Terms of Service

Updated June 12, 2026

XOXO is operated by Supertape, LLC, doing business as XOXO Email (“we”, “us”, and “our”). “You” means the person or organization that owns or uses the XOXO account; if you’re accepting these terms on behalf of an organization, you confirm you have the authority to bind it.

These terms cover everything we provide under the XOXO name — the app, API, MCP server, hosted and embeddable forms, pages, and emails we send for you. By using any of it, you agree to these terms. If you don’t agree, don’t use XOXO.

How we handle data — yours and your subscribers’ — is covered by our Privacy Policy, which is part of these terms.

Accounts

You must be at least 18 years old (or the age of majority in your jurisdiction, if higher) to create an account. XOXO also isn’t available to anyone in a country or region under a United States embargo, or on a US government restricted-party list.

You’re responsible for maintaining the security of your account and for all activity that occurs under it, including the activity of any collaborators you invite. You’re also responsible for their compliance with these terms. You agree to provide accurate information when registering and to keep it up to date.

Every account has one owner — initially the person who created it, though ownership can be transferred to another collaborator. We treat the current owner as the account’s authorized representative: they control billing, ownership transfers, and closing the account, and these terms carry over to the new owner when ownership changes hands.

If there’s ever a dispute over who should own an account, we’ll defer to the current owner — we can’t mediate ownership disputes.

Content

You own the content you publish through XOXO. We’ll never claim ownership of your newsletters, writing, or subscriber data.

By using XOXO, you grant us a limited, non-exclusive, royalty-free license to host, transmit, display, and analyze your content as necessary to run the service — including automated review for spam and abuse. This license ends when you delete your content or close your account, except where copies reasonably persist — in emails already delivered, in our delivery provider’s records, and in our backups until they cycle out.

You may not use XOXO to publish or distribute content that:

  • Is illegal, harassing, threatening, defamatory, or fraudulent
  • Incites violence, exploits or endangers children, or threatens anyone’s health or safety
  • Infringes on the intellectual property rights of others
  • Contains malware, phishing links, or other malicious material
  • Impersonates any person or organization in a misleading way
  • Deceives people with manipulated media, such as deepfakes presented as real
  • Violates any applicable laws or regulations

This applies to newsletters, forms, and any other content published through your XOXO account.

If you believe content hosted through XOXO infringes your copyright, send a notice to our designated DMCA agent:

XOXO EMAIL
ATTN: DMCA
50 W BROADWAY STE 333 PMB 20104, SALT LAKE CITY, UT 84101
801-200-3015
help@xoxo.email

Include the work that was infringed, where the infringing material lives, your contact information, a good-faith statement that the use isn’t authorized, and your physical or electronic signature.

When we receive a valid notice, we’ll remove or disable access to the material and pass the notice along to the account holder, who can respond with a counter-notice under the DMCA. We close the accounts of repeat infringers.

Subscriber data

Your subscriber relationships belong to you. We process subscriber information solely to provide the service on your behalf. The Data processing section below spells out our commitments, including for accounts covered by GDPR.

You’re responsible for:

  • Collecting subscriber data lawfully and clearly disclosing what you collect, including through custom form fields
  • Not using XOXO for newsletters or forms directed to children under 13, and not knowingly collecting personal information from children under 13, unless we approve it in writing
  • Complying with all laws that apply to your audience, including privacy, marketing, consumer protection, and children’s privacy laws
  • Maintaining your own privacy policy that governs your relationship with your subscribers
  • Disclosing your use of engagement tracking, such as opens and clicks, and obtaining any consent your subscribers’ jurisdictions require for it
  • Not collecting sensitive personal information — health, financial account, government ID, precise location, or other special categories of data — through XOXO, unless we approve it in writing

We’re not responsible for how you collect or use subscriber data. Any questions from your subscribers about their data should go to you, not to us.

Data processing

For your subscribers’ data, you’re the controller and we’re your processor (in GDPR terms). This section is our data processing agreement with you — it applies to every account automatically, no signature needed.

