Privacy
How senderZ handles personal data, phone numbers, and message content — aligned with GDPR, CCPA, and global data-protection norms. This page is the operational view; the formal Privacy Policy is the legal document.
Data we collect
senderZ collects three categories of data.
Account data — email, name, and authentication tokens for each user (managed by Clerk) plus billing details for paid plans (managed by Stripe). Payment card numbers never touch senderZ infrastructure; Stripe handles PCI scope.
Usage data — API call metadata, message delivery status, webhook events, rate-limit counters, AI feature usage. This is operational telemetry, not content.
Message data — recipient phone numbers and message content, because senderZ has to hold both to deliver the message. Both are encrypted in transit, stored in D1, and partitioned by tenant_id. Message content is never used for analytics, training, or cross-customer signal.
Message content retention
Messages are retained for 90 days by default so customers can inspect delivery in the portal and replay failures. After 90 days the message body is purged; delivery metadata (status, timestamps, phone IDs) remains indefinitely for analytics.
Tenant-configurable retention through the portal is planned for Q3 2026. Shorter retention (7, 14, 30 days) for privacy-sensitive workloads is available on request today through support.
Opt-out records are retained for the life of the tenant plus 90 days after deletion. This prevents accidental re-enrollment of a phone that opted out.
Sub-processors
senderZ uses these third parties to deliver the service. Material changes are notified to customers on Growth/Scale with a signed DPA at least 30 days in advance.
- Cloudflare: Infrastructure provider for Workers, D1, KV, Queues, Pages, Analytics. Handles all customer data in senderZ's control plane.
- Clerk: Authentication provider for developer and Simple Mode portals. Holds account data (email, name, password hashes, MFA factors).
- Stripe: Billing provider. Holds payment method details and subscription state. Payment card data never reaches senderZ.
- Anthropic: AI provider for Claude-based features (reply suggestions, auto-reply personas). Receives the specific request payload for each AI call; does not retain or train on customer data under Anthropic's API terms.
- Cloudflare Workers AI: Fallback AI provider when a customer has not configured their own. Same scope as Anthropic.
- senderZ iMessage engine: Proprietary iMessage bridge running on operator-controlled dedicated Apple hardware. Not a third-party SaaS; operated by senderZ on senderZ hardware. Listed here for transparency.
Data residency
Cloudflare D1 today runs as a globally distributed database with reads served from the nearest edge. Writes replicate across Cloudflare's network; senderZ does not region-pin tenants. For customers who need strict regional storage (EU-only, US-only), the current answer is "not yet."
EU data residency is on the roadmap, planned for Q2 2027, as Cloudflare rolls out D1 region pinning. Until then, EU customers with strict residency requirements should either accept SCC-based transfers under our DPA or talk to us about Self-Hosted senderZ running entirely in an EU Cloudflare region you control.
Data-subject requests (GDPR / CCPA)
Email [email protected] for export, access, correction, or deletion requests. We acknowledge within three business days and complete within 30 days, the statutory GDPR and CCPA maximum.
For customer-of-customer requests (an end user of your app asking you to delete their data), the customer is the controller and handles the request through our API: DELETE /v1/contacts/:id removes a contact; DELETE on messages is not supported today because the audit trail is required for compliance. If a true right-to-erasure obligation applies, contact us and we will work with you on a case-by-case basis.
Our Data Processing Agreement is available on request. Ask via the button below.
Children and Global Privacy Control
senderZ is a business-to-business platform and is not directed at anyone under 16. We do not knowingly collect data from minors. If you believe we have, contact [email protected] and we will delete the data.
Global Privacy Control (Sec-GPC header) is honored at the API layer. When a GPC signal arrives on an authenticated request, senderZ records a do_not_sell consent entry automatically in user_consents for that user (workers/api/src/middleware/auth.ts:128-151). This is an already-shipped feature, not a roadmap item.
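The GPC handling described above, as an added TypeScript example rather than senderZ's own middleware: only `Sec-GPC: 1` on an authenticated request counts as a signal, and the do_not_sell entry is written once per user. The types, function names and the in-memory map standing in for user_consents are hypothetical.

```typescript
// Added illustration, not senderZ's auth.ts. Only Sec-GPC, do_not_sell and
// user_consents come from the page; every other name is hypothetical.
interface HeaderReader { get(name: string): string | null; }
interface AuthContext { tenantId: string; userId: string; }
interface ConsentRow extends AuthContext {
  consentType: "do_not_sell";
  source: "gpc_header";
  recordedAt: string; // ISO 8601
}

// In-memory stand-in for the user_consents table.
class UserConsents {
  private rows = new Map<string, ConsentRow>();
  // Insert once per tenant + user; repeats keep the first timestamp.
  insertIfAbsent(row: ConsentRow): boolean {
    const key = row.tenantId + ":" + row.userId + ":" + row.consentType;
    if (this.rows.has(key)) return false;
    this.rows.set(key, row);
    return true;
  }
  all(): ConsentRow[] { return Array.from(this.rows.values()); }
}

// GPC defines a single meaningful value, "1"; anything else is no signal.
function hasGpcSignal(headers: HeaderReader): boolean {
  return (headers.get("sec-gpc") || "").trim() === "1";
}

// Returns true only when a new consent row was written.
function applyGpc(headers: HeaderReader, auth: AuthContext | null,
                  store: UserConsents, now: Date = new Date()): boolean {
  if (auth === null) return false; // no identity to attach the consent to
  if (!hasGpcSignal(headers)) return false;
  return store.insertIfAbsent({
    tenantId: auth.tenantId, userId: auth.userId,
    consentType: "do_not_sell", source: "gpc_header",
    recordedAt: now.toISOString(),
  });
}

// Constructed helper: case-insensitive header lookup for sample requests.
function headersFrom(obj: Record<string, string>): HeaderReader {
  const lower = new Map<string, string>();
  for (const k of Object.keys(obj)) lower.set(k.toLowerCase(), String(obj[k]));
  return { get: (name: string) => lower.get(name.toLowerCase()) ?? null };
}
```

Keying the write on tenant, user and consent type keeps the entry idempotent, so a browser that sends the header on every request does not grow the table or overwrite the time the preference was first seen.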
Frequently asked questions
Where geographically is my tenant data stored?
Customer data lives in Cloudflare D1, which runs across Cloudflare's global network. Today senderZ does not pin tenants to a specific region; writes replicate to the nearest edge for low read latency. EU-only data residency is on the roadmap for Q2 2027 for enterprise customers who need strict in-region storage.
How do you handle EU customers today?
EU customers can use senderZ under our standard terms and a Data Processing Agreement available on request. We rely on Standard Contractual Clauses for EU-to-US data transfer. Customers with strict GDPR data-residency requirements should wait for our Q2 2027 EU region work or talk to us about Self-Hosted deployment in an EU region you control.
Does senderZ staff read message content?
Staff access to message bodies is limited to debugging specific customer-reported issues and requires an operator action logged with a timestamp and reason. There is no bulk-read workflow, no analytics pipeline that reads message content, and no AI training that uses customer messages. Message bodies are never intentionally read by humans or machines outside the delivery path and incident response.
How long does a data-subject delete request take?
We acknowledge GDPR Article 17 / CCPA deletion requests within three business days and complete them within 30 days, which is the statutory maximum. The 30-day window covers propagation across D1 replicas, Cloudflare Queues flush (messages in flight finish delivery), and sub-processor cleanup where we have an export channel.
How will I be notified when you add a sub-processor?
Customers on Growth or Scale with a signed DPA receive advance written notice of material sub-processor changes (the ones that handle customer data, not infrastructure providers). The notice period is 30 days. Customers can object by terminating the affected contract with pro-rated refund under the DPA terms.
Is my data used to train senderZ's AI features?
No. AI features — reply suggestions, auto-reply personas, AI training source ingestion — only pass data to the AI provider (Anthropic or Workers AI) to generate a response for that single request. No fine-tuning on customer data. No cross-customer signal mixing. Anthropic and Cloudflare Workers AI have their own data-handling terms which we pass through to customers via our sub-processor list.
What happens to my data 90 days after I delete my tenant?
On tenant deletion, message bodies and contact records are purged within 7 days. Consent logs are retained for 90 days as a safeguard against erroneous deletion, then purged. Billing records are retained for 7 years per US accounting requirements, but contain no message content — only invoice-level metadata.
Need something formal?
We share our DPA, SOC 2 status, security questionnaire responses, and other formal materials under NDA. Email us or request access below.