QubrixMailQubrixMail
Dashboard →
Docs Navigation
Security & Privacy

Data & Privacy

How QubrixMail handles and protects your data — exactly what is stored, for how long, and what gets deleted automatically.

🏆

Your data belongs to you

The client information you upload — names, email addresses, messages — is yours. We do not sell it, share it with advertisers, or use it for any purpose other than sending the emails you approve.

What we store

Kept permanently (account lifetime)

  • Your account and company details
  • Contact list (names, emails, health status)
  • Sent email records (to, date, subject — not body)
  • Analytics event logs (EmailEvent, AiUsageLog)

Deleted immediately after email sends

  • Draft email subject and body — cleared immediately on approval + send

Deleted after processing

  • Uploaded Excel files — deleted from disk after rows are imported

Deleted after 30 days

  • Failed job queue entries
  • Draft bodies that were not purged on send (fallback cleanup)

Deleted after 90 days

  • Agent activity logs

Your API Keys

If you use Standard plan with your own email provider API key:

  • Key is encrypted with AES-256-GCM before storage
  • Never stored in plain text — ever
  • Only last 4 characters shown in the UI
  • Decrypted in server memory only, at send time
  • You can revoke at any time by deleting the key at your provider and replacing it in Settings

See API Key Security for full technical details.

Your Email OAuth

For Gmail and Outlook connections:

We store an OAuth token — not your password
Token only has permission to send emails — not read your inbox
Revoke access anytime from your Google or Microsoft account settings

Multi-Tenant Isolation

Every database query is scoped by your company ID. No user can access another company's data, even with direct API calls — the server enforces this on every request, not just the frontend.

Team & Role Security

If you are on a plan with team members:

Each team member has their own account with their own credentials — no shared passwords
Role permissions are enforced server-side — they cannot be bypassed from the browser
Viewers cannot approve or take any action on emails, even with direct task URLs
All team actions (approvals, rejections, role changes) are logged in the audit trail
Removing a team member immediately revokes their access

How to stay safe as a user

Use a strong, unique password for your QubrixMail account
Only connect your own business email — not a personal or shared account
If you suspect unusual activity, contact contact@qubrixmail.com immediately
When leaving a role or company, disconnect your email before handing over the account

Questions about our security practices?

contact@qubrixmail.com

Can't find what you need?

Visit our Help Centre or contact the support team — we respond within one business day.

Help CentreContact Support