The processing is straightforward: while your account is active, we host subscription forms, process imports and API requests, store subscriber records, deliver your emails, record delivery and engagement events, keep unsubscribe/suppression records, provide support, and protect the service from abuse.

The data may include subscriber email addresses, custom fields, tags, groups, source data, delivery and engagement timestamps, and related technical data processed transiently for security, delivery, and bot filtering. The people affected are your subscribers and anyone you add to your audience.

When we handle subscriber data on your behalf, we commit to the following:

  • We process subscriber data to provide XOXO, follow your instructions, and protect the service — never to advertise to subscribers or use your list for ourselves.
  • Everyone at XOXO with access to subscriber data is bound by confidentiality.
  • We protect it with reasonable technical and organizational security measures.
  • We use the service providers named in our Privacy Policy as subprocessors, under contracts that protect your data at least as well as this section, and we remain responsible for their performance. We’ll update that list at least 15 days before a new subprocessor starts handling subscriber data; if you object to a change, you can close your account.
  • We’ll help you respond when subscribers ask to access, correct, or delete their data — most of which you can handle yourself in the app or through the API.
  • We’ll give you reasonable help with data protection impact assessments and consultations with supervisory authorities, where you need our input.
  • If we become aware of a breach affecting your subscribers’ data, we’ll notify you without undue delay — and in any case within 72 hours of becoming aware.
  • When you close your account, subscriber data is deleted or retained only as described in our Privacy Policy.
  • We’ll provide the information you reasonably need to show this section is being followed, and if that’s not enough, we’ll allow and contribute to an audit you run — up to once in any 12-month period, on at least 30 days’ notice, during business hours, under confidentiality, and at your expense.
  • We’ll delete or return subscriber data at the end of the service unless we need to keep limited records for legal, security, abuse-prevention, billing, backup, or provider-retention reasons.

If you or your subscribers are in the EEA, the UK, or Switzerland, the European Commission’s Standard Contractual Clauses (Module 2, controller to processor) and the UK Addendum are incorporated into these terms for transfers of subscriber data to us in the United States when they’re needed, with their annexes completed by this section and our Privacy Policy.

Email sending

XOXO is built for sending newsletters to people who asked for them. Only send email to subscribers who explicitly opted in — through your XOXO form, or another method you can document.

If you import a list or add subscribers through the API, the same standard applies: you should be able to show when, where, and how each person signed up, and we may ask you to do exactly that. We may hold sending while we check.

Re-confirming imported lists isn’t required, but it’s the best protection for your deliverability — and everyone else’s.

You may not:

  • Email lists that were purchased, scraped, or otherwise built without clear consent
  • Use rented, co-registration, lead-generation, harvested, enriched, or cold-outreach lists
  • Send unsolicited bulk or commercial messages
  • Use misleading sender names, subject lines, or from addresses
  • Re-add or email people who have unsubscribed, or otherwise work around an unsubscribe
  • Use XOXO for “permission pass” campaigns or other attempts to revive a list that didn’t clearly opt in to hear from you

Some categories of email hurt deliverability for everyone even when they’re legal, and our email partners prohibit them — so we do too. Don’t use XOXO for:

  • Affiliate marketing as the main purpose of your list
  • Get-rich-quick or multi-level marketing offers
  • Payday or short-term loans
  • Credit repair or debt relief offers
  • Cryptocurrency promotions or giveaways
  • Sweepstakes or gambling
  • Pharmaceutical offers
  • Lead generation or list resale
  • Sexually explicit content
  • Illegal goods, regulated goods sold unlawfully, or anything designed to deceive people about money, health, identity, or safety

If your newsletter sits in a grey area, email us first — we’d rather talk than suspend.

Your emails must comply with anti-spam laws such as CAN-SPAM, GDPR, and CASL. XOXO handles part of this automatically: every newsletter includes an unsubscribe link and one-click unsubscribe support, and opt-outs take effect immediately.

