Privacy Policy
EmailSyncer is operated by [TBD legal entity name], a [TBD entity type] registered at [TBD registered address] (company number [TBD]).
We provide an outbound email routing service that connects Go High Level (GHL) installations to your own Microsoft 365 or Google Workspace mailbox via OAuth, so GHL workflow emails are sent from your real mailbox instead of GHL's bundled email infrastructure.
For privacy questions, contact [privacy@emailsyncer.com](mailto:privacy@emailsyncer.com).
The short version
- We hold OAuth tokens for the GHL installation and for each connected Microsoft / Google mailbox you authorise.
- We log metadata about each outbound message we route (sender, recipients, delivery status). The subject line is not stored.
- We never read your inbound mail. We never archive message bodies.
- Tokens are encrypted at rest with AES-256-GCM. We never see your password.
- We never sell or share your data outside the sub-processors listed below.
- Uninstalling EmailSyncer from GHL revokes our access and deletes the underlying tokens within [TBD: e.g. 30 days].
What we collect
We collect only what we need to route emails on your behalf, in five categories:
Account & installation data
- GHL installation ID, company ID, location ID
- GHL OAuth access token + refresh token (encrypted)
- Provider registration ID returned by GHL when we register as your conversation provider
Mailbox connection data
- Microsoft / Google OAuth access token + refresh token (encrypted)
- Mailbox identifiers: email address, display name, Microsoft Object ID, tenant ID
- Proxy/alias addresses returned by Microsoft Graph (proxyAddresses) — used to validate sender identity before send
Message metadata (per outbound send)
- GHL message ID (used for deduplication)
- Sender mailbox ID and from address
- Recipient to, cc, bcc addresses
- Internet message ID returned by Microsoft Graph after send
- Send status (queued / sending / delivered / failed) and failure reason if applicable
- Timestamps (enqueued, sent)
We do not store the message subject, body, or attachments. We do not retain the message after send beyond the metadata listed above.
Audit events
Append-only log of significant events: installation, mailbox connection, mailbox revocation, webhook receipt, send result. Used for incident investigation and security audit. Includes references to the records above; does not include message content.
Operational data
- Server logs (request method, path, status code, request ID, duration)
- Error reports captured by [TBD error reporting provider] if enabled
- Site analytics (page view counts only) collected by [TBD analytics provider] if enabled
Why we collect it (lawful basis)
If you reside in the EEA, the UK, or a comparable jurisdiction:
| Purpose | Lawful basis |
|---|---|
| Route emails on your behalf (the service you signed up for) | Contract — Article 6(1)(b) |
| Refresh OAuth tokens; verify webhook signatures | Contract — Article 6(1)(b) |
| Maintain audit logs for security and incident response | Legitimate interest — Article 6(1)(f) |
| Detect and respond to abuse | Legitimate interest — Article 6(1)(f) |
| Respond to legal requests | Legal obligation — Article 6(1)(c) |
We do not rely on consent for the processing described here. You may withdraw access at any time by uninstalling EmailSyncer from GHL or revoking the OAuth grant in Microsoft / Google.
Where it lives (data residency)
- Database: PostgreSQL 16 hosted on Render in [TBD region].
- Server logs: same region as the database; retained [TBD: e.g. 30 days] then automatically deleted.
- Backups: encrypted daily snapshots, 7-day point-in-time recovery, retained [TBD: e.g. 30 days].
When you authorise EmailSyncer to access your Microsoft or Google mailbox, that mailbox data continues to live with Microsoft / Google under their own residency rules. We never copy mailbox content into our own storage.
Sub-processors
We use the following third parties to operate the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Render Services, Inc. | Application hosting and managed PostgreSQL | [TBD region] |
| Microsoft Corporation | OAuth and Microsoft Graph (when you connect a Microsoft 365 mailbox) | Per Microsoft's data residency rules |
| Google LLC | OAuth and Gmail API (when you connect a Google Workspace mailbox; v2) | Per Google's data residency rules |
We will update this section if we add a new sub-processor and notify customers in advance.
How long we keep it
| Data | Retention |
|---|---|
| OAuth tokens (GHL + mailbox) | Until installation/mailbox is revoked, then deleted within [TBD] |
| Message metadata | [TBD: e.g. 12 months], then automatically deleted |
| Audit events | [TBD: e.g. 24 months], then automatically deleted |
| Server logs | [TBD: e.g. 30 days] |
| Backups | [TBD: e.g. 30 days] |
Your rights
If you reside in the EEA, the UK, or California, you have the rights summarised below. Email privacy@emailsyncer.com to exercise them; we will respond within [TBD: typically 30 days under GDPR, 45 days under CCPA].
- Access — request a copy of the data we hold about your installation and mailboxes
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (some audit data must be retained for security and legal reasons; we'll explain what stays and why)
- Restriction — ask us to stop processing while a dispute is investigated
- Portability — receive your data in a machine-readable format
- Object — object to processing that we rely on legitimate interest for
- Lodge a complaint — with [TBD supervisory authority] if you believe we've handled your data unlawfully
California residents have equivalent rights under the CCPA / CPRA; we do not 'sell' or 'share' personal information as those terms are defined.
How to revoke access
You may disconnect EmailSyncer at any time, in increasing order of severity:
- Disconnect a single mailbox: use the Disconnect action in the EmailSyncer embed UI inside GHL. The mailbox is marked revoked immediately; we delete its tokens within [TBD].
- Uninstall from GHL: GHL fires our uninstall webhook, which marks every mailbox tied to that installation as revoked.
- Revoke at the OAuth provider: Microsoft (account.microsoft.com/privacy/app-access or myapps.microsoft.com), Google (myaccount.google.com/permissions), or GHL agency settings.
When access is revoked we cease using the tokens immediately. Pending sends already in our queue at the moment of revocation may still attempt to dispatch using a cached fresh token; new sends fail with the reason mailbox_revoked and are surfaced in the embed UI.
Security
- OAuth 2.0 only. We never see, store, or transmit your password.
- Access and refresh tokens are encrypted at rest with AES-256-GCM (32-byte key, base64-encoded, rotated per environment).
- Webhook signatures verified with Ed25519 against the raw request body.
- TLS 1.2+ enforced for all connections. HSTS header set on every response from emailsyncer.com.
- Production database hosted on a private network; not directly reachable from the public internet.
- Daily encrypted backups; 7-day point-in-time recovery.
- Dependency security audit run on every deploy.
- We use the principle of least privilege when requesting OAuth scopes.
We don't claim certifications we don't hold.
OAuth scopes
Microsoft Graph
| Scope | Why |
|---|---|
| Mail.Send | Send messages on the user's behalf via /me/sendMail and /me/messages/{id}/send |
| User.Read | Read the user's profile (email, display name) and proxyAddresses to validate sender aliases |
| offline_access | Refresh tokens — required to keep sending after the initial 1-hour access-token window |
Google (v2 — not yet active)
| Scope | Why |
|---|---|
| gmail.send | Send messages on the user's behalf |
| email, profile | Read the user's email and display name |
Go High Level
| Scope | Why |
|---|---|
| conversations/message.write | Update message status on the GHL conversation thread after send |
| conversations.write | Required to register as a conversation provider |
| locations.readonly | Read the locations that have installed our app |
We do not request mail-read, mail-archive, or mail-modify scopes on any provider. We have no use for them.
Cookies
We use no cookies on emailsyncer.com for marketing or tracking. The embed UI inside GHL uses a single first-party session cookie (session) to maintain the authenticated session — strictly necessary for the embed to function, exempt from consent requirements under PECR / ePrivacy.
Children
EmailSyncer is a B2B service. We do not knowingly process personal data of those under 18.
International transfers
Where data is processed in a jurisdiction outside the EEA / UK, we rely on the following safeguards:
- For transfers to the United States: the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
- For transfers to other jurisdictions: Standard Contractual Clauses with appropriate technical and organisational measures.
Changes to this policy
If we make material changes we will notify customers via email at the address registered with the GHL installation, at least [TBD: e.g. 14 days] before the change takes effect. Non-material changes (typo fixes, clarifications) take effect immediately.
Contact
- Privacy questions / data subject requests: privacy@emailsyncer.com
- Security disclosures: security@emailsyncer.com
- General contact: hello@emailsyncer.com
- Postal address: [TBD registered address]