arrobaMail
Legal document

Privacy and Data Protection Policy

How arrobaMail (TECSID) collects, uses, protects, and shares personal data. Aligned with Argentine Law 25,326, Brazil's LGPD, and the EU's GDPR.

Updated June 20, 2026·Version 3.1

This policy explains how we process personal data at arrobaMail. Together with the Terms and Conditions, the Cookie Policy, and the Anti-Spam Policy, it forms a single contractual framework. It is drafted in accordance with Argentina's Law 25,326 on the Protection of Personal Data and its implementing Decree 1558/2001, and aligned with Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018) and the European Union's General Data Protection Regulation (GDPR, EU 2016/679).


1. Data controller

The controller responsible for processing personal data is:

  • Legal owner / Business name: TECSID de Danilo Raúl Garín
  • Trade name: TECSID — Product: arrobaMail
  • Argentine Tax ID (CUIT): 23-23639244-9
  • Registered and tax address: Las Heras 155 (postal code 1663), San Miguel, Buenos Aires Province, Argentina
  • Privacy contact: [email protected] (subject line: "Privacy")
  • Security incidents and abuse: [email protected] or [email protected] (subject line: "Security"), or the Abuse Report Channel
  • WhatsApp: +54 9 11 5655-0699

TECSID is an Argentine sole proprietorship operating since 2004 in Internet services, digital marketing, and direct-communication platforms. arrobaMail has operated as a SaaS product since 2015.

The supervisory authority for personal data protection in Argentina is the Agencia de Acceso a la Información Pública (AAIP).


2. Definitions

  • Client / User: the natural or legal person who contracts or uses arrobaMail's services.
  • Subscriber / Contact: the person whose personal data (email, name, etc.) the Client uploads to the platform to send them campaigns.
  • Personal data: any information of any kind relating to identified or identifiable natural or legal persons.
  • Processing: any operation or procedure performed on personal data (collection, storage, use, disclosure, transfer, deletion).
  • Data controller: the party that decides on the purpose and content of the database.
  • Data processor: the party that processes personal data on behalf of the controller.

3. Two distinct data relationships

It is important to distinguish the following layers, because our role changes in each one:

  • Layer A — Client data. With respect to your account data (the data you upload when registering and contracting), TECSID/arrobaMail is the Controller of the processing. This policy explains what we do with it.
  • Layer B — Data of the Client's Subscribers. With respect to the data of your contacts that you upload to send them campaigns, you (the Client) are the Controller and arrobaMail acts as Processor: we process that data solely following your instructions and to provide you with the Service. You are responsible for having consent or a legal basis to process it, and for informing your subscribers as required by law.
  • Layer C — Reseller model (white label). When the Client is a Reseller that resells the Service to its own clients, the chain has one more link: the Reseller's client is the Controller of its subscribers' data, the Reseller acts as Processor toward its client, and arrobaMail/TECSID acts as sub-processor, limited to providing the infrastructure and software. arrobaMail has no direct relationship with the Reseller's clients or with the subscribers they upload, does not determine the purposes of the processing, and does not validate the lawfulness, source, or consent behind those lists: that is the Reseller's and its clients' responsibility. Rights requests from those data subjects are channeled through the Reseller (see Terms, section 2.6).

If you need a data processing agreement (DPA) for your own compliance (for example, under the LGPD or the GDPR), our Data Processing Agreement (DPA) is available; you can also write to us at [email protected] to arrange a signed version.


4. Data we collect

4.1 Client data (Layer A)

When you register or contract the Service, we may collect:

  • First and last name, or business name
  • Email and, optionally, phone / WhatsApp number
  • Country of residence and address
  • Billing data (tax ID, tax status, tax address)
  • Payment-verification data (full card and account details are processed by the payment gateways; arrobaMail does not store card numbers)
  • Access credentials (email + password, stored encrypted/hashed, never in plain text)
  • Platform usage logs (IP address, browser, date and time, actions performed)

4.2 Data of the Client's Subscribers (Layer B)

The Client uploads data about its subscribers, which may include:

  • Email (mandatory)
  • First and last name
  • Custom fields defined by the Client itself (whichever the Client chooses)
  • Campaign interaction metrics: opens, clicks, bounces, complaints, and unsubscribes. Tracking opens and clicks is a core feature of the Email Marketing service that arrobaMail provides as Processor on the Client's behalf.

