Service Privacy Policy

1. About This Document

1.1. GetOnline Ltd trading as 'AuthSMTP' (the "Vendor") provide an authenticated SMTP email relay server along with other ancillary websites and functions (the "Service").

1.2. This page informs you (the "Customer") of the Vendor policies regarding the collection, use, storage and disclosure of Personal Information.

1.3. This Service Privacy Policy is an addendum to the Terms of Service (

2. What this Service Privacy Policy covers

2.1. This Service Privacy Policy applies to any Personal Information that is collected during the term of the Agreement and use of the Service including (but not limited to) the following ancillary websites and functions:

2.2. This privacy policy will cover the key points about your Personal Information (including but not limited to):

  • a. What information is collected
  • b. How and when it is collected
  • c. What processing (if any) will be carried out
  • d. How it is shared or disclosed
  • e. How long we will kept
  • f. Your rights and responsibilities
  • g. Change notification

2.3. This service privacy policy does not cover the following:

  • a. The public Vendor websites
  • b. Third party websites that are linked to from the Vendor websites
  • c. Websites that the Customer is directed to by the Vendor

2.4. If the Customer visits a website referred to in point 2.3, they are subject to the terms & conditions and privacy policy of that website, the Vendor does not accept any responsibility or liability for those third party websites.

2.5. The privacy policy for public Vendor websites is separate from this service privacy policy, it can be found here -

3. What Personal Information is collected

In order to faciliate a Customer account and provide the Service the Vendor collect the following groups of data:

3.1. Customer Account Data

3.1.1. So that the Vendor can personalise your account, contact you and issue documentation / invoices to you; basic data will be collected such as (but not limited to):

  • a. Customer Name
  • b. Company Name & Details (if applicable)
  • c. Postal Address
  • d. Contact Email Addresses

3.2 Financial Data

3.2.1. Whenever the Customer submits a payment to the Vendor or the Vendor issues a credit, the Vendor will collect separately from the customer account data, details for each transaction such as (but not limited to):

  • a. Date / Time
  • b. Amount & Currency
  • c. Description
  • d. Payer Name
  • e. Payer Postal Address
  • f. Payer Email Address

3.3 Customer Communication

3.3.1. Whenever the Customer contacts the Vendor directly via email or via the Vendor websites for support or other account related activities, the Vendor will retain copies of those messages and any subsequent replies including (but not limited to) the following information about each message:

  • a. Date / Time
  • b. From Address
  • c. Contact Name
  • d. Message Subject
  • e. Message Body

3.4. Network Connection Logs (with successful authentication challenge)

3.4.1. Whenever a Customer connects to the Vendor network and completes a successful authentication attempt, the Vendor will collect information such as the following (but not limited to):

  • a. SMTP Username
  • b. Date / Time
  • c. Source IP Address
  • d. Summary of Event

3.5. SMTP Message Submission

3.5.1. Whenever a Customer submits a message to the Vendor network, the Vendor will collect information such as the following (but not limited to):

  • a. Date / Time
  • b. Source IP
  • c. From Address
  • d. Recipient Addresses
  • e. Message Subject
  • f. Message Body

3.5.2. The message body will be deleted from the Vendor network once the message is delivered, the Vendor does not store any message body data on a permanent basis unless that information is supplied by a third party via other means. Further information can be found in the Data Retention Policy under 'Micellaneous Data'.

3.6. SMTP Message Delivery

3.6.1. Whenever a Customer message is delivered, the Vendor we will collect information such as the following (but not limited to):

  • a. Date / Time
  • b. From Address
  • c. Recipient Addresses
  • d. Delivery Response

3.7. Detailed Information

3.7.1. The full Vendor data retention policy can be found on

4. Sensitive Personal Information

4.1. Under no circumstances should the Customer provide the Vendor with any information that would be classed as Sensitive Personal Information as defined in article 9 of the GDPR regulations, this includes but is not limited to:

  • a. Race
  • b. Ethnic origin
  • c. Political views
  • d. Religious views
  • e. Trade union membership
  • f. Genetic data
  • g. Biometric data
  • h. Health data
  • i. Sexual orientation

4.2. Where there is doubt, the Customer should contact the Vendor for assistance.

5. How Personal Information is collected

5.1. The are 4 primary ways that information will be collected:

  • a. When the Customer specifically passes information to the Vendor via the website or a direct email message
  • b. When the Customer crries out a financial transaction with the Vendor
  • c. When the Customer uses the Service, all activity will automatically be logged to text based log files and / or a database
  • d. When the Customer transfers data to the Vendor network in the form of a message via the SMTP protocol for delivery to a recipient

6. How Personal Information is processed

6.1. The Vendor will only process Customer Personal Information in the following circumstances:

  • a. To create, renew or upgrade the Customer account
  • b. To update the configuration of the Customer account
  • c. To perform a financial transaction on the Customer account
  • d. To provide support to the Customer when they are using their account
  • e. To accept or deliver an email message set through the Customer account
  • f. Periodic Customer account reviews to monitor reputation and compliance with Terms of Service

6.2. The Vendor reserves the right to collect, process and analyze non-personally identifiable data or information from the network in order to carry out internal business processes such as (but not limited to) network troubleshooting, performance testing and product development.

7. Why Personal Information is processed

7.1. With the exception of clause 6.2, the Vendor only processes Personal Information in order to provide the Service to the Customer under the Service Agreement, meet legal obligations and to comply with the applicable laws.

8. Legal basis for processing Personal Information

8.1. The primary legal basis under which the Vendor processes Personal Information is 'contractual'.

8.2 The Vendor will minimize the types and amount of personal data that is collected, processed and stored, whenever possible.

