Your webhook is the system of record — we're the pipe. This explains what we collect, how long we keep it, and the per-domain controls you have over the email we process.
Effective date: 2026-06-27
MailKite ("MailKite", "we", "us") provides a developer email platform: we receive inbound email for your domains and deliver it to your webhook, and we send outbound email through our API. This policy explains what we collect, why, how long we keep it, and the choices you have.
Questions or requests? Email support@mailkite.dev.
We collect three kinds of data:
We use your data only to run the service:
We do not sell your data, and we do not use the contents of your email to build advertising profiles.
By default we keep a parsed copy of each message only long enough for you to replay or debug a delivery, after which it auto-expires: 3 days on Free, 30 on Pro, 90 on Scale, and 365 on Business. Inbound attachments are deleted after 7 days. Your webhook is the system of record; MailKite is the pipe.
You can tighten this per domain:
See the Retention & encryption docs for how to enable each.
Connecting Google is optional and entirely under your control. If you click "Sync" next to Google on your Contacts page, we ask Google for read-only access so we can build your MailKite address book. We request only these scopes:
From those contacts we import only each person's name and email address (and, when present, their company) into your own MailKite address book. We use this solely to (a) show you your contacts and (b) suggest recipients when you compose an email. We never use it for advertising, never sell or share it, and never use it to train AI/ML models. Your Google OAuth tokens are encrypted at rest (AES-GCM) and used only to sync your contacts.
You can disconnect Google at any time from your Contacts page, after which we stop syncing, and you can delete imported contacts individually or by deleting your account.
MailKite's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We rely on a small set of infrastructure providers to deliver the service. Each processes data only to perform its function:
Outbound mail is signed with DKIM and aligned to SPF and DMARC on your domain using the DNS records set at onboarding, so your mail authenticates as you. Webhook deliveries are signed with HMAC-SHA256 (the x-mailkite-signature header) so you can verify they came from us. Access to the API and webhooks is over TLS.
We use a first-party session cookie (scoped to mailkite.dev) to keep you signed in across the dashboard, docs, and site. We use minimal first-party analytics to understand which links are used. We do not use third-party advertising cookies.
You can access, export, correct, or delete your account data. Deleting a domain removes it and its routes; deleting your account removes your account data and stops processing. Depending on where you live, you may have additional rights under laws such as the GDPR or CCPA — email support@mailkite.dev to exercise them and we'll respond within a reasonable time.
For email we process on your behalf, you are the controller and MailKite is the processor; we act on your instructions.
We keep account and billing records for as long as your account is active and as required for legal, tax, and accounting purposes. Email content follows the retention rules above. Data is processed on our providers' global infrastructure; contact us about region requirements for enterprise needs.
MailKite is a developer tool not directed to children, and is not intended for anyone under 16.
We may update this policy from time to time. Material changes will be announced to your account contact email. The version in effect when you use the service governs that use.
Privacy questions or requests: support@mailkite.dev.
See also our Terms of Service and SLA.