Legal Center

Privacy Policy

Your trust is the foundation of our platform. This policy explains what data EngageIQ collects, why we collect it, how we use and protect it, and the controls you have over your information.

Effective June 12, 2026
Last updated June 12, 2026
01

Introduction

This Privacy Policy explains what data EngageIQ collects, why we collect it, how we use it, the third parties we rely on, and the controls available to you. It applies to the EngageIQ customer engagement platform, our websites, APIs, SDKs, dashboards, and related services (collectively, the “Services”).

EngageIQ provides infrastructure for transactional email, lifecycle campaigns, automation flows, event tracking, and customer profiles. In delivering these Services we act in two distinct roles:

  • Data Controller — for information about our direct customers and account holders (for example, your name, login credentials, and billing details).
  • Data Processor — for the contact data and end-user events that you, as our customer, upload or send through the platform. In that case you are the controller and EngageIQ processes the data on your behalf and under your instructions.

Who this policy is for

If you are an end-recipient of an email sent through EngageIQ by one of our customers, please direct privacy requests to that customer (the sender). We will assist them in responding to your request.
02

Information We Collect

We collect information in the following categories:

Data categoryExamplesWhy we collect it
Account DataFull name, email address, company / organization name, role, password hash, workspace settings.Create and secure your account, identify users, and provide access to the platform.
Billing DataSubscription tier, plan limits, billing address, tax ID, invoices, and payment metadata (card details are handled by Stripe — we never store full card numbers).Process subscriptions, payments, renewals, and comply with tax and accounting obligations.
Usage DataLogin timestamps, IP addresses, browser and device information, operating system, referring pages, feature usage, and diagnostic logs.Authenticate sessions, secure the platform, debug issues, and improve performance.
Email & Messaging DataCampaign metadata, sender/recipient addresses, subject lines, delivery status, opens, clicks, bounces, complaints, and unsubscribe events.Deliver messages, generate analytics, manage deliverability, and prevent abuse.
Contact & Event DataContact profiles, attributes, segments, and behavioral events you ingest through our APIs, SDKs, or integrations.Power audience segmentation, automation flows, and lifecycle campaigns on your behalf.
Support DataMessages, attachments, and metadata you share when contacting support or sales.Respond to requests, troubleshoot, and maintain a record of communications.

How we collect it

  • Directly from you — when you register, configure your workspace, or contact us.
  • Automatically — through cookies, log files, and similar technologies as you use the Services.
  • From integrations — when you connect third-party tools (such as CRMs, data warehouses, or identity providers) that you authorize.
03

How We Use Your Data

We use the information described above to:

  • Provide, operate, and maintain the Services and their core functionality.
  • Authenticate users and protect accounts from unauthorized access.
  • Process payments, manage subscriptions, and send billing-related notices.
  • Deliver messages and generate engagement analytics (opens, clicks, bounces, conversions).
  • Improve platform performance, reliability, and the overall product experience.
  • Detect, investigate, and prevent abuse, spam, fraud, and security incidents.
  • Provide customer support and respond to your inquiries.
  • Send important service, security, and policy update notifications.
  • Comply with legal obligations and enforce our agreements.

Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Services), legitimate interests (to secure and improve the platform and prevent abuse), consent (for non-essential cookies and certain communications), and legal obligation (to meet regulatory requirements). You may withdraw consent at any time.

We do not sell your data

EngageIQ does not sell personal information and does not use the contact data you upload to train models for unrelated purposes. Customer data is used to provide the Services to you.
04

Email Tracking & Engagement Analytics

To help our customers measure campaign performance, EngageIQ supports message-level tracking. When enabled by the sender, messages delivered through the platform may include:

  • Open tracking pixels — a small, invisible image that loads when an email is opened, recording the open event, approximate time, and device/client type.
  • Click-tracking links — links that are wrapped so we can record which links a recipient clicks before redirecting them to the destination URL.
  • Delivery & engagement events — deliveries, bounces, spam complaints, and unsubscribes.

This tracking is performed on behalf of the sending customer (the controller of that data). EngageIQ uses the resulting engagement data to operate the analytics features, protect deliverability, and detect abuse.

Controls for senders and recipients

Senders can disable open and click tracking per message or campaign. Recipients can limit open tracking by disabling automatic image loading in their email client, and can unsubscribe at any time using the link included in commercial messages.
05

Automated Decision-Making & Profiling

EngageIQ offers features that analyze behavioral data to help customers engage their audiences — including audience segmentation and a churn-prediction model that scores the likelihood that a contact may disengage.

How profiling works

These features process event and engagement signals (such as activity frequency, recency, and feature usage) to group contacts into segments or to produce a risk score. The logic is statistical and is intended to help customers prioritize outreach — for example, by triggering a re-engagement campaign for at-risk contacts.

No solely-automated decisions with legal effects

Consistent with Article 22 of the GDPR, EngageIQ does not use these features to make decisions that produce legal effects, or similarly significant effects, on individuals based solely on automated processing without human involvement. Scores and segments are tools that customers use to inform their own marketing decisions.

Your rights regarding profiling

Where applicable, you may request information about the logic involved, object to profiling carried out on the basis of legitimate interests, and request human review. Contact the sending customer for end-recipient requests, or reach us using the details in the Contact section.
06

Third-Party Services & Subprocessors

We work with trusted subprocessors to operate the Services. These providers are bound by data-processing agreements and may only process data according to our instructions.

