Skip to content
SendByte Start sending

Updated Draft, June 2026

Privacy Notice

Draft. This document is a working draft pending review by qualified counsel and our Data Protection Compliance Organisation. It is not yet legally effective.

This Privacy Notice explains how personal data is handled when you use SendByte. SendByte is a transactional email API operated by Echospectra Technology Limited (“Echospectra”, “we”, “us”), a company registered in Nigeria. It is written to meet the Nigeria Data Protection Act 2023 (NDPA) and the NDPR, and to be readable.

1. Who controls your data

We act in two different roles depending on the data:

  • As a data controller for your account: the information you give us to open and run a SendByte account (your name, email, password, billing details, support messages, and how you use the dashboard and API).
  • As a data processor for the email you send: when you send email through SendByte, the recipient addresses, message content, and delivery events are personal data that belongs to your users. You are the controller of that data; we process it only to deliver your email and report on it, on your instructions. The terms of that processing are set out in our Data Processing Agreement.

2. What we collect

Account data (we are controller): name, email address, hashed password, organization name, API key metadata (never the secret), billing information (processed by our payment provider, see section 6), support correspondence, and dashboard/API usage logs including IP address and request metadata.

Email data you send (we are processor): sender and recipient addresses, subject lines, message bodies, attachments, custom headers and tags, and delivery events (sent, delivered, opened, clicked, bounced, complained, unsubscribed).

We do not sell personal data, and we do not use the content of your email to train models or for any purpose other than delivering and reporting on your sends.

PurposeLegal basis (NDPA)
Providing the SendByte servicePerformance of a contract
Authenticating you and securing accountsLegitimate interest; legal obligation
Billing and fraud preventionPerformance of a contract; legitimate interest
Deliverability and abuse prevention (bounce, complaint, suppression handling)Legitimate interest; legal obligation
Product and security communicationsLegitimate interest
Marketing emails to you (account holders)Consent, which you can withdraw

4. Where your data lives

Customer data and email logs are stored in Africa, in AWS af-south-1 (Cape Town). Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). For customers with users in the EU/UK, we can support transfers consistent with GDPR (see section 7).

5. How long we keep it

  • Email logs: for the retention period of your plan (3 days on Free, up to 90 days on Scale, or longer with the retention add-on). After that, log content is deleted.
  • Account data: for as long as your account is open, and for a limited period afterward to meet legal, tax, and accounting obligations, then deleted or anonymized.
  • Suppression list entries (hard bounces, complaints, unsubscribes): retained as long as needed to protect deliverability and respect recipients’ choices.

6. Who we share it with

We use a small number of vetted processors, each bound by data-protection terms:

  • Amazon Web Services (af-south-1): infrastructure and storage.
  • Paystack (and Flutterwave as backup): payment processing. Card details are handled by them, not stored by us.
  • Cloudflare: content delivery, DDoS protection, and email tracking.

We may disclose data if required by law or to protect our rights, users, or the public, and to a successor entity in a merger or acquisition. The current list of sub-processors for email data is maintained in the Data Processing Agreement.

7. International transfers

If you or your recipients are in the EU/UK, personal data may be transferred to and processed in Nigeria and other locations. Where required, we rely on appropriate safeguards (such as standard contractual clauses) and our security measures described above.

8. Your rights

Under the NDPA you have the right to access, correct, delete, restrict, object to, and port your personal data, and to withdraw consent. You can exercise most of these directly in the dashboard (for example, deleting data or configuring retention), or by contacting us. If we process data on behalf of a customer (email data), we will refer your request to that customer, who is the controller.

To make a request, contact privacy@sendbyte.africa. We respond within the timeframe required by law. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

9. Security

We protect personal data with encryption in transit and at rest, network isolation, least-privilege access, secret management, audit logging of account and API actions, and regular dependency and security review. No system is perfectly secure, but security is core to how SendByte is built.

10. Cookies

The dashboard uses strictly necessary cookies and local storage to keep you signed in. The marketing site uses minimal, privacy-respecting analytics. We do not use advertising trackers.

11. Changes

We may update this notice. Material changes will be communicated to account holders. The “updated” date at the top reflects the current version.

12. Contact

Echospectra Technology Limited, Lagos, Nigeria. Data protection contact: privacy@sendbyte.africa. Our Data Protection Compliance Organisation (DPCO) details will be published here once registration with the NDPC is complete.