1. Who we are
TheStuHub Mail Tracker (the “Service”) is operated by TheStuHub (“we”, “us”, “our”). Questions or requests about this policy can be sent to hello@thestuhub.com.
2. Scope
This Privacy Policy applies to mailtracker.thestuhub.com (marketing site), app.mailtracker.thestuhub.com (dashboard), api.mailtracker.thestuhub.com (API), and the TheStuHub Mail Tracker Chrome extension. It explains what we collect when you use any of these surfaces.
3. Data we collect
3.1 Information you give us directly
- Account information — your full name, email address, and a password (stored only as a one-way bcrypt hash; we never see or store your plaintext password).
- Billing information — when you subscribe to a paid plan, payment is handled by Stripe. We never receive or store your card numbers; we only receive a subscription identifier and the plan tier.
- Support correspondence — anything you write to us by email.
3.2 Data the Service collects when you track an email
When you compose a new email in Gmail and switch the “Track” toggle on, the extension records the following metadata about that specific message:
- The recipient email address(es)
- The subject line
- The send timestamp and any subsequent open/click timestamps
- The URL of any links you also enabled link-tracking on
- The IP address and User-Agent string of whoever (or whose mail client's image proxy) loads the tracking pixel — used to estimate location and device type for the analytics dashboard, and to filter obvious bots
We do not store the body of your emails. Ever. The extension reads the recipient and subject from Gmail's compose UI and inserts a 1×1 tracking pixel into the message you send — but the body of the message goes straight from Gmail to the recipient. It does not pass through our servers, is not retained, and is not accessible to us under any circumstance.
3.3 Automatic technical telemetry
- Aggregated request logs (HTTP method, path, status code, duration) for our own debugging and abuse-prevention.
- Error traces from the dashboard and extension when something unexpected happens.
- The Service does not use third-party analytics (Google Analytics, Segment, Mixpanel, etc.) on the marketing site or dashboard at this time.
4. How we use the data
- To run the Service (deliver tracking pixels, store events, render dashboards).
- To send you product notifications (e.g., “Sarah just opened your email”).
- To process billing and send transactional receipts via Stripe and SendGrid.
- To prevent abuse (rate limiting, bot detection, fraud).
- To improve the Service through aggregated, non-identifying performance metrics.
- To respond to support requests.
We do not use your data for advertising and we do not sell or rent personal information.
5. Legal bases for processing (GDPR / similar regimes)
If you are in a jurisdiction with comparable rules (EEA, UK, etc.), our legal bases are:
- Performance of contract — to provide the Service you signed up for.
- Legitimate interest — security, abuse prevention, and aggregate product improvement.
- Consent — for optional notifications you opt into. You can withdraw consent at any time in your account settings.
- Legal obligation — billing records and tax compliance.
6. Sub-processors and third parties we share data with
We use a small number of trusted infrastructure providers:
- Oracle Cloud Infrastructure — hosts our application servers and database.
- Stripe — handles all card payments and billing. Subject to Stripe's privacy policy.
- SendGrid (Twilio) — sends transactional notification emails.
- Cloudflare / DNS provider — DNS resolution and TLS protection.
Each of these processes data only on our instructions and only to deliver the function listed above.
7. International data transfers
Although TheStuHub operates from the Islamic Republic of Pakistan, the infrastructure providers above operate globally. By using the Service you understand that your data may be processed in countries outside Pakistan, including the United States and the European Union, under each provider's standard contractual safeguards.
8. Data retention
- Tracked email events — retained according to your plan's history window: 7 days on the Free plan, 90 days on Pro, 1 year on Business, and unlimited on Enterprise.
- Account data — retained while your account is active and for 30 days after deletion to allow recovery, then permanently erased.
- Billing records — retained for 7 years to comply with tax law in our operating jurisdictions.
- Server logs — retained for 30 days, then rotated out.
9. Your rights
Depending on where you live, you may have some or all of the following rights over the personal data we hold about you:
- Access — get a copy of the data we have about you.
- Rectification — correct anything that's wrong.
- Erasure — ask us to delete your account and associated data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — at any time, for anything you previously opted into.
- Complaint to a supervisory authority — if you believe we've mishandled your data.
To exercise any of these rights, email hello@thestuhub.com. We'll respond within 30 days.
10. Cookies and local storage
The Service uses a minimal set of browser storage:
- Authentication tokens (JWT access + refresh) — stored in the dashboard and the Chrome extension so you stay signed in.
- Theme preference (emailtracker:theme) — stored in localStorage so dark/light mode persists across visits.
- No third-party cookies, no advertising trackers, no fingerprinting on the marketing site or dashboard.
11. Security
We take the following measures to keep your data safe:
- Passwords stored only as one-way bcrypt hashes (never plaintext).
- All traffic between you and our servers uses TLS 1.2+ (HTTPS / WSS).
- JWT access tokens with short lifetimes (30 minutes) and rotation on refresh.
- Per-IP and per-account rate limiting on authentication endpoints.
- Bot detection on tracking pixel events to prevent skewed analytics.
- As a defensive design choice, we never persist email body content anywhere — so a breach cannot expose what you wrote.
12. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has registered, email hello@thestuhub.com and we will delete the account.
13. Changes to this policy
We may update this policy from time to time. We'll post the new version on this page and update the “Last updated” date. If the change materially affects how we handle your data, we'll also notify you by email at least 14 days before the change takes effect.
14. Contact
Questions, requests, or anything else? hello@thestuhub.com.
