Privacy Policy

Updated June 12, 2026

XOXO is operated by Supertape, LLC, doing business as XOXO Email (“we”, “us”, and “our”). The short version: our marketing analytics are cookieless, we don’t sell data or share it for ads, and XOXO is built around consent-based email.

When you close an account, we delete XOXO live data right away and clean up provider records where we can, with limited exceptions for backups, delivery, billing, support, security, abuse, and legal records.

Scope

This policy covers the personal data we collect from XOXO account holders — the people who create and send newsletters — from people who join our waitlist, and from visitors to our website. Account holders are “you” throughout this policy.

If you’re a newsletter subscriber rather than an account holder, see For subscribers below.

This policy doesn’t cover the data you collect from your own subscribers. You’re responsible for your own data practices and should maintain your own privacy policy.

Where we handle subscriber data — delivering your emails, recording engagement — we do it on your behalf, under the Data processing section of our Terms of Service. Questions from your subscribers about their data should go to you.

Data we collect

  • Waitlist data — If you join the waitlist, we collect your email address so we can confirm your request and let you know when you can use XOXO.
  • Account data — When you create an account, we collect your name and email address, account and team settings, connected apps, sending settings, and the physical mailing address you set for sending (anti-spam laws require one in every email).
  • Newsletter and form data — We store the emails, hosted forms, images, uploads, custom fields, tags, groups, imports, and settings you create or upload in XOXO.
  • Payment data — Payments are processed by Stripe on their site; your card details never touch our servers. Stripe’s privacy policy applies to payment data.
  • Technical data — We collect basic technical information when you use XOXO, such as your IP address, browser type, logs, device and request data, and usage patterns. We use this to keep the service running, secure it, and understand how people use it.
  • Site analytics — Our public marketing pages use cookieless analytics to count visits: pages viewed, referrer, and rough location derived from your IP address. We don’t use this to identify you.
  • Product analytics — Inside the XOXO app, we use cookieless product analytics tied to your user and account so we can understand usage, debug product flows, and improve the service. We don’t use session replay, advertising pixels, or ad targeting.
  • Support and error data — If you contact support or hit an error, we may receive your account context, messages, logs, browser details, and the information needed to troubleshoot.
  • Subscriber data — We process subscriber email addresses, custom fields, tags, groups, source data, import data, and delivery or engagement data on your behalf. You’re responsible for what you collect from subscribers and how you use it.

How we use data

We use the data we collect to:

  • Operate and improve the XOXO service
  • Deliver newsletters and track engagement on your behalf
  • Manage the waitlist and account access
  • Email you about your account and about XOXO itself
  • Respond to support requests
  • Generate subject lines or preview text when you ask us to
  • Review sends for spam, abuse, and deliverability risk
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

Most emails we send are about your account — things like billing, subscriber limits, and changes to your plan.

We may also email you about XOXO itself, such as tips for getting started or news about features and plans. Every one of those includes an unsubscribe link, and opting out doesn’t affect the account emails we need to send to run the service.

Email tracking

For newsletters sent through XOXO, we record delivery and engagement signals: delivery, bounce, complaint, unsubscribe, open, click, and like timestamps, plus aggregate counts and rates. Opens are detected with a tracking pixel and clicks by routing links through a redirect.

Our email delivery provider sends us technical details such as IP address and user agent with engagement events. We use those details to filter out bots and automated privacy prefetches, then store the event timestamp rather than the IP address or device details. Subscribers can prevent open tracking by disabling image loading in their email client.

Data sharing

We share data only with the service providers we need to operate XOXO:

  • Postmark — email delivery
  • Stripe — payments
  • Render — application hosting
  • Cloudflare — website, image, and upload hosting
  • Sentry — error reporting
  • OpenPanel — analytics
  • Plain — customer support
  • Iframely — link previews
  • Google — sign-in, if you use it, and AI features or automated abuse review
  • Apple — sign-in, if you use it

If you use AI generation, the relevant newsletter content is sent to our AI provider to generate the subject line or preview text.

If a send trips our abuse checks, the email content, subject, links, account and list risk signals, top recipient domains, and derived list-shape signals may be reviewed by an AI service before the email goes out. We don’t send full subscriber email addresses to the AI service.

If the send needs human review, a XOXO admin may review the email and a sample of recipient addresses to decide whether it can be sent.

We don’t allow the AI providers we use to train their models on your content or data.

We share only what each provider needs to do its job for us. We’ll update this list when our providers change — and when a new provider will handle subscriber data, we’ll update it at least 15 days before they start.

