Privacy Policy
This Privacy Notice for Stalwart Labs Ltd (‘we’, ‘us’, or ‘our’) describes how and why we might access, collect, store, use, and/or share (‘process’) your personal information when you use our services (‘Services’), including when you:
- Visit our website at https://stalw.art, or any website of ours that links to this Privacy Notice.
- Register for, manage, or renew a Stalwart Enterprise License at license.stalw.art (the ‘Licensing Portal’).
- Create an account on, or post questions or issues to, our community support forum at support.stalw.art (the ‘Support Portal’), or open a private support ticket through the priority support area within the Support Portal.
- Use Stalwart Mail and Collaboration Server. Stalwart is an open-source mail and collaboration server with JMAP, IMAP4, POP3, SMTP, CalDAV, CardDAV and WebDAV support. It is written in Rust and designed to be secure, fast, and scalable. The server is self-hosted by you on your own infrastructure; for the open-source self-hosted server we do not act as a controller or processor of any data stored within your deployment.
- Engage with us in other related ways, including any sales, marketing, or events.
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
Summary of key points
This summary provides key points from our Privacy Notice. Each topic has a fuller treatment further down the page.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. The categories we collect are listed in Section 1.
Do we process any sensitive personal information? No. We do not request or process special-category personal data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sexual orientation).
Do we collect any information from third parties? No. We do not buy, rent, or otherwise obtain personal information about you from data brokers or other third parties.
How do we process your information? We process your information to provide and administer the Services, to manage your subscription and invoice you, to respond to support requests, to operate the Support Portal, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal basis to do so.
In what situations and with which parties do we share personal information? We share personal information with our payment processor (Stripe, Inc.) to take payment, with our professional advisers and authorities where required by law, and with a successor entity in the event of a corporate transaction. We do not sell personal information. The current list of sub-processors is published in our Sub-processor list.
Are personal data transferred outside the UK or EEA? Yes, in limited cases. Stripe processes payment data in the United States under the EU-US Data Privacy Framework, the UK Extension to that Framework, and the UK International Data Transfer Addendum. See Section 5.
How do we keep your information safe? We use organisational and technical measures appropriate to the risk. No system is 100% secure, but we work to reduce the likelihood and impact of any incident.
What are your rights? Depending on where you are located, applicable privacy law may give you rights of access, rectification, erasure, restriction, portability, and objection. You can exercise rights of access, correction, data export, and account deletion directly from your account settings on license.stalw.art and on support.stalw.art, or by emailing [email protected].
1. What information do we collect?
Personal information you provide to us
We collect personal information that you voluntarily provide to us when you create a Licensing Portal account, register for the Support Portal, contact us, or otherwise interact with the Services.
The personal information we collect, and the surface that collects it, are limited to the following:
Licensing Portal (license.stalw.art):
- name
- company name
- email address
- account password (stored only as a salted hash)
- billing address
- phone number
- tax identification number (such as VAT or equivalent), where required for invoicing
Support Portal (support.stalw.art):
- email address
- display name (optional)
- the questions, issues, replies, and other content you choose to post
Sales and general correspondence:
- the contact details you choose to share with us (typically name, organisation, email address)
- the content of your message
Sensitive Information. We do not request or process sensitive information.
Payment Data. We do not receive or store debit or credit card numbers, card security codes, or bank account numbers. All payment instrument data is collected and stored directly by Stripe, Inc., our payment processor. You may find Stripe’s privacy notice at https://stripe.com/privacy. We receive from Stripe only the limited information necessary to issue receipts and reconcile payments (such as the last four digits of the card, the card brand, and the transaction status).
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
Personal information automatically collected
When you access the Services, we automatically receive limited technical information that your browser or client sends to any server, such as IP address, user-agent string, request path and timestamp. We use this information solely to operate, secure, and troubleshoot the Services (for example, to mitigate abuse and to investigate errors). We do not use it for behavioural profiling or cross-site tracking.
The Support Portal sets a small number of first-party session cookies that are strictly necessary to keep you signed in and to protect against cross-site request forgery. See our Cookies Policy for the full list.