Your part: every email needs a valid sender name and a real physical mailing address — a home address or PO box works. Sponsored or commercial content needs to be disclosed where the law requires it. You can set your address in your sending settings.

We don’t read or pre-approve your emails as a rule. But a send that trips our abuse checks — for example, a large audience that has never confirmed — may be held briefly for automated review, AI review, and sometimes a human look before it goes out.

We can decline to send anything that looks like spam or puts XOXO’s deliverability at risk.

We can’t guarantee delivery — your sending behavior and reputation affect whether your emails reach inboxes or spam folders. XOXO accounts send through shared infrastructure, so one account’s spam complaints or bounces can hurt everyone’s deliverability — we watch both closely.

If your account draws too many spam complaints or bounces, or breaks these rules, we may pause your sending immediately while we look into it, suspend it, or close the account. We may also decline to take on senders whose content category or sending patterns put that shared infrastructure at risk.

API and integrations

XOXO provides API access and supports third-party integrations, including AI assistants, OAuth apps, MCP clients, and automation tools. Some integrations can read, create, update, send, or delete account data. Only connect services you trust, and review their own terms and privacy policies. We’re not responsible for how third-party services access or use your account data after you authorize them.

You’re responsible for all actions taken through your API key. Keep your API key secure and don’t share it. If you believe your key has been compromised, regenerate it immediately.

These terms apply to anyone who accesses the XOXO API or MCP server — including developers acting on behalf of someone else’s account. If you build a service that connects to other people’s XOXO accounts, you also agree to the following:

  • Only access an account with the owner’s permission, and only in the ways they’ve authorized
  • Use the data you access solely to provide your service to that account — don’t sell it, share it for advertising, or combine it across accounts that aren’t yours
  • Protect it with reasonable security measures
  • Delete it when the account holder disconnects your service or asks you to

You may not use the API, MCP server, or integrations to bypass XOXO’s sending, billing, consent, security, or abuse-prevention limits, or to overload the service. The API may change over time, and we may suspend or revoke API access that breaks these rules.

AI features

XOXO includes AI features, like generating subject lines and preview text from your newsletter. Anything they produce for you is your content under these terms — review it before you send it, since you’re responsible for everything you publish.

AI output isn’t guaranteed to be accurate or unique; similar prompts can produce similar results for other accounts. We don’t allow the AI providers we use to train their models on your content.

Billing

Paid plans are billed monthly in US dollars and renew automatically each month until you cancel. Prices don’t include any taxes that may apply to you. You may cancel at any time, effective at the end of the current billing period — you won’t be charged again after that. We may update pricing with at least 30 days’ notice.

If you’re on a paid plan and your subscriber count crosses into the next tier, we’ll attempt to upgrade your account and charge your payment method the prorated difference. If the charge fails, your account may be limited until billing is back in good standing. We’ll email you when you’re approaching your plan’s limit, and again whenever your plan changes.

Likewise, if your subscriber count drops into a lower tier, we’ll automatically move you to the smallest paid plan that fits at the end of your billing period. We never move you to the free plan automatically — if you’d rather be on it, cancel your paid plan and you’ll switch to free when the period ends.

Free plans include a limited number of subscribers — the current cap is shown in the app. Once you reach it, you can’t add new subscribers, and if you’re over it (for example, after canceling a paid plan with a larger list) you won’t be able to send until you upgrade or get back under the cap. Your subscribers and content stay put either way.

If your payment is past due, your account is locked until billing is back in good standing — emails pause and you won’t be able to use the app, though your signup forms and unsubscribe links keep working, and you can export your subscribers at any time. The account owner can update the payment method at any time to restore access immediately.

Refunds are handled case by case — if you think you’re owed one, email help@xoxo.email and we’ll figure out what’s fair. One exception: if we close your account for violating these terms, no refund is given.

