Skip to content

Shroud.email customer privacy notice

Registered name: Working Hypothesis Ltd

We are the controller of your personal data. For more information on controllers and their responsibilities please see our guidance on data protection principles, definitions, and key terms.

This privacy notice tells you what to expect us to do with your personal information.

Contact details

Email
contact@shroud.email

What information we collect, use, and why

We collect or use the following information to provide services and goods, including delivery:

  • Names and contact details
  • Addresses
  • Purchase or account history
  • Account information
  • Information relating to compliments or complaints
  • Email aliases, custom domains, and the sender, recipient and content of emails processed to forward messages and filter spam.

We collect or use the following information for the operation of customer accounts and guarantees:

  • Names and contact details
  • Addresses
  • Purchase history
  • Account information, including registration details
  • Information used for security purposes
  • Email aliases, custom domains, forwarding settings and blocked-sender lists.

We collect or use the following information for service updates or marketing purposes:

  • Names and contact details
  • Marketing preferences
  • Records of consent, where appropriate

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide services and goods are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
    • Spam detection, abuse prevention, protecting deliverability, service security and troubleshooting.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
    • Authentication security, fraud prevention, enforcing fair-use rules and investigating misuse.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for service updates or marketing purposes are:

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

Where we get personal information from

  • Directly from you
  • Suppliers and service providers
  • Third parties:
    • People who email a Shroud.email alias provide sender details, message headers, content and attachments. Recipients can also provide information through replies.

How long we keep information

Email being delivered
We keep message content only until delivery succeeds or delivery attempts end.
Spam
We keep a message identified as spam until you delete it or for seven days, whichever happens first.
Account information
We keep account information while your account exists. Aliases, custom domains and their settings are deleted from active systems when you delete the item or your account.
Support and security information
We keep this information while your account exists or while it is reasonably needed to resolve a complaint, protect the service or meet a legal obligation.
Newsletter information
We keep your subscription until you unsubscribe. We may keep a minimal suppression record so we honour your choice not to receive further marketing.

Any residual copies in routine backups are isolated from ordinary use and disappear when those backups are overwritten.

Who we share information with

Data processors

Hetzner Online GmbH

Hosts our application, databases and email infrastructure. It stores and processes account information, aliases, domains, settings, security logs and spam messages retained by the service.

Bunny.net

Provides content delivery, web application firewall (WAF), and bot protection for our marketing website and application.

Astrodon Corporation, trading as Loops

Manages newsletter subscriptions and sends our optional marketing emails. It processes subscriber email addresses, subscription preferences, consent and unsubscribe records.

Functional Software, Inc., trading as Sentry

Monitors application errors so we can troubleshoot and maintain the service. Error reports may include technical diagnostic and account information.

Others we share personal information with

  • Relevant regulatory authorities
  • Organisations we’re legally obliged to share personal information with
  • Suppliers and service providers
  • Other relevant third parties:
    • Paddle.com Market Ltd — our merchant of record. It handles payments, tax, fraud checks and refunds, and shares subscription details and billing postcode with us.
    • Email service providers, mail servers and intended recipients worldwide. We share sender and recipient addresses, message headers and email content with these parties as necessary to route and deliver emails at the user’s request.

Sharing information outside the UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

Organisation name: Hetzner Online GmbH

Category of recipient: Cloud hosting and data-centre provider

Country the personal information is sent to: Germany

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Organisation name: Astrodon Corporation, trading as Loops

Category of recipient: Email marketing provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Organisation name: Functional Software, Inc., trading as Sentry

Category of recipient: Application error-monitoring provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

How to complain

If you have any concerns about our use of your personal information, you can make a data protection complaint to us:

Email: contact@shroud.email

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint