Legal
Privacy Policy
Last updated 12 July 2026
Sendle (sendle.app) is operated by VEREAL Labs (“we”, “us”). This explains what we collect, why, and your choices. We keep it minimal and we don’t sell your data.
What we collect
- Account — your email address, and the reader email address you set.
- Content you submit — books and fragments you collect (kept so you can manage, view your history, and re-send them — see Retention below). One-shot sends (pasted passages, sent files) are processed for delivery and not stored — we keep only a delivery record (title, kind, timestamp) for your send history and plan limits, never the document content.
- Sign-in tokens — sign-in codes and session tokens are stored only as one-way hashes; we can’t reverse them to the original.
- Connected mailbox (optional) — if you connect your own Gmail or Outlook to send from your address, we store that mailbox’s OAuth authorization, encrypted at rest (see How we protect your data). We never receive or store your email password.
- Usage — a count of deliveries, to enforce plan limits and improve the service.
How we use it
To run the service: build and deliver your documents, sign you in, enforce plan limits, and provide support. We don’t use your content for advertising and we don’t sell it.
Connecting your own Gmail or Outlook
Sendle lets you optionally connect your own Gmail or Outlook mailbox so your documents are sent
from your address. We use the provider’s official OAuth sign-in — we never see or store your
password. We request the narrowest possible permission: send-only
(gmail.send for Google, Mail.Send for Microsoft) plus your email
address, used only to know which mailbox is connected. Sendle therefore cannot read,
download, scan, or delete any of your email or contacts — it can only send the message you
ask it to, to the reader address you configured. You can disconnect at any time in Settings,
which deletes the stored authorization and revokes Sendle’s access with your provider.
Google API Services — Limited Use. Sendle’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we use this access only to provide the user-facing sending feature you enabled; we do not use Google user data for advertising, we do not sell or transfer it, and we do not allow humans to read it, except with your explicit consent, as strictly necessary for security or support, or where required by law.
Who processes it (subprocessors)
We rely on a small number of reputable third-party providers, by role (the specific vendors are available on request):
- Infrastructure & hosting — hosting, database and session storage.
- Email delivery — delivering your documents and sign-in codes.
- Payments (merchant of record) — processing purchases. We never see or store your card details.
How we protect your data
We apply security measures appropriate to the sensitivity of the data, with particular care for the mailbox authorization above:
- Encryption in transit — all traffic to and from Sendle is served over HTTPS/TLS.
- Encryption at rest — your Gmail/Outlook OAuth authorization is sealed with authenticated AES-256-GCM encryption before it is stored. The encryption key is held as a platform secret, separately from the database, so the stored value is useless on its own.
- Least privilege & no exposure — the authorization is write-only inside our systems: it is never returned to your browser, written to logs, or shared with third parties, and short-lived access tokens are held only in memory for the moment of sending, never stored.
- Hashed credentials — sign-in codes and session tokens are stored only as one-way hashes.
- Deletion & revocation — disconnecting, or deleting your account, removes the stored authorization and revokes Sendle’s access with your provider.
Retention & deletion
We keep the books you collect and your send history to operate the service and let you re-send. Sendle is not a backup service — we don’t guarantee long-term storage and may remove this content at any time, including automatically as part of routine maintenance, without prior notice. One-shot sends (pasted passages, sent files) aren’t retained — only their delivery record (title, kind, timestamp). You can export or delete your data, or close your account, anytime — email support@sendle.app.
Cookies
We use an essential session cookie (httpOnly) to keep you signed in, and a first-party referral cookie that remembers which channel brought you here (a short code like “hn”, kept for 30 days and used only to count signups per channel). No third-party advertising or tracking cookies, and no third-party analytics.
Your rights & contact
You can request access, export, correction or deletion of your data. Data may be processed outside your country by the subprocessors above. Questions or requests: support@sendle.app. We may update this policy; material changes will be posted here with a new date.