Service availability

XOXO is provided “as is” and “as available,” without warranties of any kind, express or implied — including merchantability and fitness for a particular purpose. We make no guarantees of uninterrupted availability, and we can’t promise your emails will reach every inbox.

We reserve the right to set or adjust sending limits at any time. If your sending volume or patterns appear to be causing harm to XOXO or other accounts, we may throttle or restrict your account.

Features labeled beta or early access may change, break, or be removed at any time — the 30-day notice we promise for discontinuing XOXO or its plans doesn’t apply to them.

You may not interfere with the operation of XOXO or its infrastructure, or use it in ways that harm other accounts or their subscribers. You also may not:

  • Reverse engineer, decompile, or otherwise try to extract XOXO’s source code
  • Scrape, crawl, or mirror the service, or collect data from it by automated means outside the documented API
  • Resell or sublicense XOXO, or use it — including the API — to build a competing service
  • Probe, scan, or test XOXO’s security without our written permission — if you think you’ve found a vulnerability, please email help@xoxo.email

Liability

To the fullest extent permitted by law, our liability for any claim is limited to the greater of $50 or the amount you paid us in the twelve months before the claim. We’re not liable for indirect or consequential damages, including loss of data, revenue, or business.

We’re not liable for any claims arising from how you use XOXO, manage your subscriber relationships, or connect third-party services to your account.

Indemnification

You agree to defend Supertape, LLC and its owners, employees, and agents against any claims, damages, or expenses — including reasonable attorneys’ fees — arising from your use of XOXO, your content, your subscriber relationships, or your use of third-party integrations connected to your account, and to hold us harmless from them.

Termination

You may close your account at any time.

If a free account has been inactive for more than a year — no sign-ins and no sending — we may close it. We’ll email you at least 30 days beforehand so you can keep it active or export your data first.

If you violate these terms, we may remove content, suspend sending, or terminate your account, with or without notice. Where the law requires it, we’ll report activity to the relevant authorities. If we close your account for violating these terms, don’t sign up again — and don’t spread your sending across multiple accounts to get around limits, suspensions, or these rules.

When your account is closed, your data is removed from live XOXO systems and won’t be available in the app — export anything you need first. The exceptions, like backups, provider retention, legal records, and accounts closed for violations, are described in our Privacy Policy.

We hope it never comes to it, but if we ever discontinue XOXO or one of its plans, we’ll give you at least 30 days’ notice and time to export your data.

Other terms

  • If part of these terms turns out to be unenforceable, the rest still stands.
  • These terms, together with our Privacy Policy, are the whole agreement between us — they replace anything we’ve said elsewhere.
  • You can’t assign your account or these terms without our consent; we may assign them if XOXO changes hands, and they’ll bind whoever takes over.
  • Neither of us is responsible for delays or failures caused by things outside our reasonable control.
  • If we don’t enforce part of these terms right away, we’re not waiving it.
  • Sections that should outlive your account — like Liability, Indemnification, and Governing law and disputes — survive its closure.
  • If you send us ideas or feedback, we can use them without owing you anything.

Changes to these terms

We may update these terms from time to time. For material changes, we’ll let you know by email or in the app at least 14 days before they take effect; minor clarifications take effect when posted. If you keep using XOXO after a change takes effect, that means you accept the updated terms. If you don’t agree, close your account before the change kicks in.

Governing law and disputes

These terms are governed by the laws of the State of Utah, and any disputes will be resolved in the state or federal courts located there. If something’s gone wrong, email us first — most problems are faster to fix than to litigate.

We’ve kept disputes in court rather than sending you to arbitration, and we ask that they stay simple in return: both of us agree to bring claims only in our individual capacity — not as a plaintiff or class member in any class, consolidated, or representative proceeding — and we each waive the right to a jury trial. Any claim must be brought within one year of when it arose, or it’s permanently barred. If the law where you live doesn’t allow one of these limits, that limit doesn’t apply to you.

Contact us

Questions about these terms? Email help@xoxo.email.