🔒  Privacy First

Privacy Policy

We built Mailtohire to help you land jobs — not to profit from your data. Here's exactly what we collect, why, and what we never do.

Effective: January 1, 2025 | Governed by Indian Law | No ads. Ever.

Mailtohire is a job-search outreach platform that helps job seekers in India send personalised cold emails to HR professionals and companies directly from their own Gmail account. This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. By using Mailtohire, you agree to the practices described here.

👁️
Section 01

Overview

Mailtohire is an early-stage product operated by an individual founder based in India. We do not currently operate as a registered legal entity. Once formally incorporated, this policy will be updated with the registered business details. For now, all data-related inquiries can be directed to the contact address at the bottom of this page.

We are committed to handling your information responsibly and in compliance with India's Information Technology Act, 2000, and its associated rules on privacy and sensitive personal data.

Short version: We collect only what's necessary to run the platform. We never sell your data. We never read your Gmail inbox. We never store your email passwords. You can delete your account and all associated data at any time.

📋
Section 02

Data We Collect

We collect information in three ways: what you provide directly, what Google shares with us during OAuth login, and what's generated automatically as you use the platform.

What you provide directly

  • Name, contact number, gender, and years of experience (from your profile)
  • LinkedIn URL, portfolio URL, and resume URL (public links only — we don't store the documents themselves)
  • Professional preferences: skills, roles, preferred cities, industries
  • Email template content that you write

What Google provides during sign-in

  • Your Google account name and profile photo
  • Your Google email address (used as your login identity)
  • OAuth access and refresh tokens — stored AES-256 encrypted; never in plain text

What's generated automatically

  • Coin transaction logs (credits and debits)
  • Campaign configuration and send statistics (how many sent, queued, failed)
  • Email send logs (timestamp, recipient type, template used, status) — recipient email addresses are masked in logs
  • Quick Send history (date, template used, masked recipient)

What we never collect

  • Your Gmail inbox, sent items, or any received emails
  • Credit card numbers, CVVs, or banking details (handled entirely by Razorpay)
  • Your Google account password
  • Device fingerprints, location data, or IP addresses for profiling

📧
Section 03

Gmail Access — How It Works

For Smart Campaigns (automated sending), Mailtohire requests one specific Gmail permission: gmail.send. This is a narrow, write-only scope that allows us to send emails on your behalf. It does not grant access to read, modify, or delete any messages in your inbox.

What we do with Gmail access

  • Compose and send outreach emails from your Gmail account, according to your campaign settings
  • Store your OAuth access and refresh tokens in our database — always AES-256 encrypted, never in plain text
  • Automatically refresh the access token before it expires, without requiring you to re-authenticate

What we never do with Gmail access

  • Read, scan, or analyse any emails in your inbox or sent folder
  • Use your Gmail for any purpose other than sending the emails you configured in Mailtohire
  • Share your Gmail tokens with any third party

You can revoke Gmail access at any time from your Profile page (Disconnect Gmail) or directly from your Google Account settings at myaccount.google.com. Revoking access will pause any active campaigns but will not affect your Mailtohire account or coin balance.

🗂️
Section 04

The HR Catalog

Mailtohire maintains a curated catalog of HR professionals, recruiters, and company career email addresses at Indian tech companies. This catalog is built and maintained manually by our team.

  • Catalog entries are sourced from publicly available professional information
  • Email addresses in the catalog are never shown in full to any user — they are masked in all UI views (e.g., pr******@razorpay.com)
  • Emails are only used server-side when sending your campaign or Quick Send message
  • Cooldown rules prevent any HR from being contacted more than once per platform-wide window, protecting both their inbox and your reputation

For HR professionals: If you are a recruiter or HR manager and wish to have your email address removed from the Mailtohire catalog, please contact us at abcd@gmail.com with the subject line "Catalog Removal Request". We will process your request within 7 business days.

💳
Section 05

Payments & Razorpay

All payment processing on Mailtohire is handled by Razorpay, a PCI-DSS compliant payment gateway. Mailtohire never sees, processes, or stores your credit card, debit card, UPI, or net banking credentials.

What Mailtohire stores after a completed transaction:

  • Razorpay order ID and payment ID (for reference and dispute resolution)
  • Transaction amount, currency (INR), and payment status
  • The plan purchased and coins credited

This information is retained to maintain your coin balance history and for accounting purposes. Razorpay's own privacy policy governs how they handle your payment credentials.

🍪
Section 06

Cookies & Tracking

Mailtohire uses exactly one cookie: a JWT authentication token stored as an httpOnly cookie. This cookie:

  • Is set when you sign in with Google and cleared when you sign out
  • Is marked httpOnly — it is not accessible to JavaScript and cannot be stolen by XSS attacks
  • Contains only your user ID and email — no sensitive personal data
  • Expires after 7 days, requiring you to sign in again

  • We do not use advertising cookies or tracking pixels
  • We do not use analytics cookies (Google Analytics, Mixpanel, etc.)
  • We do not serve ads or allow advertisers to place cookies on Mailtohire

🤝
Section 07

Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • Razorpay — receives transaction details to process your payment. Governed by their privacy policy.
  • Google — receives your OAuth tokens to authenticate login and send emails via the Gmail API.
  • Legal compliance — we may disclose data if required by Indian law, court order, or government authority, to the extent legally mandated.

No other third parties receive your personal data. We do not integrate with advertising networks, data brokers, or marketing platforms.

🗄️
Section 08

Data Retention

We retain your data for as long as your account is active. Specifically:

  • Your profile, templates, and campaign data are retained while your account exists
  • Payment and coin transaction records are retained for a minimum of 3 years for accounting and legal compliance purposes, even after account deletion
  • Email send logs are retained for 12 months, after which they are deleted
  • Gmail OAuth tokens are deleted immediately when you disconnect Gmail or delete your account

⚖️
Section 09

Your Rights

You have the following rights regarding your data on Mailtohire:

  • Access — request a copy of the personal data we hold about you
  • Correction — update or correct your profile information at any time from the Profile page
  • Deletion — request full account deletion by emailing us; we will delete all personal data except legally mandated records within 30 days
  • Gmail Revocation — disconnect Gmail access at any time from your Profile page, without deleting your account
  • Data Portability — request an export of your profile and template data

To exercise any of these rights, email us at abcd@gmail.com. We will respond within 30 days.

🔐
Section 10

Security

We take reasonable technical measures to protect your data:

  • Gmail OAuth tokens are encrypted using AES-256-CBC before storage — the encryption key is never stored in the database
  • All connections are HTTPS-only in production
  • JWT cookies are httpOnly and secure — resistant to XSS and CSRF
  • Database access is restricted to application servers; no public-facing database ports
  • Rate limiting is applied to all authentication endpoints

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to abcd@gmail.com before public disclosure.

📝
Section 11

Changes to This Policy

We may update this Privacy Policy as the product evolves — for example, when we formally incorporate as a business entity. When we make material changes, we will update the effective date at the top of this page.

For significant changes that affect how we handle your data, we will notify you by email (to your Google account email) at least 7 days before the changes take effect. Continued use of Mailtohire after that date constitutes acceptance.

✉️
Section 12

Contact Us

For any privacy-related questions, data requests, or concerns, please reach out:

Get in touch

We typically respond within 2–3 business days. For account deletion or data export requests, please allow up to 30 days for processing.

✉️  abcd@gmail.com