Amazon Web Services (AWS)

Cloud hosting, compute, storage, and database infrastructure.

Amazon SES

Email delivery and relay infrastructure for outbound messages.

Stripe

Payment processing and subscription billing. Card data is handled directly by Stripe.

Sentry

Application error monitoring and crash diagnostics.

PostHog

Product analytics to understand feature usage and improve the platform.

A current list of subprocessors is available on request. We will provide notice before adding a new subprocessor that materially affects the processing of personal data, giving you the opportunity to object.

07

Data Retention

We retain personal data only for as long as necessary to provide the Services and to meet legal, accounting, or reporting requirements.

  • Account data is retained for as long as your account remains active.
  • Deleted accounts and their associated data are permanently removed within 90 days of deletion, except where a longer period is required by law.
  • Billing and tax records may be retained for up to 7 years to satisfy financial regulations.
  • Aggregated and anonymized data that can no longer identify you may be kept for analytics and benchmarking.
  • Backups are kept on a rolling basis and are purged on a regular cycle.

As a customer, you control the retention of the contact and event data you ingest and can delete it at any time through the dashboard or API.

08

Your Rights & Controls

Depending on your jurisdiction (including the GDPR and CCPA/CPRA), you have rights over your personal data. You can:

  • Access the personal data we hold about you.
  • Export your data in a portable, machine-readable format.
  • Correct inaccurate or incomplete information.
  • Delete your data and request erasure of your account.
  • Restrict or object to certain processing activities.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

How to submit a Data Subject Request (DSR)

Account holders can access, export, correct, and delete much of their data directly from Settings → Privacy in the dashboard. To submit a formal request, use our intake form or email us:

Verification & timing

To protect your data, we verify the identity of every requester before acting. We respond within the time required by law — generally within 30 days under the GDPR and 45 days under the CCPA/CPRA, with a permitted extension where a request is complex. Authorized agents may submit requests on your behalf with proof of authorization.
09

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, provides you with specific rights regarding your personal information.

Categories of personal information collected & disclosed

Category (CCPA)ExamplesDisclosed to
IdentifiersName, email, IP address, account IDHosting, analytics, payment subprocessors
Commercial informationSubscription and billing recordsPayment processor (Stripe)
Internet/network activityUsage logs, feature interactions, email engagementAnalytics and infrastructure providers
Geolocation (approximate)Region inferred from IP addressInfrastructure and security providers
Professional informationCompany name, roleInternal use only

“Do Not Sell or Share My Personal Information”

EngageIQ does not sell your personal information and does not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. Because we do not sell or share, there is nothing to opt out of for those activities; you may still exercise your other rights below.

Sensitive personal information

We do not collect or use sensitive personal information (such as government IDs, precise geolocation, or account login combined with credentials to an external account) for purposes that require an opt-out under the CPRA. We use any limited sensitive data only as necessary to provide the Services.

Your California rights

  • The right to know what personal information we collect, use, and disclose.
  • The right to delete personal information we hold about you.
  • The right to correct inaccurate personal information.
  • The right to limit the use of sensitive personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise these rights, use the request methods in the section above. We will not discriminate against you for exercising any of your rights.

10

Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve the Services. Essential cookies are required for the platform to function; analytics cookies are optional and only set where permitted or where you have consented.

CookiePurposeCategoryDuration
eiq_sessionMaintains your authenticated sessionEssentialSession
eiq_csrfProtects against cross-site request forgeryEssentialSession
eiq_consentStores your cookie consent preferencesEssential12 months
eiq_workspaceRemembers your active workspace selectionFunctional30 days
ph_*PostHog product analytics (feature usage)AnalyticsUp to 12 months

You can manage non-essential cookies at any time. Disabling essential cookies may impair core functionality.

11

Security Measures

We implement administrative, technical, and organizational safeguards designed to protect your data, including:

  • Encryption in transit (TLS) and encryption at rest for stored data.
  • Strict role-based access controls and the principle of least privilege.
  • Continuous monitoring, logging, and alerting for suspicious activity.
  • Regular security reviews, dependency scanning, and patch management.
  • Secure development practices and isolation between customer workspaces.

Breach notification

If we become aware of a personal data breach, we will act without undue delay to investigate and contain it. Where the breach is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours where required by the GDPR, and will inform affected customers without undue delay so they can meet their own notification obligations.

No system is perfectly secure

While we work hard to protect your data, no method of transmission or storage is 100% secure. We continuously improve our controls but cannot guarantee absolute security.
12

International Data Transfers

EngageIQ operates on global cloud infrastructure (AWS) and may process data in regions outside your country of residence, including the United States and the European Union. Where data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and equivalent mechanisms to ensure your data receives an adequate level of protection.

Where available, customers on eligible plans can request data residency in a specific AWS region. Contact us to discuss regional hosting options.

13

Children’s Privacy

The Services are intended for businesses and are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the dashboard. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

15

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us using the details below.

EngageIQ Inc.

2261 Market Street, Suite 5678, San Francisco, CA 94114, USA

Privacy inquiries: privacy@engageiq.com

Data Protection Officer: dpo@engageiq.com

General support: support@engageiq.com

EU & UK representatives

In accordance with Article 27 of the GDPR and the UK GDPR, where required we appoint representatives for data subjects in the EEA and the United Kingdom. Until a local representative is designated for your region, please direct all requests to dpo@engageiq.com and we will route them appropriately.

Read next

Terms of Service