8.3. There are a number of secondary cases where the Vendor will process Personal Information on a different legal basis:

  • a. Financial data which will be processed on a 'legal' basis.
  • b. Marketing emails will be only be sent based on 'consent' basis.
  • c. There may be occasions where the Vendor have to process additional information on a different basis, the basis on which that will be processed will be notified prior to the processing activity.

9. Processing by Contracted Processors (Sub-Processors)

9.1. To provide the Service, third party companies may be contracted and will process Personal Information, in the context of this Service Privacy Policy they will be known as 'Sub-Processors'.

9.2. Appropriate data processing agreements will be agreed between the Vendor and all Sub-Processors prior to the commencement of processing.

9.3 Any changes to the list of Sub-Processors (section 9.4) will be notified using the following methods:

9.3.1. If a data processing agreement has been mutually signed by the Vendor and the Customer; the Customer will be given at least 30 days notice prior to the effective date, notice will be issued via email to the admin email address on the account.

9.3.2. If a data processing agreement has not been mutually signed by the Vendor and the Customer; the Service Privacy Policy will be updated at least 30 days prior to the effective date.

9.4. The following Sub-Processors are currently contracted:

EntityPurposeLocationEffective Date
Amazon Web Services, Inc.Cloud-based Infrastructure Hosting ProviderLondon, UK25th March 2022

10. Use of children's Personal Information

10.1. The service is primarily a business to business service, in order to be eligible to use our service the Customer must be aged 18 or over.

11. Sharing and disclosure of Personal Information

11.1 The Vendor will not share or disclose Personal Information about any users of the Service unless it is required as part of providing the service or the Vendor is directed to by a government authority and it is required by the applicable laws.

12. How to change or revoke consent

12.1. The service is provided to the Customer on a contractual basis, the Vendor will only process Personal Information as described and required by the service contract - it is not possible to revoke consent unless you cancel the contract.

12.2. The Customer can withdraw consent to receive marketing emails via the 'Preferences' page in the control panel.

13. Customer Rights

13.1. The right to be informed

13.1.1. The Customer has the right to be informed about the collection and use of their personal data.

13.1.2. This Service Privacy Policy and the Data Retention Policy detail what Personal Information is collected, how it is processed and how long it will be kept for.

13.2. The right of access

13.2.1. The Customer has the right to request a copy of all of the personal data that is held about them, for more information see Data Subject Access Request

13.3. The right to rectification

13.3.1. The Customer has the right to have inaccurate personal data rectified, or completed if it is incomplete.

13.3.2. Any discrepancies in the personal data held by the Vendor can be rectified upon request wherever possible.

13.4. The right to erasure

13.4.1. The Customer has the right to request the deletion any personal data held about them by the Vendor, see: Data Deletion Access Request

13.5. The right to restrict processing

13.5.1. The Customer has the right to request the restriction or suppression of their personal data.

13.5.2. The personal data held by the Vendor is kept to the absolute minimum required to provide the service which is offered, similarly the Vendor does not do any unncessary processing of Personal Data other than to provide the Service itself.

13.6. The right to data portability

13.6.1. The Customer has the right to receive a copy of their data in a portable format so that it can be re-used with another provider. For more information about exporting data and how it will be presented, see: Data Subject Access Request.

13.7. The right to object

13.7.1. The Customer has the right to object to the processing of of Personal Information in certain circumstances. The Vendor only processes Personal Information as described in the Service Agreement.

13.8. Rights in relation to automated decision making and profiling

13.8.1. The Vendor does not make any automated decisions or carry out any profiling of Personal Data that will have any significant or legal implications for the Customer unless it is in the interests of preventing fraudulent or abusive use of the service which may contravene the Terms of Service or obligations under UK law.

14. Website Cookies

14.1. The Vendor's Customer control panel uses cookies for technical functionality only, it is not used for tracking or marketing purposes and the data is not shared with any third parties.

14.2. The applicable cookie policy can be found on the here -

15. How Personal Information is kept secure

15.1. The Vendor follows all industry standard practices in order to secure the network and Personal Data including (but not limited to):

  • a. All network points are hosted in state-of-the-art, PCI compliant data centres
  • b. Multiple geographic diverse data centre locations for optimal redundancy and availability
  • c. Layered network firewalls and intrusion detection systems
  • d. The use of current and up-to-date hardware, software and operating systems
  • e. Industry standard practices for monitoring for and defending against potential system weaknesses and exploits
  • f. Making available and encouraging use of encryption protocols when making connections to the network
  • g. Physical and application layer access restrictions
  • h. Data encryption

16. How long Personal Information is retained

16.1. The Vendor Data Retention Policy details all of the Personal Information that is stored and how long it is stored for, see: Data Retention Policy.

17. Questions about privacy and Personal Information

17.1. For any questions or concerns about privacy or Personal Information, a support ticket should be raised via the control panel or email [email protected] directly.

18. Changes to this policy

18.1. This policy is effective as of ​the 25th of May 2018 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

18.2. The Vendor reserves the right to update or change the policy at any time.

18.3. If a data processing agreement has been mutually signed by the Vendor and the Customer; the Customer will be given at least 30 days notice prior to the effective date of the change, the notice will be issued via email to the admin contact email address on the account.

18.4. If a data processing agreement has not been mutually signed by the Vendor and the Customer; the Vendor will endeavour to notify the customer by placing a prominent notice in the control panel.

18.5. The Visitor of this page should check this policy periodically for changes. The continued use of the Website and / or Service after the Vendor posts any modifications to the policy on this page will constitute the Visitors acknowledgment of the modifications and consent to abide and be bound by the modified policy.

19. Current Version

19.1. The version reference for this service privacy policy is:

SPP-1.1.0 (last updated 25th of February 2022)