Privacy Policy

1. Introduction.

This Privacy Policy describes how Cyber Risk Research LLC d/b/a Sangu Mail (“Sangu,” “we,” “our,” or “us”) collects, uses, and discloses personal information about you as well as your rights and choices regarding such information. For purposes of this Privacy Policy, unless otherwise stated, “information” or “personal information” means information relating to an identified or identifiable individual and does not include aggregate information or information that does not identify you.

Some regions provide additional rights by law. For region-specific terms, please see below.

  • California
  • Nevada
  • Virginia
  • European Economic Area, Switzerland, and United Kingdom

For our contact details, please see the “Contact Us” section below.

2. Applicability

Data protection laws distinguish between entities that control the purposes and means of processing information and entities that process information on behalf of other entities.

This Privacy Policy applies to information where we control the purposes and means of processing, and governs any online services we control that link to this Privacy Policy (the “Service”). Please remember that your use of the Service is also subject to our Terms of Use.

3. Information We Collect.

A.   Information You Provide.

We collect information you provide to us, such as information you provide when you register an account, use the Service, update your profile, make a purchase, sign-up for our newsletters, participate in a promotion, respond to our surveys, or contact support, or apply for a job. The categories of information we collect include:

  • Identifiers, including your name, email address, postal address, and phone number.
  • Account credentials, including your usernames, passwords, and other information for authentication or account access. This includes your OAuth login or mail server credentials for the mail accounts you wish to link to the Service.
  • Commercial or transactions information, including records of products or services you purchased, obtained, or considered.
  • Payment information, including your payment instrument number (such as a credit or debit card number), expiration date, and security code as necessary to process your payments. This information is processed by our payment processors.
  • User-generated content, including content within any messages you send to us (such as feedback, feature suggestions, questions, or survey responses) or publicly post on the Service (such as in product reviews or blog comments).

We collect the following information if you apply for a job via the website:

  • Professional, employment, or education-related information, including your employment and work history, transcripts, writing samples, references, and other information necessary to consider you for a job.

Please do not provide any information that we do not request.


B. Information We Collect from Your Use of the Service.

  • Email Information. In order to provide the Service, your email passes through our systems.  Your messages are stored temporarily while they are being processed.  This includes the contents of the emails you send and receive, as well as the data associated with your emails, such as the date, sender, recipient, subject, message-id, and header information.
  • Reported Messages and Related Communications. When you submit to us an email communication for additional analysis, we keep a copy of that message in our case management system and review it with our analyst team. We use these messages and associated analyses to protect your email accounts and the accounts of other users from suspicious communications, email senders and domains. We do not share any personal information, such as your unredacted email address, or the content of any communications with any third parties without your authorization.
  • Logging.  For the purpose of debugging and statistics we log some of the contents and data associated with your use of the Service.


C. Information from Your Browser or Device.

 When you use the Service (including when you visit our websites or apps, or open or click on our emails), we and third parties we work with automatically collect information from your browser or device. The categories of information we automatically collect include:


  • Device identifiers, including your device’s IP.
  •  Device information, including your device’s operating software and browser (e.g., type, version, and configuration), internet service provider, and regional and language settings. 
  • Non-precise location data, such as location derived from an IP address or data that indicates a city or postal code level.

The types of tracking technologies we use to automatically collect this information include:


  • Cookies, which are small data files stored on your browser that save data about your visit. Cookies often include a unique identifier (e.g., cookie #123). We use three types of cookies: session cookies, persistent cookies, and analytics cookies. Session cookies make it easier for you to navigate our website and expire when you close your browser. Persistent cookies help with personalizing your experience, remembering your preferences, and supporting security features. Persistent cookies may remain on your device for extended periods of time and expire on a set expiration date or when they are deleted manually. Analytics cookies help us understand how you access and use the Service.
  • Pixels (also known as web beacons), which is code embedded in a service that sends information about your use to a server. Pixels provide similar functionality to cookies. There are various types of pixels, including image pixels (which are small graphic images) and JavaScript pixels (which contains JavaScript code). When you access a service that contains a pixel, the pixel may permit us or a third party to drop or read cookies on your browser, or collect other information about your visit.
  • Device fingerprinting, which is the process of analyzing and combining sets of data elements from your device’s browser, such as JavaScript objects and installed fonts, to create a “fingerprint” of your device and uniquely identify your browser and device.
  • App technologies, which are technologies included in our apps that are not browser-based like cookies and cannot be controlled by browser settings. These technologies provide similar functionality to cookies.  

