Privacy Policy

Last updated: April 2026

WeScan ("we", "our", "us") provides a scan-to-email relay service. This policy explains what data we collect, why we collect it, and what we do with it.

1. What We Collect

Account Information

When you sign up, we collect your email address and a generated SMTP username. If you use OAuth (Google, Microsoft, Apple), we receive the email address associated with that account.

Recipient Information

Email addresses you add to your recipient whitelist are stored so we can verify and relay scanned documents to those addresses.

Email Metadata

We temporarily log sender, recipient, subject line, timestamp, and size for operational purposes (delivery tracking, rate limiting, abuse prevention). These logs are retained for 30 days then automatically purged.

Email Content

WeScan acts as a relay — scanned document emails pass through our servers but are not stored or inspected beyond what is technically necessary for delivery. We do not read, store, or analyse the content of your scanned documents.

2. What We Don't Collect

We do not collect browsing history, behavioural tracking data, personal identifiers beyond your email, or any information from devices other than what is needed to provide the SMTP relay service. We do not use cookies for tracking purposes.

3. How We Use Your Data

  • To operate and maintain the SMTP relay service
  • To authenticate your printer when it connects to our servers
  • To send you service-related emails (welcome, password changes, invoices)
  • To enforce rate limits and detect abuse
  • To improve service reliability and troubleshoot issues

4. Data Sharing

We do not sell your personal information. We may share data with:

  • Mailgun — used to deliver transactional emails (OTP codes, welcome emails)
  • Cloudflare — used for Turnstile bot protection and CDN
  • Stripe — if you purchase an Enterprise plan, payment is processed by Stripe. We do not store credit card information

These providers are contractually bound to use your data only for the purposes of providing their services to us.

5. Data Retention

  • Account data: retained while your account is active, plus 90 days after deletion
  • Email logs: automatically deleted after 30 days
  • Blocked/denied email records: retained for 30 days for abuse monitoring
  • Payment records: retained as required by Australian tax law (7 years)

6. Security

All SMTP connections require STARTTLS encryption. Passwords are hashed and never stored in plaintext. SMTP credentials are generated server-side and shown once. Our infrastructure is hosted in Sydney, Australia (DigitalOcean data centre SYD1).

7. Your Rights

If you are in Australia (or the EU/UK), you have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Export your data in a portable format
  • Withdraw consent (where processing is based on consent)

To exercise these rights, email us at [email protected]. We will respond within 30 days.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be notified via email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

9. Contact

WeScan is operated from Sydney, Australia.
Email: [email protected]