We’re based in the United States. If you use XOXO from elsewhere, your data will be transferred to and processed there. If you’re in the EEA, UK, or Switzerland, transfers of subscriber data are covered by the Standard Contractual Clauses, which are part of our Terms of Service.

If you connect a third-party service to your XOXO account, such as an AI assistant or automation tool, you authorize that service to access your account data on your behalf.

That service’s privacy policy governs how it handles your data, and you can disconnect it at any time in your settings.

We may also disclose information if required by law or to protect the safety or rights of our users or the public.

We don’t sell your data or your subscribers’ data, and we don’t share it for cross-context behavioral advertising.

Cookies and storage

We use a small number of first-party cookies and similar browser storage, all essential for running the app: keeping you signed in, remembering which account you last used, and avoiding duplicate sign-in analytics within a browser tab. We don’t use advertising or targeting cookies, and our analytics are cookieless.

You can manage or block cookies through your browser settings, but without our essential cookies you won’t be able to sign in.

Privacy rights

You can access, update, or delete your personal data at any time through your account settings, or by asking us.

If you’re in the European Economic Area or the UK, GDPR gives you additional rights, including data portability and the right to object to certain types of processing. Our legal bases for processing your data are performing our contract with you (running the service), our legitimate interests (keeping the service secure, preventing abuse, and understanding how it’s used), and complying with legal obligations.

You also have the right to lodge a complaint with your local supervisory authority — though we’d appreciate the chance to sort things out first.

US state privacy laws may give you additional rights too: to know what personal information we’ve collected about you and request a copy, to correct or delete it, to opt out of sale or sharing for targeted advertising — we don’t do either — and to not be discriminated against for exercising any of these rights. We honor these requests for everyone, whether or not a particular law applies to you.

To submit a request, email help@xoxo.email. We’ll respond within the timeframe required by law.

If we decline a request, we’ll explain why, and you can appeal by replying to our response — someone other than the original reviewer will take a second look. If you’re still unsatisfied, you can raise it with your state attorney general or local data protection authority.

Some browsers send opt-out signals like Global Privacy Control or Do Not Track. We don’t sell or share personal data for targeted advertising, so the opt-out those signals ask for is already everyone’s default — there’s nothing further for them to turn off.

Retention

We keep your data while your account is active. If you’re on the waitlist, we keep your email until you’re approved, you ask us to remove it, or we no longer need the waitlist.

When you close your account, we delete your XOXO account data — including your subscriber list and sent emails — from our live systems immediately.

Some records can persist outside live XOXO tables: database backups until they cycle out, Postmark delivery records for its retention window, Stripe billing records, support conversations, error logs, analytics records that require provider support to remove, and anything we need to keep for legal, security, abuse-prevention, or tax reasons. For accounts closed for terms violations, we may keep limited records for up to 30 days to investigate and prevent repeat abuse.

One deliberate exception: when a subscriber unsubscribes, bounces, complains, or is removed with suppression enabled, we keep a one-way cryptographic hash of their email address so they can’t be accidentally re-added to your list. The hash can’t reasonably be turned back into an email address, and it’s deleted along with your account.

Security

We take reasonable technical and organizational measures to protect your data. No system is perfectly secure, and we can’t guarantee your information will never be accessed without authorization. If we become aware of a breach affecting your data, we’ll investigate promptly, let you know without undue delay — and in any case within 72 hours of becoming aware — and notify regulators where the law requires it.

Children

XOXO doesn’t knowingly collect personal information from children under 13, and you must be at least 18 to have an account. Don’t use XOXO for newsletters or forms directed to children under 13, or knowingly collect personal information from children under 13, unless we approve it in writing. We may suspend or terminate accounts that don’t follow this rule.

For subscribers

If you subscribed to a newsletter sent through XOXO, the sender of that newsletter is responsible for your data — we process it on their behalf to deliver their emails. We store delivery and engagement timestamps, but not your IP address, location, or device details. See Email tracking.

If you unsubscribe, bounce, complain, or ask the sender to suppress you, we keep only a one-way hash of your email address so the sender can’t accidentally re-add you. For anything else about your data — including access or deletion requests — contact the sender directly; their privacy policy governs your relationship with them.

Changes to this policy

We may update this policy from time to time. When we do, we’ll update the date at the top, and we’ll communicate material changes by email or in the app.

Contact us

Questions about this policy? Email help@xoxo.email.