D. Information from Other Sources.

 We also collect information from other sources. The categories of sources from which we collect information include:


  • Social media platforms with which you interact.
  • Third Parties that provide services to us, including analytics and fraud prevention providers.
  • Partners that may offer co-branded services, sell or distribute our products, or engage in joint marketing activities.
  • Publicly-available sources, including data in the public domain.

E. Information We Create or Generate.


We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics.

F.  Google API

To access your email to be processed by us, we ask for authorization to access your Google email account(s) using Google’s OAUTH2 mechanism.

  1. Who is requesting Google user data?  We, Cyber Risk Research, owners of Sangu are requesting access to your Google gmail account.  We hold this access token in a digital vault and always keep this information confidential.

  2. What data are we requesting?  We are requesting full access to your Google gmail account.  This allows us to read, write, modify, and delete messages and to read, write, and modify the settings in your account.  We use this access to bring your emails into Sangu, process them, and write the results back out to your mailbox.  

  3. Why are we requesting Google user data?  We are requesting the data to be able offer our services to you.  To be able to scan your emails, our software needs to be able to read the contents of your mail, run it through our system, then add banners to messages and return the modified message back to your mailbox.  We also move spam and malicious emails to a Spam folder and this requires modify permission.  We also ask for delete permission to be able to delete messages in your mailbox that we have modified.  We will never delete a message that is not otherwise accessible.  If your mailbox is a Google mailbox and we access it using IMAP,  Google requires that we ask for full access permissions to use the IMAP protocol.  When you use Sangu with our Google Workspace account, we access the settings of this Google Workspace account to modify the settings when you add your existing email to this account.  This can be done manually but it is much easier and less error prone when we add your accounts by automation.

In all cases, the access we request are solely and explicitly used in pursuit of providing you with our service.  We do not use or look at the contents of any of your mail in any way except when you report messages to us for investigation.   

4. Use Of Information

We collect and use information in accordance with the practices described in this Privacy Policy. Our purposes for collecting and using information include:


  • Providing the Service to you.
  • Preventing and addressing fraud, breach of policies or terms, or threats or harm.
  • Understanding trends, usage, and activities, including through tracking technologies or surveys, to make business and marketing decisions.
  • Communicating with you about updates, security alerts, changes to policies, and other transactional messages.
  • Personalizing your experience to show you content we believe you will find interesting.
  • Engaging in direct marketing, promotional communications, and non-personalized advertising.
  • Fulfilling any purpose at your direction.
  • With notice to you and your consent.


Notwithstanding the above, we may use non-personal information for any purpose to the extent permitted by applicable law. For details on your rights and choices regarding how we use information about you, please see the “Your Rights and Choices” section below.

5. Disclosure Of Information.

Depending on the type of information, your personal data is stored either until you delete the Service or after a certain period of time.

Type of information & Length of storage:

When you delete your account any authentication credentials, passwords, or OAuth sessions are removed at the time of account deletion and the Sangu Mail Service will be unable to access any linked accounts.

Email messages synchronized to your Sangu mailbox are kept for 30 days in the event of inactivity or non-payment. If you delete your account from the service, the Email message content will be removed within 48 hours from the mailbox servers. Your linked accounts will not be further changed so any messages remaining on those accounts will remain on the linked account providers systems. If messages were deleted on the Linked account and only present on Sangu mail those messages will be unrecoverable when the Sangu mail content is expunged.

