Data Processing Agreement

Last updated: July 15, 2026

1. Scope

This Data Processing Agreement ("DPA") applies when OgBae processes personal data on your behalf as a data processor under GDPR or similar data protection laws. You are the data controller. This DPA supplements the OgBae Terms of Service and Privacy Policy.

2. Definitions

Personal Data: Any data relating to an identified or identifiable person, as processed through the Service (e.g., recipient email addresses, names in email content).

Processing: Any operation on personal data, including collection, storage, transmission, and deletion as part of email delivery.

3. Data We Process

When you use OgBae to send email, we process the following personal data on your behalf:

  • Recipient email addresses (to, CC, BCC fields).
  • Sender email addresses.
  • Email subject lines and message content (during transmission).
  • Tracking data when enabled: recipient IP addresses, user agents, device type, country (derived from IP), and timestamps for open and click events.

4. Purpose of Processing

We process personal data solely to provide the email delivery service you have requested: transmitting emails to recipients, recording delivery status, processing tracking events, managing suppressions, and delivering webhook notifications.

5. Security Measures

  • TLS encryption for all data in transit.
  • Bcrypt password hashing and purpose-appropriate one-way storage for session tokens and API keys.
  • HMAC-SHA256 signed webhook payloads.
  • Scoped SMTP credentials (transactional/marketing separation).
  • Automatic suppression of bounced and complained-about addresses.

6. Data Retention

  • Email and operational logs are normally retained for 90 days.
  • Email content and attachments are transiently retained through queue, scan, retry and delivery; hosted mailbox content persists until deletion.
  • Tracking events (opens, clicks) are automatically deleted after 30 days.
  • Webhook delivery logs are retained for 30 days.

7. Sub-processors

We use the following sub-processors:

  • Razorpay — Payment processing where applicable. It processes payer and payment-method information; OgBae stores transaction and invoice references.
  • OVHcloud — Compute and network infrastructure used to operate the service.
  • Tringify OAuth — Optional identity proof for sign-in.

Email content is transmitted to recipient mail servers as part of standard SMTP delivery. We will notify you before adding new sub-processors.

8. Your Rights

You may request access to, correction of, or deletion of personal data processed on your behalf. You can manage suppressions and email logs through the dashboard. For data export or deletion requests, contact privacy@ogbae.com.

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and provide information about the nature of the breach, the data affected, and the measures taken.

10. Contact

For DPA-related questions, email privacy@ogbae.com.