Innovatex Digital FZCO · License No. 49371

Privacy Policy

Service: IXmail (ixmailer.com)
Effective: 16 May 2026
Version: 1.0

1. Introduction

This Privacy Policy describes how Innovatex Digital FZCO ("Innovatex," "we," "us," "our") collects, uses, shares, and protects personal data in connection with the IXmail service ("Service") at ixmailer.com and related interfaces.

This Privacy Policy applies to:

Visitors to our websites
Customers and authorized users of the Service
Recipients of email sent through the Service (in limited circumstances — see Section 5)

If you do not agree with this Privacy Policy, please do not use the Service.

2. Personal Data We Collect

2.1 Account information (Customers)

Name, email address, phone number, business name, country
Billing information (processed by third-party payment processors — we do not store full payment-card numbers)
Authentication credentials (passwords stored as Argon2id hashes; 2FA secrets)
Sender domains and DNS verification status
API keys and SMTP credentials (hashed at rest)

2.2 Usage data

Service interactions: API calls, dashboard sessions, feature usage
Device and connection metadata: IP address, browser, operating system, timestamps
Email-sending metadata: volume, delivery status, bounce/complaint events, IP pool routing
Diagnostic logs

2.3 Cookies and similar technologies

We use essential cookies for session management and authentication, and limited analytics cookies subject to consent where required. See Section 9.

2.4 Customer-uploaded data (recipient data)

When you use the Service to send email, you upload personal data of recipients (email address, name, custom fields) to Innovatex. With respect to that data, you are the Controller and Innovatex is the Processor. Our processing of that data is governed by the Data Processing Agreement (see Section 5).

3. Purposes and Legal Bases for Processing

Purpose	Legal basis (GDPR)
Provide the Service to you	Contract — Art. 6(1)(b)
Process payment	Contract — Art. 6(1)(b)
Send transactional messages (receipts, updates)	Contract — Art. 6(1)(b)
Send product, marketing, or research communications	Consent — Art. 6(1)(a), or legitimate interest — Art. 6(1)(f) where lawful
Detect, prevent, investigate fraud and abuse	Legitimate interest — Art. 6(1)(f); legal obligation — Art. 6(1)(c)
Comply with legal, regulatory, tax, AML obligations	Legal obligation — Art. 6(1)(c)
Improve and maintain the Service	Legitimate interest — Art. 6(1)(f)
Process recipient data on your behalf	Customer is Controller; DPA — Art. 28

For UAE PDPL, equivalent lawful bases under Articles 5–6 apply.

We share personal data with:

4.1 Sub-processors

Vendors that process personal data to help us provide the Service. Current Sub-processors include:

Cloudflare, Inc. (USA) — CDN, DNS, edge security
Cloudflare R2 (USA) — inbound email storage
Stripe, Inc. (USA) — payment processing
Sumsub (UK) — Know-Your-Customer (only when triggered)
Twilio, Inc. (USA) / Vonage (UK) — phone verification (only when triggered)
Email providers for transactional system mail (Mailjet / Mailgun)
Cloud hosting and infrastructure providers in Singapore, UAE, and Germany

The current list is published at ixmailer.com/sub-processors and may be updated. Material changes are communicated to Customers via email or in-product notification.

4.2 Service providers and professional advisors

Accounting, legal, audit, and similar professional services bound by confidentiality.

4.3 Legal and regulatory authorities

Where required by law, court order, or to protect rights, safety, or property.

4.4 Business transfers

In connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality protections.

We do not sell personal data.

5. Customer-Recipient Data

Personal data of recipients uploaded by Customers is processed under the Data Processing Agreement. We:

Process recipient data only to provide the Service and as instructed by the Customer
Implement appropriate technical and organizational measures (see Section 7)
Assist Customers with data-subject rights requests
Notify Customers of personal data breaches without undue delay

For data-subject rights requests relating to recipient data, please contact the Customer that holds your relationship. Where Innovatex receives a direct request, we will forward it to the relevant Customer.

6. International Data Transfers

Innovatex is established in the United Arab Emirates and operates infrastructure in Singapore, UAE, and Germany. Personal data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States and the European Economic Area.

For transfers from the EU/EEA / UK, we rely on:

Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
UK International Data Transfer Addendum, where applicable
Other lawful transfer mechanisms

For UAE PDPL transfers, we apply the safeguards required under Article 22 PDPL.

7. Security

We implement technical and organizational measures appropriate to the risk, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable)
Hashed passwords (Argon2id) and hashed API keys
Network isolation, firewalls, and IP-pool segmentation
Least-privilege access controls and audit logs
Regular vulnerability scanning and patch management
Incident response procedures
Daily encrypted database backups with retention

No system is completely secure. We make no warranty that personal data will be fully protected. In the event of a personal data breach affecting your data, we will notify you in accordance with applicable law.

8. Data Retention

Data	Retention
Account data	Duration of account + 90 days post-termination
Billing records	7 years (UAE tax / accounting requirements)
Email-sending metadata	30 days full; aggregated indefinitely
Customer-uploaded recipient data	Per Customer instruction (DPA)
Authentication and access logs	12 months
Support communications	3 years
Backup snapshots	Up to 14 days rolling

Anonymized or aggregated data may be retained indefinitely for analytics and Service improvement.

9. Cookies and Tracking

We use:

Strictly necessary cookies — session, authentication, security (no consent required)
Functional cookies — preferences, language (no consent required where strictly functional)
Analytics cookies — usage measurement (consent-based where required by law)

You can manage cookie preferences via the cookie banner or your browser settings. Refusing non-essential cookies may affect Service functionality.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access to your personal data
Rectification of inaccurate data
Erasure ("right to be forgotten"), subject to legal exceptions
Restriction of processing
Portability to another controller
Objection to processing based on legitimate interest
Withdrawal of consent at any time (without affecting prior lawful processing)
Lodging a complaint with a supervisory authority

To exercise these rights, contact privacy@innovatex.ae. We will respond within 30 days, subject to verification of your identity and applicable legal limits.

If you are a recipient of email sent by a Customer through IXmail, contact the Customer directly. We will forward requests where appropriate.

11. Children's Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via email or in-product. Continued use after the effective date constitutes acceptance.

A change log is maintained at ixmailer.com/privacy/changelog.

13. Contact

Data Protection contact:

Innovatex Digital FZCO

Attention: Data Protection
IFZA Business Park, Building A1
Dubai Digital Park, Dubai Silicon Oasis
Dubai, United Arab Emirates
License No. 49371

Privacy: privacy@innovatex.ae
Legal: legal@innovatex.ae