4.3 Public site browsing data

When you visit arrobamail.com or its subdomains we may collect IP address, browser, operating system, device, pages viewed, time on page, and referrer, as well as aggregate behavioral data through analytics and advertising tools subject to your consent (see Cookie Policy).

4.4 Conversations with Amanda (AI agent)

Conversations you have with Amanda, our artificial-intelligence agent, are processed to respond to you and continue the conversation. Important: Amanda runs on a specialized provider's platform (Relevance AI, see section 10), so the content of those conversations is processed on its infrastructure, located in the United States, as a sub-processor. Under that provider's terms, conversation content is not used to train AI models, and the data remains under our control for retention or deletion. We nonetheless recommend that you not share passwords or sensitive data with Amanda beyond what your query requires.


5. Purposes of processing

We process data for the following purposes:

  1. Providing the contracted Service (account management, sending campaigns, automations, AI, reports, integrations).
  2. Billing and collection (issuing invoices, managing payments, recovering debts).
  3. Support and assistance (responding to inquiries via Amanda, WhatsApp, or email).
  4. Improving the product (aggregate usage analysis, without identifying individuals).
  5. Operational communications (service notices, maintenance, changes to these documents).
  6. Commercial communications (only with your prior consent, via newsletter subscription or express acceptance; you can revoke it at any time).
  7. Legal compliance (responding to requirements from competent authorities).
  8. Security and abuse prevention (detecting spam, fraud, and unauthorized access).

6. Legal basis for processing

Depending on the purpose and the applicable regime, the bases enabling processing are:

Purpose Legal basis
Providing the Service Performance of the contract (art. 5 Law 25,326; art. 6.1.b GDPR)
Billing and tax obligations Legal obligation (art. 6.1.c GDPR)
Operational communications Performance of the contract + legitimate interest
Commercial communications Prior, free, express, and informed consent (art. 5 Law 25,326; art. 6.1.a GDPR)
Support (Amanda, WhatsApp, email) Performance of the contract + legitimate interest
Product improvement Legitimate interest, over aggregated/anonymized data
Security and anti-fraud Legitimate interest + legal compliance

7. Confidentiality

TECSID/arrobaMail treats Client and subscriber information with the strictest confidentiality, and extends that duty to employees, associates, and providers who, due to their relationship with TECSID, must access the data to provide the Service (art. 10 Law 25,326).

We do not reproduce, modify, publish, or disclose Client information to third parties without authorization, except in the cases set out in section 9. We apply to that information the same security measures we apply to our own confidential information.


8. Data retention

Data type Retention period
Active-account data While the account is active
Cancelled-account data Up to 1 year after cancellation
Histories and sent campaigns, with their statistics 6 months; then may be automatically deleted if the Client did not delete them earlier
Platform logs 6 months
Billing and accounting records 5 years (statute of limitations for tax purposes under AFIP/ARCA in Argentina)
Data of prospects without a contract (web forms) Up to 12 months

The Client may request early deletion of their data as set out in section 11. Upon cancellation of the Service or serious arrears (see Terms, sections 3.7 and 6), certain data may be permanently deleted, except what we must retain under a legal, tax, security, abuse-prevention, or claims-defense obligation. Backups exist for operational continuity and infrastructure and do not constitute an individual restoration service for data deleted by the Client.


9. Exceptions to confidentiality

The duty of confidentiality does not apply when:

a) the information was already public when we received it; b) TECSID already lawfully knew it, with no duty of confidentiality; c) applicable law or an order from a competent judicial or administrative authority requires its disclosure (in which case, where legally possible, we will notify the Client); d) TECSID can show that the information was independently developed or received from third parties; e) the Client itself made it public through its own action, error, or negligence.


10. Sub-processors and data recipients

To provide the Service we rely on providers that may process personal data on our behalf or receive data as recipients. We work only with providers offering adequate guarantees and under data processing agreements:

Provider Function Location / Transfer
Akamai (Linode) Hosting and platform server infrastructure United States (Miami)
Cloudflare CDN, DNS, security (WAF), and performance; routes traffic, is not a recipient of content Global network (PoPs in multiple countries)
Relevance AI Engine for the Amanda AI agent; processes conversation content (not used to train models; SOC 2 Type II) United States
Google (Analytics 4, Tag Manager, Google Ads) Site analytics and advertising/remarketing, subject to your consent United States
Mercado Pago Payment processing Argentina
PayPal International payment processing United States / global
Payoneer International payment processing and receipt United States / global
WhatsApp (Meta) Contact and support channel United States / global

Payment gateways process payment data as independent controllers, under their own policies. arrobaMail does not store full card or account details.

