OgBae

Data Processing Agreement

Last updated: February 15, 2026

1. Scope

This Data Processing Agreement ("DPA") applies when OgBae processes personal data on your behalf as a data processor under GDPR or similar data protection laws. You are the data controller. This DPA supplements the OgBae Terms of Service and Privacy Policy.

2. Definitions

Personal Data: Any data relating to an identified or identifiable person, as processed through the Service (e.g., recipient email addresses, names in email content).

Processing: Any operation on personal data, including collection, storage, transmission, and deletion as part of email delivery.

3. Data We Process

When you use OgBae to send email, we process the following personal data on your behalf:

  • Recipient email addresses (to, CC, BCC fields).
  • Sender email addresses.
  • Email subject lines and message content (during transmission).
  • Tracking data when enabled: recipient IP addresses, user agents, device type, country (derived from IP), and timestamps for open and click events.

4. Purpose of Processing

We process personal data solely to provide the email delivery service you have requested: transmitting emails to recipients, recording delivery status, processing tracking events, managing suppressions, and delivering webhook notifications.

5. Security Measures

  • TLS encryption for all data in transit.
  • SHA-256 hashing of passwords, session tokens, and API keys at rest.
  • HMAC-SHA256 signed webhook payloads.
  • Scoped SMTP credentials (transactional/marketing separation).
  • Automatic suppression of bounced and complained-about addresses.

6. Data Retention

  • Email metadata (sender, recipients, subject, status) is retained in your email logs for your reference.
  • Email content (body, attachments) is processed for delivery and not retained after delivery.
  • Tracking events (opens, clicks) are automatically deleted after 30 days.
  • Webhook delivery logs are retained for 30 days.

7. Sub-processors

We use the following sub-processors:

  • Stripe — Payment processing. Processes billing information when you purchase credits.

Email content is transmitted to recipient mail servers as part of standard SMTP delivery. We will notify you before adding new sub-processors.

8. Your Rights

You may request access to, correction of, or deletion of personal data processed on your behalf. You can manage suppressions and email logs through the dashboard. For data export or deletion requests, contact privacy@ogbae.com.

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and provide information about the nature of the breach, the data affected, and the measures taken.

10. Contact

For DPA-related questions, email privacy@ogbae.com.