Legal

Privacy Policy

How AXO Email, Inc. collects, uses, and protects your information.

Effective April 1, 2026 · See changelog

Overview

We built AXO because email got gross. Free mail services scan your messages to sell ads; encrypted alternatives make group collaboration painful. AXO is the middle path: business-grade mail you pay for, with no ads, no content mining, and no surprises.

This policy describes what we collect, why, and what we do with it. If you have questions after reading, contact us.

Data we collect

Account information

When you sign up, we collect your name, email address, and password (hashed with bcrypt). If you choose the Concierge setup path or subscribe to a paid plan, we collect billing information (processed by Stripe — we store only the last 4 digits and expiration).

Mail content

We store the messages you send and receive so we can deliver them to you. Mail is encrypted at rest (AES-256) and in transit (TLS 1.3). Only you and people you've shared mailboxes with can read your mail.

Usage data

We log request metadata (timestamp, IP address, user agent) for security, debugging, and abuse prevention. Logs are retained for 30 days and then deleted.

Cookies

We use first-party cookies for session management and remembering your preferences. We don't use third-party tracking cookies or advertising cookies.

How we use it

  • Deliver mail. Receive, route, and send messages on your behalf.
  • Protect accounts. Detect abuse, fraud, and compromise.
  • Improve the product. Aggregate, anonymized metrics (e.g. "90% of users complete DNS setup in under 15 minutes") — never individual messages.
  • Support you. Respond to tickets you open. Our agents only access mail content when you explicitly share it with them in a ticket.
  • Bill you. Process subscription payments.

What we never do

  • Scan your mail to train AI models.
  • Sell or rent your data to anyone.
  • Use your mail content for advertising.
  • Read your mail without a narrow legal obligation or your explicit support ticket.
  • Store your password in plaintext.

Sharing & subprocessors

We share data with a small set of vetted subprocessors that help us operate the service:

SubprocessorPurposeRegion
Amazon Web Services (SES)Outbound mail relayUS
StripePayment processingUS
CloudflareDNS & web edgeGlobal
Backblaze B2Encrypted off-site backupsUS

We also disclose information if required by a valid legal process (subpoena, court order). We publish a transparency report annually.

Retention & deletion

Your mail stays until you delete it. When you delete a message, it's moved to Trash and purged after 30 days. When you close your account, all mail and metadata are scrubbed within 30 days. Billing records are retained for 7 years to comply with tax and accounting law.

Security

Our security practices are detailed on the security page. Highlights: TLS in transit, two-factor authentication for webmail, DKIM/SPF/DMARC on every outbound message, audit logs for admin actions, and daily encrypted off-site backups. To report a vulnerability, use our support form.

Your rights

Depending on your region (GDPR, CCPA, LGPD, etc.), you have the right to:

  • Access the data we hold about you (Settings → Account → Export data)
  • Correct inaccurate data
  • Delete your data (Settings → Security → Delete account)
  • Export your mail and contacts in standard formats (.mbox, .vcf)
  • Object to processing for a specific purpose
  • Lodge a complaint with a data protection authority

To exercise these rights, use in-app controls or open a ticket through our support form.

Children

AXO is not intended for children under 13. We don't knowingly collect information from children.

Contact us

For privacy, legal, or data-protection questions, open a ticket through our support form and we'll route it to the right person.

Changes

We'll notify you by email and in-app banner at least 30 days before any material change.