Introduction
This Privacy Policy explains what data EngageIQ collects, why we collect it, how we use it, the third parties we rely on, and the controls available to you. It applies to the EngageIQ customer engagement platform, our websites, APIs, SDKs, dashboards, and related services (collectively, the “Services”).
EngageIQ provides infrastructure for transactional email, lifecycle campaigns, automation flows, event tracking, and customer profiles. In delivering these Services we act in two distinct roles:
- Data Controller — for information about our direct customers and account holders (for example, your name, login credentials, and billing details).
- Data Processor — for the contact data and end-user events that you, as our customer, upload or send through the platform. In that case you are the controller and EngageIQ processes the data on your behalf and under your instructions.
Who this policy is for
Information We Collect
We collect information in the following categories:
| Data category | Examples | Why we collect it |
|---|---|---|
| Account Data | Full name, email address, company / organization name, role, password hash, workspace settings. | Create and secure your account, identify users, and provide access to the platform. |
| Billing Data | Subscription tier, plan limits, billing address, tax ID, invoices, and payment metadata (card details are handled by Stripe — we never store full card numbers). | Process subscriptions, payments, renewals, and comply with tax and accounting obligations. |
| Usage Data | Login timestamps, IP addresses, browser and device information, operating system, referring pages, feature usage, and diagnostic logs. | Authenticate sessions, secure the platform, debug issues, and improve performance. |
| Email & Messaging Data | Campaign metadata, sender/recipient addresses, subject lines, delivery status, opens, clicks, bounces, complaints, and unsubscribe events. | Deliver messages, generate analytics, manage deliverability, and prevent abuse. |
| Contact & Event Data | Contact profiles, attributes, segments, and behavioral events you ingest through our APIs, SDKs, or integrations. | Power audience segmentation, automation flows, and lifecycle campaigns on your behalf. |
| Support Data | Messages, attachments, and metadata you share when contacting support or sales. | Respond to requests, troubleshoot, and maintain a record of communications. |
How we collect it
- Directly from you — when you register, configure your workspace, or contact us.
- Automatically — through cookies, log files, and similar technologies as you use the Services.
- From integrations — when you connect third-party tools (such as CRMs, data warehouses, or identity providers) that you authorize.
How We Use Your Data
We use the information described above to:
- Provide, operate, and maintain the Services and their core functionality.
- Authenticate users and protect accounts from unauthorized access.
- Process payments, manage subscriptions, and send billing-related notices.
- Deliver messages and generate engagement analytics (opens, clicks, bounces, conversions).
- Improve platform performance, reliability, and the overall product experience.
- Detect, investigate, and prevent abuse, spam, fraud, and security incidents.
- Provide customer support and respond to your inquiries.
- Send important service, security, and policy update notifications.
- Comply with legal obligations and enforce our agreements.
Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Services), legitimate interests (to secure and improve the platform and prevent abuse), consent (for non-essential cookies and certain communications), and legal obligation (to meet regulatory requirements). You may withdraw consent at any time.
We do not sell your data
Email Tracking & Engagement Analytics
To help our customers measure campaign performance, EngageIQ supports message-level tracking. When enabled by the sender, messages delivered through the platform may include:
- Open tracking pixels — a small, invisible image that loads when an email is opened, recording the open event, approximate time, and device/client type.
- Click-tracking links — links that are wrapped so we can record which links a recipient clicks before redirecting them to the destination URL.
- Delivery & engagement events — deliveries, bounces, spam complaints, and unsubscribes.
This tracking is performed on behalf of the sending customer (the controller of that data). EngageIQ uses the resulting engagement data to operate the analytics features, protect deliverability, and detect abuse.
Controls for senders and recipients
Automated Decision-Making & Profiling
EngageIQ offers features that analyze behavioral data to help customers engage their audiences — including audience segmentation and a churn-prediction model that scores the likelihood that a contact may disengage.
How profiling works
These features process event and engagement signals (such as activity frequency, recency, and feature usage) to group contacts into segments or to produce a risk score. The logic is statistical and is intended to help customers prioritize outreach — for example, by triggering a re-engagement campaign for at-risk contacts.
No solely-automated decisions with legal effects
Consistent with Article 22 of the GDPR, EngageIQ does not use these features to make decisions that produce legal effects, or similarly significant effects, on individuals based solely on automated processing without human involvement. Scores and segments are tools that customers use to inform their own marketing decisions.
Your rights regarding profiling
Third-Party Services & Subprocessors
We work with trusted subprocessors to operate the Services. These providers are bound by data-processing agreements and may only process data according to our instructions.