We do not share personal data with unrelated advertisers, data brokers, or third parties for their own commercial purposes without your consent.


11. Data subject rights

As a data subject, you have the right to:

  • Access: know what data of yours we process and obtain a copy.
  • Rectification and update: correct inaccurate or outdated data.
  • Erasure: request deletion of your data when it is no longer necessary or as required by law.
  • Objection: object to processing for legitimate reasons.
  • Portability: receive your data in a structured format (CSV/JSON) and, where technically feasible, transfer it to another controller.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise these rights, write to us at [email protected] with the subject line "Data subject rights." We will respond within the legal deadlines (in Argentina: 10 calendar days for access and 5 business days for rectification, update, or erasure, per articles 14 and 16 of Law 25,326). We may ask you to verify your identity before responding.

Under Law 25,326 (art. 1, in fine), data subjects may bring a habeas data action to protect their personal data. If you believe your rights have been violated, you may file a claim with the supervisory authority:


12. International transfers

Part of the processing takes place outside Argentina — mainly in the United States (hosting at Akamai/Linode, Relevance AI, Google, PayPal, Payoneer) and on Cloudflare's global network. When we transfer data to countries that do not have a level of protection considered adequate, we do so under one of the following guarantees or grounds:

  • the necessity of the transfer for the performance of the contract that binds us (art. 12, Law 25,326);
  • contractual clauses for protection with the provider (the AAIP Resolution 60-E/2016 model; GDPR Standard Contractual Clauses where applicable);
  • your consent where that is the applicable basis.

13. Security

We apply reasonable technical and organizational measures to protect data, including:

  • Mandatory HTTPS (TLS) across the entire site
  • Passwords stored encrypted/hashed (never in plain text)
  • Web application firewall (WAF) and edge attack mitigation (Cloudflare)
  • Backups for operational continuity and infrastructure recovery (not an individual restoration service for data deleted by the Client — see section 8)
  • Server access restricted by credentials and environment hardening
  • Internal awareness of best practices
  • Incident response protocols

No system is entirely foolproof: we cannot guarantee perfect security, but we work to minimize risk and react quickly to any incident.


14. Security incident notification

In the event of a security incident affecting personal data that may pose a risk to data subjects, we will notify affected Clients and the relevant supervisory authority without undue delay (AAIP in Argentina; ANPD in Brazil; the competent authority under the GDPR, within the 72 hours that regime requires), to the extent and within the timeframes applicable law establishes.


15. Minors

The Service is aimed at persons over 18 years of age. We do not knowingly collect data from minors. If we detect a minor's data in an account, we may delete it and suspend the account. If you are a parent or guardian and believe a minor in your care provided us data, contact us and we will delete it.


16. Cookies and similar technologies

The use of cookies and tracking technologies on the site is governed by a separate document: Cookie Policy. Analytics and advertising cookies and scripts do not activate until you give your consent via the banner.


17. Changes to this policy

We may update this policy periodically. Material changes will be notified by email to active Clients with reasonable advance notice. Continued use of the Service after the effective date implies awareness of the updated version.

  • Prior versions: 3.0 (June 19, 2026) and 2.0 (May 23, 2026), archived.

18. Governing law and jurisdiction

This policy is governed by Argentina's Law 25,326 on the Protection of Personal Data. For Clients based in the European Union, the GDPR additionally applies; for Clients based in Brazil, the LGPD.

For any dispute, the parties submit to the courts of the Autonomous City of Buenos Aires, except when the Client is a consumer, in which case the court of the consumer's domicile has jurisdiction, per article 36 of Consumer Protection Law 24,240, without prejudice to their right to file a claim with the supervisory authority of their country.


19. Contact


Last updated: June 20, 2026 — Version 3.1.

If you find a wording error or have questions about any point, write to us through the contact channel.

This page is a courtesy translation. The original, legally binding document is in Spanish. View the original Spanish document

Get started with arrobaMail
in under 5 minutes.

Free plan, AI generations included, no credit card required — and real support from a real team.

Try it free now
WhatsAppOur team replies