GDPR & Privacy
MailTrixy includes built-in tools to help you comply with GDPR, CAN-SPAM, and other privacy regulations. This page covers data export, deletion, and compliance features.
Data Export
Users can request a full export of their personal data as required by GDPR Article 20 (Right to Data Portability). The export is delivered as a streaming JSON file containing all user data.
What Is Included
- User profile — Name, email, phone, avatar, preferences, and account settings.
- Contacts — All contacts created by the user, including custom fields and tags.
- Conversations — All conversations the user participated in, with full message history.
- Email data — Sent and received email metadata (subject, timestamps, recipients). Email body content is included if configured.
- Campaigns — Campaign configurations, recipient lists, and analytics.
- Workflows — Workflow definitions and execution logs.
- AI interactions — AI conversation history and generated replies.
- Activity logs — All actions performed by the user within the workspace.
How to Export
- Navigate to Settings → Privacy → Export My Data.
- Click Request Data Export.
- The system generates a streaming JSON export in the background.
- You will receive an email notification when the export is ready for download.
- Download links expire after 48 hours for security.
// Export is streamed as JSON to handle large datasets
// without running into memory limits
{
  "export_date": "2026-03-25T10:00:00Z",
  "user": { "name": "John Doe", "email": "john@example.com", ... },
  "contacts": [ ... ],
  "conversations": [ ... ],
  "campaigns": [ ... ],
  "workflows": [ ... ],
  "ai_interactions": [ ... ],
  "activity_logs": [ ... ]
}
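One way to enforce the 48-hour expiry on export download links, shown as an added example rather than MailTrixy's own code: the link carries an HMAC over the export ID, the requesting user and the expiry time, and the server rejects it once the expiry has passed or when a different account presents it. The function names, parameters, URL and signing key are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

LINK_TTL_SECONDS = 48 * 3600  # the 48-hour expiry stated in the steps above
# Assumption: a random server-side secret kept outside the code base.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _sign(export_id: str, user_id: str, expires: int) -> str:
    # Sign export, owner and expiry together so none of the three can be
    # changed without invalidating the link. JSON keeps field boundaries clear.
    msg = json.dumps([export_id, user_id, expires]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_download_url(base: str, export_id: str, user_id: str, now: int) -> str:
    expires = now + LINK_TTL_SECONDS
    query = urlencode({
        "export": export_id,
        "expires": expires,
        "sig": _sign(export_id, user_id, expires),
    })
    return f"{base}?{query}"


def verify_download_url(url: str, session_user_id: str, now: int) -> bool:
    params = parse_qs(urlparse(url).query)
    try:
        export_id = params["export"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    # The owner comes from the authenticated session, never from the URL,
    # so a forwarded or leaked link does not verify for another account.
    expected = _sign(export_id, session_user_id, expires)
    # Constant-time comparison, done before the expiry value is trusted.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return now < expires
```
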
Account Deletion
Users can request permanent deletion of their account and all associated data, in compliance with GDPR Article 17 (Right to Erasure). Account deletion includes a configurable grace period.
- Grace period — By default, account deletion is scheduled 30 days in the future. During this period, the user can cancel the deletion request by logging back in.
- Immediate deletion — Admins can process immediate deletion from the admin panel if requested.
- Data purged — All user data, including profile, contacts, conversations, emails, campaigns, workflows, AI data, and uploaded files, is permanently deleted.
- Workspace impact — If the user is the sole owner of a workspace, the entire workspace and all its data will be deleted. For workspaces with multiple owners, ownership is transferred instead.
- Audit trail — A minimal anonymized record is kept to prove that the deletion was processed (deletion date, anonymized ID), as permitted by GDPR for legal compliance.
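The deletion lifecycle described above as an added example, not MailTrixy's own code: a request is scheduled 30 days out, a login inside the window cancels it, and processing a due request purges the data and leaves only a date and a keyed-hash identifier. All names, the `purge` callback and the pepper value are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

GRACE_PERIOD = timedelta(days=30)  # default grace period stated above
# Assumption: a secret stored outside the database that gets purged.
AUDIT_PEPPER = b"constructed-demo-pepper"


@dataclass
class DeletionRequest:
    user_id: str
    requested_at: datetime
    purge_after: datetime
    cancelled: bool = False


def request_deletion(user_id: str, now: datetime, immediate: bool = False) -> DeletionRequest:
    # immediate=True models the admin-initiated path with no grace period.
    delay = timedelta(0) if immediate else GRACE_PERIOD
    return DeletionRequest(user_id, now, now + delay)


def on_login(req: DeletionRequest, now: datetime) -> DeletionRequest:
    # Logging back in during the grace period cancels the request.
    if now < req.purge_after:
        req.cancelled = True
    return req


def anonymized_id(user_id: str) -> str:
    # Keyed hash: an unkeyed SHA-256 of a user ID or e-mail address can be
    # matched again simply by hashing candidate values.
    return hmac.new(AUDIT_PEPPER, user_id.encode(), hashlib.sha256).hexdigest()


def process_due(req: DeletionRequest, now: datetime,
                purge: Callable[[str], None]) -> Optional[dict]:
    if req.cancelled or now < req.purge_after:
        return None
    purge(req.user_id)  # caller-supplied routine that removes the user's data
    # The audit record holds only what the page lists: date and anonymized ID.
    return {"anonymized_id": anonymized_id(req.user_id),
            "deleted_at": now.date().isoformat()}
```
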
Account Deactivation
As an alternative to permanent deletion, users can deactivate their account. Deactivation preserves data but prevents access.
- Deactivated accounts cannot log in or access any workspace resources.
- All API tokens are automatically revoked upon deactivation.
- Email sync is paused for all connected accounts.
- Active workflows are paused.
- Scheduled campaigns are cancelled.
- The account can be reactivated at any time by the user (via email verification) or by a workspace admin.
Cookie Consent
MailTrixy includes a built-in cookie consent banner that complies with EU ePrivacy Directive requirements. The banner is displayed to all users on their first visit and allows them to accept or reject non-essential cookies.
- Essential cookies — Session cookies and CSRF tokens are always enabled (required for application functionality).
- Analytics cookies — Optional cookies for usage tracking (disabled by default until consent).
- Preference cookies — Theme preferences, sidebar state, and other UI preferences.
- Cookie preferences can be changed at any time from the footer link "Cookie Settings".
- The consent banner text, colors, and position are customizable from the admin panel.
Privacy Policy Requirements
If you operate MailTrixy as a SaaS (Extended License), you must publish a privacy policy that covers:
- What personal data is collected and why.
- How data is stored and protected (encryption, access controls).
- Third-party services that process data (AI providers, email services, payment gateways).
- User rights regarding their data (access, export, deletion, portability).
- Data retention periods.
- Contact information for the Data Protection Officer (if applicable).
- How to file a complaint with a supervisory authority.
MailTrixy provides a customizable privacy policy template at resources/views/legal/privacy-policy.blade.php that you can adapt to your specific use case.
CAN-SPAM Compliance
MailTrixy enforces CAN-SPAM Act requirements for all outgoing marketing campaigns:
- Unsubscribe link — Every campaign email automatically includes a one-click unsubscribe link. This cannot be removed.
- Physical address — Campaign emails include the workspace's physical mailing address in the footer.
- Accurate headers — The "From" name and email must match the sending account. Spoofed headers are not allowed.
- Subject line honesty — The system flags potentially misleading subject lines (e.g., "RE:", "FWD:") in new campaigns.
- Unsubscribe processing — Unsubscribe requests are processed immediately. Unsubscribed contacts are automatically excluded from all future campaigns.
- Suppression list — A global suppression list prevents sending to addresses that have unsubscribed from any campaign in the workspace.
Data Processing Agreement
If you use MailTrixy to process personal data of EU residents on behalf of your clients (as a data processor), you may need a Data Processing Agreement (DPA). Key considerations:
- Self-hosted — Since MailTrixy is self-hosted, you are both the data controller and processor. You control where data is stored and who has access.
- Sub-processors — Document any third-party services that process data (AI providers like OpenAI, payment gateways, email delivery services).
- Data location — Data is stored on your own servers. Choose a hosting location that complies with your data residency requirements.
- Breach notification — MailTrixy logs all authentication events and data access for audit purposes. Configure email alerts for suspicious activity.
- DPA template — A customizable DPA template is provided at resources/views/legal/dpa.blade.php.