1. Data Controller
Muli is the data controller responsible for your personal information. For any questions or concerns about this Privacy Policy or your personal data, please contact us at:
2. Information We Collect
2.1 Personal Information You Provide
We collect the following personal information when you create an account, use our Service, or communicate with us:
Account Information
- Name
- Email address
- Profile picture (if provided via Google OAuth)
Company Information
- Company name
- Company email address
Payment Information
- Stripe Customer ID (we do not store credit card details directly)
- Subscription plan information (Starter or Pro)
- Payment status and transaction history
Stripe Connect Information
- Stripe Connected Account ID
- Stripe access tokens (stored securely with restricted access)
- Stripe refresh tokens (stored securely with restricted access)
- API keys (stored securely with restricted access)
Email Template Data
- Custom email subjects
- Email body content
- Template styles and customization preferences
- Call-to-action text and URLs
Customer Communication Data
- Email addresses of your customers (recipients of your automated emails)
- Customer names (if available from Stripe events)
- Email delivery logs and status information
2.2 Automatically Collected Information
Technical Information
- IP address
- Browser type and version
- Device information
- Operating system
- Session cookies for authentication
- Usage data and analytics
- Log files (access times, pages viewed, errors)
Stripe Event Data
- Webhook event types
- Event IDs and timestamps
- Subscription status changes
2.3 Cookies and Tracking Technologies
We use the following types of cookies:
Essential Cookies (Required)
- Authentication cookies — to keep you logged in
- Session cookies — to maintain your session state
- CSRF tokens — to protect against security threats
These cookies are necessary for the Service to function and cannot be disabled.
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
a) Contract Performance (Art. 6(1)(b))
- Creating and managing your account
- Processing payments and subscriptions
- Providing the email automation service
- Connecting to your Stripe account
- Sending automated emails on your behalf
b) Legitimate Interest (Art. 6(1)(f))
- Preventing fraud and abuse
- Improving our Service
- Technical troubleshooting and bug fixes
- Security and system maintenance
- Analytics to understand usage patterns
c) Legal Obligation (Art. 6(1)(c))
- Maintaining financial records for tax purposes
- Complying with applicable laws and regulations
- Responding to legal requests
d) Consent (Art. 6(1)(a))
- Marketing communications (if you opt-in)
- Optional analytics or tracking (if implemented in future)
4. How We Use Your Information
Service Delivery
- Creating and managing your user account
- Processing subscription payments through Stripe
- Connecting to your Stripe account to monitor subscription events
- Sending automated emails to your customers when triggered by Stripe events
- Storing and managing your custom email templates
- Logging email delivery status for your records
- Providing customer support
Communication
- Sending service-related notifications
- Responding to your inquiries
- Sending administrative messages about your account
Service Improvement
- Analyzing usage patterns to improve functionality
- Troubleshooting technical issues
- Developing new features
Legal and Security
- Preventing fraud and unauthorized access
- Enforcing our Terms of Service
- Complying with legal obligations
- Protecting our rights and property
5. Data Sharing and Third-Party Processors
We share your personal information with the following third-party service providers who process data on our behalf:
Stripe, Inc.
Purpose: Payment processing, subscription management, Stripe Connect integration
Data shared: Name, email, payment information, subscription details, connected account credentials
Location: United States
Resend
Purpose: Sending transactional emails and automated emails
Data shared: Recipient email addresses, names, email content, templates
Location: United States
Google OAuth
Purpose: User authentication and login
Data shared: Name, email address, profile picture
Location: United States
MongoDB Atlas
Purpose: Database hosting and data storage
Data shared: All user account data and service information
Location: EU or US (depending on configuration)
We do NOT:
- Sell your personal information to third parties
- Share your data for advertising purposes
- Use your customer data for any purpose other than providing the Service
6. International Data Transfers
Your personal information may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Service providers' compliance with GDPR and privacy frameworks
We ensure that appropriate safeguards are in place to protect your data during international transfers.
7. Data Retention
We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy:
Account Data
While active; deleted within 30 days of deletion request
Email Logs
Retained while your account is active; deleted upon account deletion
Payment Records
7 years to comply with tax and accounting regulations
Email Templates
While active; deleted within 30 days of account deletion
Session & Log Data
Retained for operational purposes; deleted upon account deletion
Lead Data
Retained while relevant; deleted upon account deletion
After the retention period expires, we will securely delete or anonymize your personal information.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right to Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and to access your data. You can view your data in your account settings or request a complete copy.
Right to Rectification (Art. 16)
You can correct inaccurate or incomplete personal information through your account settings or by contacting us.
Right to Erasure / "Right to be Forgotten" (Art. 17)
You can request deletion of your personal data. You can delete your account directly in the settings page, which will permanently remove all your personal information within 30 days.
Right to Data Portability (Art. 20)
You can request a copy of your personal data in a structured, machine-readable format by contacting us at support@muli.email.
Right to Restrict Processing (Art. 18)
You can request that we limit how we use your personal data in certain circumstances.
Right to Object (Art. 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you can withdraw consent at any time without affecting prior processing.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
To exercise any of these rights, contact us at support@muli.email or use the tools in your account settings. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
Technical Measures
- Encryption of data in transit (HTTPS/TLS)
- Restricted access controls for sensitive credentials (API tokens, access tokens)
- HTTP-only, secure cookies
- Regular security updates and patches
- Access controls and authentication via OAuth and magic links (no passwords stored)
Organizational Measures
- Limited access to personal data (need-to-know basis)
- Regular security assessments
- Employee confidentiality obligations
- Incident response procedures
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We will notify you of any data breaches as required by law.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours (GDPR Art. 33)
- Notify affected individuals without undue delay if the breach poses a high risk (GDPR Art. 34)
- Provide information about the nature of the breach and measures taken
11. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@muli.email and we will promptly delete such information.
13. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or significantly affects you.
14. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
15. Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you via email and/or a prominent notice on our Service of any change in ownership or use of your personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Service features.
When we make material changes:
- We will update the "Last Updated" date at the top
- We may notify you via email (if you have an account)
- We may display a prominent notice on our Service
Continued use of the Service after changes constitutes acceptance of the updated policy.
17. Data Protection Officer
For GDPR compliance matters, privacy concerns, or to exercise your data protection rights, please contact:
19. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
This Privacy Policy is effective as of the date stated at the top and governs your use of the Service.