NNuntly

GDPR Compliance

Nuntly is a French company. Your data stays in the EU. GDPR is not an afterthought, it is our baseline.

EU-based company

Nuntly is a French micro-entreprise registered in Chatillon, France. As an EU entity, we are directly subject to the General Data Protection Regulation (GDPR) and supervised by the CNIL (Commission Nationale de l'Informatique et des Libertes), the French data protection authority.

All email data (message content, recipient addresses, delivery metadata) is processed and stored exclusively in the EU. Payment data processed by Stripe may be transferred to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses. See our sub-processors page for details.

Data hosting in the EU

All customer data is hosted exclusively in European Union AWS regions:

  • Dublin, Ireland for primary infrastructure

No email or account data is stored, processed, or replicated in regions outside the EU/EEA. Payment processing is handled by Stripe (EU entity: Stripe Payments Europe, Limited, Ireland), which may transfer billing data to the US under approved transfer mechanisms.

Data we process

As an email delivery platform, Nuntly processes the following types of personal data on behalf of our customers:

  • Recipient email addresses
  • Email message content (subject, body, headers)
  • Delivery metadata (timestamps, status, bounce information)
  • Tracking events (opens, clicks) when enabled by the customer
  • Webhook delivery payloads

Nuntly acts as a data processor for email data sent through our API. Our customers are the data controllers who determine the purpose and means of processing.

Security measures

  • Encryption in transit: all data transmitted via TLS 1.2+
  • Encryption at rest: all databases and storage encrypted with AWS KMS
  • Access controls: principle of least privilege, API key authentication
  • Audit logging: all API access and administrative actions are logged
  • Infrastructure isolation: dedicated VPC with private subnets for databases

Data subject rights

Under GDPR, individuals have the right to access, rectify, erase, restrict processing, and port their data. If you are an end-user whose data is processed through Nuntly, please contact the company that sent you the email (the data controller).

If you are a Nuntly customer, you can exercise your data rights through our data request form. We respond within 30 days per GDPR Article 12.

Breach notification

In the event of a personal data breach, Nuntly will notify the CNIL within 72 hours as required by GDPR Article 33. Affected customers will be notified without undue delay per GDPR Article 34 and our Data Processing Agreement.

Legal documents

Start sending free