Privacy Policy
Last Updated: January 23, 2026
This Privacy Policy describes how Niro ("we", "us", or "our") collects, uses, and shares information when you use our email campaign service at m.useniro.com (the "Service").
1. Information We Collect
1.1 Account Information
When you sign in to Niro, we collect information from your authentication provider:
- Email address — Used to identify your account and communicate with you
- Full name — Retrieved from your Microsoft or Google account profile
- User ID — A unique identifier assigned to your account
We support sign-in through:
- Microsoft (Azure AD) — We request access to your email and permission to send emails on your behalf
- Google — We request access to your email and permission to send emails via Gmail on your behalf
1.2 Campaign Data
When you create email campaigns, we store:
- Campaign details — Name, email subject, and email body content (HTML)
- Custom field definitions — Any template variables you define for personalization
- Scheduling information — When campaigns are scheduled to send
- Campaign settings — Including whether open tracking and click tracking are enabled
1.3 Recipient Data
When you upload recipients for a campaign, we store:
- Email addresses — Required for sending emails
- Names — First name and last name (if provided)
- Custom data — Any additional fields you import from CSV files for personalization (e.g., company name, custom variables)
1.4 Email Attachments
If you attach files to your campaigns:
- File metadata — File name, size, and content type
- File contents — Stored securely in our cloud storage
1.5 Email Tracking Data
When tracking is enabled on a campaign, we collect:
- Open events — When a recipient opens an email (via a 1x1 tracking pixel)
- Click events — When a recipient clicks a link in your email
- Timestamps — When opens and clicks occur
- User agent — The browser/email client used to open or click
- Hashed IP address — We store a cryptographic hash (SHA-256) of the recipient's IP address, NOT the actual IP address. This hash cannot be reversed to reveal the original IP.
- Referrer — The referring page (if available)
Important: Raw IP addresses are never stored in our database. We apply a one-way cryptographic hash before storage to protect recipient privacy while still allowing for deduplication of tracking events.
1.6 Email Delivery Data
For each email sent, we store:
- Delivery status — Whether the email was sent successfully or failed
- Error messages — If delivery failed, the reason why
- Timestamps — When the email was sent
- Retry information — Number of delivery attempts
1.7 Billing Information
We use a third-party billing service (Autumn) to manage subscriptions. We share:
- Your user ID — To associate your subscription
- Your email address — For billing communications
- Your name — For billing records
We do NOT directly collect or store payment card information. All payment processing is handled by our billing provider.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — Send emails on your behalf using your connected Microsoft or Google account
- Track campaign performance — Show you open rates, click rates, and recipient activity (when tracking is enabled)
- Manage your account — Authenticate you, maintain your campaigns and recipients, and enforce usage limits
- Process billing — Track your email usage against your plan limits and process subscription payments
- Improve the Service — Understand how the Service is used and make improvements
- Communicate with you — Send service-related notifications
3. How We Share Your Information
We share your information with the following third parties:
3.1 Email Providers
When you send campaigns:
- Microsoft Graph API — If you signed in with Microsoft, we use Microsoft's API to send emails from your Outlook/Microsoft 365 account
- Gmail API — If you signed in with Google, we use Google's API to send emails from your Gmail account
Emails are sent directly from YOUR email account, not from Niro. Recipients see your email address as the sender.
3.2 Billing Provider
- Stripe — Manages subscriptions, processes payments, and tracks feature usage
3.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal requests.
4. Data Security
We implement security measures to protect your data:
- Row-Level Security (RLS) — Database policies ensure you can only access your own campaigns, recipients, and tracking data
- Encrypted connections — All data transmitted to and from our servers uses HTTPS/TLS encryption
- Secure token storage — OAuth tokens are managed securely within our database.
- Signed tracking URLs — Tracking links use HMAC-SHA256 signatures to prevent forgery and expire after 30 days
- Hashed IP addresses — Recipient IP addresses are cryptographically hashed before storage
- Access controls — Administrative access to our systems is strictly limited
5. Data Retention
- Account data — Retained for as long as you have an active account
- Campaigns and recipients — Retained until you delete them or delete your account
- Tracking events — Retained along with the associated campaign data
- Attachments — Retained until you delete them or delete the associated campaign
When you delete your account, all associated data (campaigns, recipients, tracking events, attachments) is permanently deleted from our systems.
6. Your Rights and Choices
6.1 Access and Deletion
You can:
- View your data — Access your campaigns, recipients, and tracking statistics through the dashboard
- Delete campaigns — Remove campaigns and their associated recipients and tracking data
- Delete your account — Contact us to request complete account deletion
6.2 Email Tracking
You can disable tracking on a per-campaign basis:
- Open tracking — Toggle off to prevent tracking pixel injection
- Click tracking — Toggle off to prevent link rewriting
When tracking is disabled, no tracking data is collected for that campaign.
6.3 OAuth Permissions
You can revoke Niro's access to your email account at any time:
- Microsoft — Visit your Microsoft account security settings
- Google — Visit your Google account security settings
Revoking access will prevent you from sending new campaigns until you sign in again.
7. Recipient Privacy (For Your Email Recipients)
If you are a recipient of emails sent through Niro:
- The email sender (Niro user) is the data controller for your information
- Niro acts as a data processor on behalf of the sender
- If you have questions about how your data is used, contact the email sender directly
- Open and click tracking may be used to measure engagement — this is controlled by the sender
- Your IP address is hashed (not stored in readable form) if you open or click tracked emails
8. International Data Transfers
Our service infrastructure is hosted in the United States.
9. Children's Privacy
Niro is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: hi@useniro.com
12. Summary of Data Collection
| Data Type | What We Collect | Why |
|---|---|---|
| Account | Email, name, user ID | Authentication & account management |
| Campaigns | Subject, body, settings | Store and send your email campaigns |
| Recipients | Email, name, custom fields | Personalize and deliver your emails |
| Attachments | Files you upload | Include in your email campaigns |
| Tracking | Opens, clicks, hashed IPs, timestamps | Campaign analytics (when enabled) |
| Delivery | Status, errors, timestamps | Show you campaign progress & results |
| Billing | User ID, email, usage | Process subscriptions & enforce limits |