Last updated: June 2026
Privacy policy
This policy describes how the Spamfilter service handles your personal data. The service is operated by LJPc.
What we process
- Account data: your name, email address, hashed password, optional MFA secret and hashed recovery codes, billing details when you subscribe, and your IP address at significant events (login, password change, contact form submission).
- Domain data: the domains you add, their DNS verification state, your allow and block lists, and the delivery host you configure for relay.
- Mail data: headers and bodies of mail received on your domains, classifier verdicts, and delivery state. The raw MIME blob is kept for as long as the corresponding mail row.
- Operational data: in-app notifications, audit log entries, and application server logs.
Why we process it
To deliver the spam-filter service you signed up for (contract performance, GDPR Art 6(1)(b)), to operate the filter pipeline against incoming spam and phishing (legitimate interest, GDPR Art 6(1)(f)), and to comply with Dutch fiscal record-retention obligations (legal obligation, GDPR Art 6(1)(c)).
Sub-processors
We use the following processors. Each is bound by a data-processing agreement.
- OpenRouter Inc. (United States) for AI-based mail classification. Headers and a sanitized body of each filtered mail are sent to OpenRouter, which routes the request to a model provider (currently Anthropic, OpenAI, or Google). Transfers to the US rely on Standard Contractual Clauses.
- Mollie B.V. (Netherlands) for payment processing when you subscribe.
- LJPc Postfix relay host (EU) for inbound mail receipt and outbound relay.
- LJPc application hosting (Netherlands) for the database, queue, and file storage of the service.
Retention
- Mail successfully delivered to your mail server: retained for the configured inbox window (default 90 days), then hard-deleted.
- Quarantined and cleared mail: retained for the configured quarantine window (default 90 days), then hard-deleted.
- Mail held behind the paywall: retained for the configured held window (default 180 days), then hard-deleted.
- In-app notifications: 90 days.
- Soft-deleted domain rows: indefinitely, minimized to domain name and trial-anchor timestamps. Required for trial-abuse prevention.
- Invoices and order records: 7 years (Dutch fiscal retention obligation).
Your rights
You can request access, rectification, or erasure of your personal data at any time. Account deletion from your profile dashboard hard-deletes your user record, all mail tied to your domains, and all notifications. Soft-deleted domain rows survive (minimized) for trial-abuse prevention. Invoices are retained for fiscal compliance.
For any other data-protection request, contact us via the contact form.
Security
Passwords are hashed with bcrypt. MFA secrets and recovery codes are stored encrypted. The inbound mail webhook is authenticated with a shared secret over HTTPS. The customer portal supports TOTP-based two-factor authentication.