We do not use Google Analytics or any other third-party analytics service on stalw.art, license.stalw.art, or support.stalw.art.
2. How do we process your information?
We process your information for the following purposes, in each case only where we have a valid legal basis (see Section 3):
- To provide and administer the Services. Creating and maintaining your Licensing Portal and Support Portal accounts, issuing and renewing licence keys, and operating the community forum and the priority ticket area.
- To take and reconcile payments. Forwarding the necessary details to Stripe and matching incoming payments to your invoice.
- To respond to enquiries and provide support. Answering questions you post to the Support Portal or send to us by email, and routing them to the right team.
- To send service communications. Notifying you of renewals, scheduled maintenance, security advisories, and material changes to our terms or this Privacy Notice.
- To prevent and investigate abuse and fraud. Including detection of bots and credential-stuffing attempts on the Licensing Portal and the Support Portal.
- To comply with legal obligations. Including tax, accounting, and lawful requests from competent authorities.
We do not use your information for behavioural advertising, automated decision-making with legal or similarly significant effects, or profiling.
3. What legal bases do we rely on to process your information?
If you are located in the EU or UK, the General Data Protection Regulation (GDPR) and the UK GDPR require us to identify our legal basis. We rely on the following:
- Performance of a contract (Article 6(1)(b)): processing necessary to provide the Services to you under our Terms and Conditions and the applicable Stalwart Enterprise License Agreement.
- Legitimate interests (Article 6(1)(f)): operating, securing, and improving the Services, preventing abuse and fraud, and operating a public community forum where you have chosen to post.
- Legal obligation (Article 6(1)(c)): compliance with tax, accounting, and statutory record-keeping requirements; responding to lawful requests from competent authorities.
- Consent (Article 6(1)(a)): processing for any purpose for which we ask you, separately and freely, to opt in. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
If you are located in Canada, we may process your information where you have given us express consent, where consent can be inferred from the context, or in the limited cases where applicable law permits processing without consent (such as fraud prevention, compliance with subpoenas, or where the information is publicly available).
4. Who do we share your personal information with?
We share personal information only with the following categories of recipient, and only to the extent necessary:
- Sub-processors and service providers. We use a small number of vendors to deliver the Services, listed in our Sub-processor list. The principal sub-processor is Stripe, Inc. (payment processing). The Licensing Portal and the Support Portal are operated by Stalwart Labs Ltd from infrastructure located in the United Kingdom; we do not use a third-party hosting partner for either portal.
- Professional advisers and auditors. Lawyers, accountants, and tax advisers, bound by professional confidentiality.
- Authorities. Where we are required by applicable law, court order, or other binding regulatory request to disclose information.
- In a corporate transaction. A successor entity in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, subject to confidentiality protections at least as protective as those in this Privacy Notice.
We do not sell personal information, and we do not share personal information for cross-context behavioural advertising.
Public posts on the Support Portal are public. Any question, reply, or other content you post to the public area of support.stalw.art is visible to anyone on the internet and may be indexed by search engines. Do not include personal data, credentials, configuration secrets, or confidential business information in public posts. The priority support ticket area is private and is visible only to you and to Stalwart staff.
5. International transfers of personal data
Where personal data is transferred from the United Kingdom or the European Economic Area (EEA) to a country that has not been the subject of a UK or European Commission adequacy decision, we put appropriate safeguards in place under Chapter V of the UK GDPR and Chapter V of the EU GDPR.
Our principal cross-border transfer is to Stripe, Inc. in the United States for payment processing. This transfer is covered by:
- the European Commission’s adequacy decision in respect of the EU-US Data Privacy Framework, in which Stripe participates;
- the UK Extension to the EU-US Data Privacy Framework; and
- where required, the European Commission’s Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office.
A copy of the relevant transfer safeguard is available on request to [email protected].
6. How long do we keep your information?
We retain personal information only for as long as necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law.