Amazon Web Services (AWS)
Cloud hosting, compute, storage, and database infrastructure.
Amazon SES
Email delivery and relay infrastructure for outbound messages.
Stripe
Payment processing and subscription billing. Card data is handled directly by Stripe.
Sentry
Application error monitoring and crash diagnostics.
PostHog
Product analytics to understand feature usage and improve the platform.
A current list of subprocessors is available on request. We will provide notice before adding a new subprocessor that materially affects the processing of personal data, giving you the opportunity to object.
Data Retention
We retain personal data only for as long as necessary to provide the Services and to meet legal, accounting, or reporting requirements.
- Account data is retained for as long as your account remains active.
- Deleted accounts and their associated data are permanently removed within 90 days of deletion, except where a longer period is required by law.
- Billing and tax records may be retained for up to 7 years to satisfy financial regulations.
- Aggregated and anonymized data that can no longer identify you may be kept for analytics and benchmarking.
- Backups are kept on a rolling basis and are purged on a regular cycle.
As a customer, you control the retention of the contact and event data you ingest and can delete it at any time through the dashboard or API.
Your Rights & Controls
Depending on your jurisdiction (including the GDPR and CCPA/CPRA), you have rights over your personal data. You can:
- Access the personal data we hold about you.
- Export your data in a portable, machine-readable format.
- Correct inaccurate or incomplete information.
- Delete your data and request erasure of your account.
- Restrict or object to certain processing activities.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority.
How to submit a Data Subject Request (DSR)
Account holders can access, export, correct, and delete much of their data directly from Settings → Privacy in the dashboard. To submit a formal request, use our intake form or email us:
Verification & timing
California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, provides you with specific rights regarding your personal information.
Categories of personal information collected & disclosed
| Category (CCPA) | Examples | Disclosed to |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Hosting, analytics, payment subprocessors |
| Commercial information | Subscription and billing records | Payment processor (Stripe) |
| Internet/network activity | Usage logs, feature interactions, email engagement | Analytics and infrastructure providers |
| Geolocation (approximate) | Region inferred from IP address | Infrastructure and security providers |
| Professional information | Company name, role | Internal use only |
“Do Not Sell or Share My Personal Information”
EngageIQ does not sell your personal information and does not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. Because we do not sell or share, there is nothing to opt out of for those activities; you may still exercise your other rights below.
Sensitive personal information
We do not collect or use sensitive personal information (such as government IDs, precise geolocation, or account login combined with credentials to an external account) for purposes that require an opt-out under the CPRA. We use any limited sensitive data only as necessary to provide the Services.
Your California rights
- The right to know what personal information we collect, use, and disclose.
- The right to delete personal information we hold about you.
- The right to correct inaccurate personal information.
- The right to limit the use of sensitive personal information.
- The right to non-discrimination for exercising your privacy rights.
To exercise these rights, use the request methods in the section above. We will not discriminate against you for exercising any of your rights.
Security Measures
We implement administrative, technical, and organizational safeguards designed to protect your data, including:
- Encryption in transit (TLS) and encryption at rest for stored data.
- Strict role-based access controls and the principle of least privilege.
- Continuous monitoring, logging, and alerting for suspicious activity.
- Regular security reviews, dependency scanning, and patch management.
- Secure development practices and isolation between customer workspaces.
Breach notification
If we become aware of a personal data breach, we will act without undue delay to investigate and contain it. Where the breach is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours where required by the GDPR, and will inform affected customers without undue delay so they can meet their own notification obligations.
No system is perfectly secure
International Data Transfers
EngageIQ operates on global cloud infrastructure (AWS) and may process data in regions outside your country of residence, including the United States and the European Union. Where data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and equivalent mechanisms to ensure your data receives an adequate level of protection.
Where available, customers on eligible plans can request data residency in a specific AWS region. Contact us to discuss regional hosting options.
Children’s Privacy
The Services are intended for businesses and are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the dashboard. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us using the details below.
EngageIQ Inc.
2261 Market Street, Suite 5678, San Francisco, CA 94114, USA
Privacy inquiries: privacy@engageiq.com
Data Protection Officer: dpo@engageiq.com
General support: support@engageiq.com
EU & UK representatives
In accordance with Article 27 of the GDPR and the UK GDPR, where required we appoint representatives for data subjects in the EEA and the United Kingdom. Until a local representative is designated for your region, please direct all requests to dpo@engageiq.com and we will route them appropriately.
Read next