feature logs: 90 days; corrections corpus retained anonymously until you disable AI feedback.
Your rights
Depending on where you live, you may have rights to:
- Access the data we have about you (export available at /admin/account/export once we ship it; for now, write to us).
- Correct inaccurate data.
- Delete your data by closing your account.
- Object to certain types of processing.
- Port your data to another provider (IMAP-based services accept your mailbox via imapsync; we'll help if you ask).
To exercise any of these rights, write to privacy@talkingunicorn.email. We'll respond within 30 days.
Children
The Service is not directed at children under 13 (or 16 in the EU). We don't knowingly collect data from anyone under that age. If you believe a child has an account, write to us and we'll delete it.
Service Integrity
We run abuse detection to protect the platform from spam, fraud, and malicious use. What this means in plain terms:
What we examine (patterns, not content):
- Outbound velocity — we count how many messages each tenant sends per hour and day. Counts only — we do not inspect message bodies for this.
- UNI prompts — what users type INTO the AI (e.g. "draft a reply to Alice") is reviewed by an automated classifier looking for jailbreak attempts and requests to generate bulk spam. We do not review the AI's responses to those prompts for this purpose.
- Signup and billing patterns — same Stripe customer creating many tenants in a short window is a fraud signal.
We do not read the content of your incoming or outgoing mail to train classifiers, profile you, or build advertising audiences. The abuse classifier looks at metadata and AI-prompt phrasing — never your correspondents' messages to you, never your replies to them.
What happens when a signal trips:
- The signal is logged with a severity (info / low / medium / high / critical) and confidence score.
- By default, it lands in an operator review queue — no automated action is taken. A human (the platform operator) reviews and either confirms abuse or marks the signal legitimate.
- The operator can choose to: send a warning email, suspend outbound sending, schedule the account for deletion, or take no action.
- Each tenant has a per-account trust score (0.0–1.0). Green-flagged signals nudge it up; confirmed-abuse signals nudge it down. The score is used internally to prioritize review and may, in the future, modulate AI rate limits — it is never shared with third parties.
Optional auto-suspend (off by default): the platform supports auto-suspending a tenant when a signal is critical severity AND confidence ≥ 0.95. This is gated by the operator-flipped ABUSE_AUTO_ACTION_ENABLED setting and is OFF by default. Suspended tenants keep their data — see "Service behavior" for what happens next.
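The signal-handling rules above (review queue by default, auto-suspend only when the operator flag is on and the signal is critical with confidence ≥ 0.95, trust score kept within 0.0–1.0) as an added illustration; this is not the service's own code, and the `AbuseSignal` class, the nudge step size and the outcome labels are assumptions.

```python
"""Signal-handling logic as described in the Service Integrity section.
Added illustration, not the service's own code; the nudge sizes and the
data class are assumptions."""
from dataclasses import dataclass

SEVERITIES = ("info", "low", "medium", "high", "critical")
AUTO_SUSPEND_MIN_CONFIDENCE = 0.95   # threshold stated in the policy


@dataclass
class AbuseSignal:
    tenant: str
    kind: str          # e.g. "outbound_velocity", "uni_prompt", "signup_pattern"
    severity: str      # one of SEVERITIES
    confidence: float  # 0.0..1.0


def decide_action(signal: AbuseSignal, auto_action_enabled: bool = False) -> str:
    """Return "auto_suspend" or "queue".

    auto_action_enabled mirrors ABUSE_AUTO_ACTION_ENABLED, which is OFF by
    default, so every signal lands in the operator review queue unless the
    operator has flipped it AND the signal is critical with confidence >= 0.95.
    """
    if signal.severity not in SEVERITIES:
        raise ValueError(f"unknown severity {signal.severity!r}")
    if not 0.0 <= signal.confidence <= 1.0:
        raise ValueError("confidence must be within [0.0, 1.0]")
    if (auto_action_enabled
            and signal.severity == "critical"
            and signal.confidence >= AUTO_SUSPEND_MIN_CONFIDENCE):
        return "auto_suspend"
    return "queue"


def update_trust(score: float, outcome: str, step: float = 0.05) -> float:
    """Nudge the per-tenant trust score after human review.

    "legitimate" (green-flagged) nudges up, "confirmed_abuse" nudges down;
    the step size is an assumption. The result is clamped to 0.0..1.0.
    """
    if outcome == "legitimate":
        score += step
    elif outcome == "confirmed_abuse":
        score -= step
    else:
        raise ValueError(f"unknown review outcome {outcome!r}")
    return round(min(1.0, max(0.0, score)), 4)
```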
Your rights here:
- You can request a copy of every signal recorded against your account by contacting us at the address in the Contact section.
- You can dispute an action by replying to the warning or suspension notice; a human will review.
- We retain abuse signals for at most the same window as inference logs (see How long we keep it) unless required to keep them longer to defend the platform against a recurring threat.
Security
- Mail at rest is on encrypted disks.
- Mail in transit is on TLS (STARTTLS for SMTP, TLS for IMAP, HTTPS for the web UI). We negotiate the strongest cipher the remote supports.
- Passwords are hashed with bcrypt.
- We do not use SMS or "secret questions" for password recovery.
- Two-factor authentication: see "Coming Soon" — we're tracking this as a high-priority backlog item. Until then, use a strong password.
No system is perfectly secure. If you discover a vulnerability, write to security@talkingunicorn.email — we don't have a bug bounty program yet but we'll thank you publicly and fix the issue.
Changes to this policy
We may update this Privacy Policy. Material changes will be sent to your admin email at least 30 days before they take effect.
Contact
- Privacy questions: privacy@talkingunicorn.email
- Data requests: privacy@talkingunicorn.email
- Security disclosures: security@talkingunicorn.email