Email addresses, APNS device token, app tokens assigned by us, device info is kept for 3 months after deletion of your email account from Sangu mail on all devices.

Metadata about messages (headers, hashes, etc) processed via the security and spam analysis tools used in providing services to you is kept for 3 months.

Full message content is persisted in some of our security analysis tools for up to 3 months. While the full message content is removed from the mailbox server when you delete your account it will persist in these security analysis tools for the longer period.

Email messages you reported for additional analysis are kept in our case management system for 12 months from time of report. This retention period also applies after you remove your account.  

As part of the service when messages are determined to be malicious or spam, we retain information about the content and composition of those messages. This is distilled down into cyber observable information and/or Indicators of Compromise (IOC) elements such as hashes, files names. domain names. URLs, IP addresses, malicious sender email addresses, malicious phone numbers, postal addresses, images, etc.  This information is retained for 36 months.

6. Third Parties.

We offer parts of our Service through websites, platforms, and services operated or controlled by third parties. In addition, we integrate technologies operated or controlled by third parties into parts of our Service. Please note that when you interact with third parties, including when you leave our Service, those third parties may independently collect information about you and solicit information from you. The information collected and stored by third parties remains subject to their own policies and practices, including what information they disclose to us, your rights and choices on their services and devices, and whether they store information in the U.S. or elsewhere. We encourage you to familiarize yourself with and consult their privacy policies and terms of use.


Some examples of where you may interact with a third party include:


  • External Platforms.  External platforms such as Google Workspace and Office 365 which we incorporate into some of our offerings.  For example, we can link our software to a Google Workspace account which is used by you as a user interface for your email.

  • Links. Our Service includes links that hyperlink to websites, platforms, and other services not operated or controlled by us. We may get a commission if you purchase a product after clicking on a link to an affiliate’s website.


  • Brand Pages and Messaging. We may offer our content through social media. Any information you provide to us when you engage with our content (such as through our brand page or via a messenger) is treated in accordance with this Privacy Policy. Also, if you publicly reference our Service on social media (e.g., by using a hashtag associated with Sangu in a tweet or post), we may use your reference on or in connection with our Service.

7. Your Rights And Choices.

A. Region-Specific Rights.

In addition to these rights and choices, you may have rights based on your region. For region-specific terms, please see the relevant sections at the end of this Privacy Policy.


B. Account Management.

You may access, update, or delete certain information that you have provided to us through your account by visiting your account settings. Please note that we will retain information in accordance with our data retention practices.


C. Tracking Technology Management.

  • Cookies. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline or delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations.
  • Preference Signals. Your browser or extension may allow you to automatically transmit Do Not Track and other tracking technology preference signals, and unless required by law, we do not respond to such signals.
  • App Technologies. You can stop all collection of information via an app by uninstalling the app. You may also configure the app’s notification settings in your device’s system preferences.

Please be aware that if you disable or remove tracking technologies some parts of the Service may not function correctly.

D. Analytics Management.

We use Google Analytics cookies to help us understand how you access and use the Service. Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at Please note that opt outs only apply to the specific browser or device from which you opt out. We are not responsible for the effectiveness of any opt outs offered by other entities.

E. Communications.

  • E-mails. You can unsubscribe from receiving promotional emails by following the unsubscribe instructions at the bottom of the email, or emailing us at with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt out of transactional messages.
  • Push Notifications. If you have opted-in to receive push notification on your device, you can opt-out by adjusting your device settings or uninstalling our app.

Please note that your opt out is limited to the email address and device used and will not affect subsequent subscriptions.

8. Children

The Service is not directed toward children under 16 years old, and we do not knowingly collect personal information (as that term is defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children. If you are a parent or guardian and believe we have collected personal information from children, please contact us at We will delete the personal information in accordance with COPPA.

9. Data Security

We implement and maintain reasonable administrative, physical, and technical security safeguards to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about you.

10. Retention

We retain information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

11. International Transfer.

We are based in the U.S. If you are located outside the U.S., please be aware that your information may be transferred to and processed in the U.S. or another country where we operate. Where required by applicable law, we will provide appropriate safeguards for data transfers, such as through use of standard contractual clauses.