The retention periods we apply are as follows:
- Licensing Portal account data: for the duration of your active subscription and for six (6) years after your last invoice, to satisfy UK statutory limitation periods (Limitation Act 1980) and HMRC record-keeping requirements (six years from the end of the accounting period).
- Invoices and tax records: six (6) years from the end of the relevant accounting period.
- Support Portal account profile (email, display name): for as long as the account exists. You may delete your account at any time from your Support Portal account settings.
- Support Portal posts (questions, replies, content): by default, posts you make on the public forum remain published after account deletion in pseudonymised form (your display name is replaced and your email is removed) so that the technical answer remains useful to the community. You may request full deletion of any individual post or of all your posts by emailing [email protected].
- Priority support tickets (private): for the duration of your subscription and for two (2) years thereafter, for warranty, audit, and dispute-resolution purposes.
- Server logs (request, security, error): thirty (30) days, then deleted or aggregated.
- General sales and marketing correspondence: twenty-four (24) months from the last interaction, unless a longer period is necessary for an active negotiation or contract.
When the applicable retention period expires, we delete or anonymise the data, or, if this is not possible (for example, because it has been written to a backup), we securely isolate it from active use and delete it on the next backup-rotation cycle.
7. How do we keep your information safe?
We have implemented organisational and technical security measures appropriate to the risk, including encryption of data in transit (TLS), salted password hashing, principle-of-least-privilege access controls for staff, regular dependency and vulnerability scanning, and monitoring of administrative actions on the Licensing Portal and Support Portal. No system is 100% secure, and transmission of personal information to and from the Services is at your own risk.
If you discover a security vulnerability that affects personal information, please report it under our Vulnerability Disclosure Policy.
8. Do we collect information from minors?
The Services are intended for business users and are not directed at children. We do not knowingly collect or solicit personal information from children under the age of sixteen (16), or under any higher age of digital consent set by the law of your country of residence. By using the Services, you confirm that you are at least sixteen years old (or the equivalent age set by your law), or that you are the parent or guardian of such a minor and consent to that minor’s use. If we learn that we have collected personal information from a child under the applicable age, we will deactivate the account and delete the information without undue delay. If you believe we have collected information from a child, please contact [email protected].
9. What are your privacy rights?
If you are located in the United Kingdom, the European Economic Area, Switzerland, or any other jurisdiction whose law provides equivalent rights, you may have the following rights in respect of your personal information:
- the right of access, and to receive a copy of the personal information we hold about you;
- the right to have inaccurate personal information rectified;
- the right to have personal information erased, in the circumstances permitted by law;
- the right to restrict processing, in the circumstances permitted by law;
- the right to data portability, where processing is based on consent or on the performance of a contract and is carried out by automated means;
- the right to object to processing carried out on the basis of our legitimate interests;
- the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not engage in such processing); and
- the right to withdraw consent at any time, where processing is based on consent.
We will respond to a verified rights request within one (1) month of receipt, extendable by a further two months for complex or numerous requests in accordance with Article 12(3) of the UK GDPR / EU GDPR.
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to complain to your supervisory authority, in particular the Member State data protection authority or the UK Information Commissioner’s Office.
If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
Withdrawing your consent
Where we rely on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at [email protected], or where applicable through the relevant setting in your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Account information and deletion
You can review, correct, export, or delete most of your personal information directly:
- Licensing Portal: log in at license.stalw.art and use the account-management area to update your details, download an export, or delete your account.
- Support Portal: log in at support.stalw.art and use the account-management area to update your details, download an export, or delete your account.
If you prefer, you can ask us to do this for you by emailing [email protected]. When you ask us to delete your account, we will deactivate or delete it from our active systems. We may retain a limited subset of information where required to prevent fraud, comply with legal obligations (such as tax records), enforce our terms, or defend legal claims.
If you have questions or comments about your privacy rights, you may email us at [email protected].
10. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track (‘DNT’) feature that you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognising and implementing DNT signals has been finalised. Because we do not engage in cross-site tracking and do not load third-party analytics or advertising trackers, there is currently nothing for us to act on in response to a DNT signal.