12. Changes To This Privacy Policy

We reserve the right to revise and reissue this Privacy Policy at any time. Any changes will be effective immediately upon posting of the revised Privacy Policy. Your continued use of our Service indicates your consent to the Privacy Policy then posted. If the changes are material, we may provide you additional notice to your email address.

13. Contact Us

If you have any questions, or have trouble accessing this Privacy Policy, please contact us:


By email:


By mail:

 Cyber Risk Research LLC

197 Palmer Ave, Unit 200

Falmouth MA 02536

14. California

These additional rights and disclosures apply only to California residents. Terms have the meaning ascribed to them in the California Consumer Protection Act as replaced by the California Privacy Rights Act (“CPRA”), unless otherwise stated.


A. Notice at Collection.

At or before the time of collection, you have a right to receive notice of our data practices. The “Information Collection” section above sets out the categories of personal information we have collected and the sources from which we have obtained personal information in the past 12 months.

We collect and use this personal information for the business purposes set out in the “Use of Information” section above. We disclose this personal information to the categories of persons set out in the “Disclosure of Information” section above. Please visit those sections for further details.

We do not “sell” or “share” your personal information as those terms as defined by the CPRA.

We do not knowingly sell or share the personal information of minors under 16 years old who are California residents.


B. Retention.

We retain each category of personal information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.


C. Rights to Know, Correct, and Delete.

You have the right to request the following from us:

  • The categories of personal information we have collected about you; 
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold or shared;
  • The categories of persons to whom the personal information was disclosed for a business purpose or sold or shared;
  • The business or commercial purpose for collecting or selling or sharing the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, you have the right to correct or delete the personal information we have collected from you.

To exercise any of these rights, please email us at


D. Authorized Agent.

You can designate an authorized agent to submit requests on your behalf. Requests must be submitted through the designated methods listed above. Except for opt-out requests, we will require written proof of the agent’s permission to do so and may verify your identity directly.


E. Right to Non-Discrimination.

You have the right not to receive discriminatory treatment by us for the exercise of any your rights.


F. Shine the Light.

Under California’s Shine the Light law, Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To exercise a request, please write us at the email or postal address set out in “Contact Us” above and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

15. Nevada

We do not sell and will not sell your covered information (as those terms are defined by NRS 603A.340).

16. Virginia

These additional rights and disclosures apply only to Virginia residents. Terms have the meaning ascribed to them in the Virginia Consumer Data Protection Act (“VCDPA”).

You have the following rights under the VCDPA:

  • To confirm whether or not we are processing your personal data
  • To access your personal data
  • To correct inaccuracies in your personal data
  • To delete your personal data
  • To obtain a copy of your personal data that you previously provided to us in a portable and readily usable format
  • To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Sangu does not share or sell your personal information, including sales or shares to facilitate targeted advertising or profiling.
  • To exercise any of these rights, please email us at and specify which right you are seeking to exercise.

If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General at

17. European Economic Area, Switzerland, And United Kingdom

These additional disclosures and rights apply only to individuals located in the European Economic Area, Switzerland, or the United Kingdom (collectively, “Europe”). Terms have the meaning ascribed to them in the General Data Protection Regulation (“GDPR”).

A. Roles.

Sangu acts as a controller with respect to personal data collected as you interact with our Service.

B. Lawful Basis for Processing.

Data protection laws in Europe require a “lawful basis” for processing personal data. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers or partners; (b) processing is necessary for the performance of a contract with you; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests. Where applicable, we will transfer your personal data to third countries subject to appropriate or suitable safeguards, such as standard contractual clauses.

C. Your Rights.

You have the right to access, rectify, or erase any personal data we have collected about you. You also have the right to data portability and the right to restrict or object to our processing of personal data we have collected about you. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different than for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any data processing we do based on consent you have provided to us.

To exercise any of these rights, please email us at and specify which right you are seeking to exercise.