We honour the Global Privacy Control (GPC) signal where applicable: because we do not sell or share personal information for cross-context behavioural advertising, no opt-out action is necessary.
11. Do United States residents have specific privacy rights?
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.
Categories of personal information we collect
The categories of personal information we have collected in the past twelve (12) months include identifiers (real name, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name) and commercial information (records of subscriptions purchased). We have not collected personal information in the other categories typically enumerated by US state law (Customer Records statute information, protected classification characteristics, biometric information, internet activity beyond what is required to operate the Services, geolocation, audio/electronic/sensory information, professional or employment-related information, education information, inferences, or sensitive personal information).
We will use and retain identifiers as long as the user has an account with us, plus the period required by tax and accounting law.
Your rights
You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:
- Right to know whether we are processing your personal data.
- Right to access your personal data.
- Right to correct inaccuracies in your personal data.
- Right to request the deletion of your personal data.
- Right to obtain a copy of the personal data you previously shared with us.
- Right to non-discrimination for exercising your rights.
- Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
We do not sell personal information, do not share personal information for cross-context behavioural advertising, and do not use personal information for profiling that produces legal or similarly significant effects. As a result, no opt-out action is necessary for those purposes.
Depending on the state where you live, you may also have the right to access the categories of personal data being processed, to obtain a list of categories of third parties to which we have disclosed personal data, and to limit use and disclosure of sensitive personal data.
How to exercise your rights
To exercise these rights, log in to your account at license.stalw.art or support.stalw.art and use the in-product controls, email us at [email protected], or contact us via stalw.art/contact.
Under certain US state data protection laws, you can designate an authorised agent to make a request on your behalf. We may deny a request from an authorised agent that does not provide proof of authorisation.
Request verification
Upon receiving your request, we will need to verify your identity to confirm that you are the person about whom we hold the information. We will only use personal information provided in your request to verify your identity or authority to make the request.
Appeals
Under certain US state data protection laws, if we decline to take action on your request, you may appeal our decision by emailing [email protected]. We will inform you in writing of the action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If your appeal is denied, you may submit a complaint to your state attorney general.
California ‘Shine The Light’ law
California Civil Code Section 1798.83 permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. We do not share personal information for third-party direct marketing.
12. Do other regions have specific privacy rights?
You may have additional rights based on the country you reside in.
Australia and New Zealand
We collect and process your personal information under the obligations and conditions set by Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020. This Privacy Notice satisfies the notice requirements defined in both Privacy Acts, in particular: what personal information we collect from you, from which sources, for which purposes, and other recipients of your personal information.
If you do not wish to provide the personal information necessary to fulfil the applicable purpose, this may affect our ability to provide our services, in particular to offer you the products or services that you want, respond to your requests, manage your account with us, or confirm your identity and protect your account. At any time, you have the right to request access to or correction of your personal information.
If you believe we are unlawfully processing your personal information, you have the right to submit a complaint about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner and a breach of New Zealand’s Privacy Principles to the Office of New Zealand Privacy Commissioner.
Republic of South Africa
At any time, you have the right to request access to or correction of your personal information. If you are unsatisfied with the manner in which we address any complaint about our processing of personal information, you can contact The Information Regulator (South Africa), general enquiries at [email protected].
13. Do we make updates to this notice?
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated ‘Last Updated’ date at the top of this Privacy Notice. If we make material changes, we will notify you by prominently posting a notice or, where appropriate, by sending you a direct notification. We encourage you to review this Privacy Notice periodically.
14. How can you contact us about this notice?
For questions about this Privacy Notice or to exercise your privacy rights, email us at [email protected] or contact us by post at:
Stalwart Labs Ltd, 128 City Road, London EC1V 2NX, United Kingdom.
For abuse reports, contact [email protected]. For security vulnerability reports, contact [email protected] under our Vulnerability Disclosure Policy.
15. How can you review, update, or delete the data we collect from you?
You can review, update, export, or delete most of the personal information we hold about you directly from your account settings on license.stalw.art and on support.stalw.art, or by emailing [email protected]. We will respond to verified requests within one month of receipt.