Legal
Anti-Spam Policy
Last updated: 7 July 2026 · Operated by L. Bone trading as PolicifyAI
1.Our commitment to responsible email
PolicifyAI is committed to responsible, permission-based email communication. We believe that email is a privilege, not a right, and we take our obligations to users, regulators, and the broader email ecosystem seriously.
We will never send unsolicited commercial email. Every commercial or promotional email we send includes:
- A clear, accurate subject line that truthfully represents the content of the email.
- Accurate sender identification showing PolicifyAI as the sender.
- Our physical or trading address, as required by applicable law.
- A clear and functional one-click unsubscribe link in the email footer.
- No deceptive routing information or falsified headers.
We operate a zero-tolerance policy towards spam. Any email sent from our domains (@policifyai.com) that you did not request or consent to should be reported to us immediately at [email protected].
2.Legal framework
Our email communications comply with the following laws and regulations:
- UK PECR (Privacy and Electronic Communications Regulations 2003) — requires prior consent or a valid soft opt-in for marketing emails to individuals and sole traders. We comply with Regulation 22 (unsolicited communications) and Regulation 23 (identification of caller/sender). Transactional emails are exempt from the consent requirement.
- EU ePrivacy Directive (Directive 2002/58/EC) — as implemented in applicable EU member states. Imposes equivalent consent requirements for marketing emails to recipients in EU countries. We treat EU recipients in the same way as UK recipients under PECR.
- UK GDPR / EU GDPR — all email addresses and communication preferences are processed as personal data subject to data protection principles, including purpose limitation, data minimisation, and the right to withdraw consent at any time.
- CAN-SPAM Act (United States, 15 U.S.C. § 7701) — requires accurate header information, clear identification of commercial email, a valid physical address, and a functional opt-out mechanism. We honour opt-out requests within 10 business days as required.
- CASL (Canada's Anti-Spam Legislation, S.C. 2010, c. 23) — requires express or implied consent before sending commercial electronic messages to Canadian recipients, accurate sender information, and an unsubscribe mechanism. We obtain express consent for marketing emails to Canadian recipients.
3.Email categories we send
PolicifyAI sends two distinct categories of email: transactional emails and product/marketing emails. These categories have different legal bases and different opt-out rights.
| Category | Legal basis | Can opt out? |
|---|---|---|
| Transactional — payment receipts, invoices, billing alerts | Contract performance | No (required for account management) |
| Transactional — password reset, account security alerts | Contract performance / legitimate interests | No (required for security) |
| Transactional — policy update notifications (your own policies changed) | Contract performance | Yes (in Settings → Notifications) |
| Transactional — policy share notifications | Contract performance | Yes (in Settings → Notifications) |
| Product — feature announcements, changelog updates | Legitimate interests (soft opt-in, existing customers) or consent | Yes — one-click unsubscribe |
| Product — service improvement notices | Legitimate interests or consent | Yes — one-click unsubscribe |
| Marketing — promotional offers, plan upgrade prompts | Consent (explicit opt-in required) | Yes — one-click unsubscribe |
4.Transactional email details
Transactional emails are sent as a necessary part of our contractual relationship with you and for the security and management of your account. You cannot opt out of all transactional emails and continue using the Service — some are essential for account security and billing.
4.1 Types of transactional emails we send- Payment receipts and invoices — sent after each successful payment, containing your invoice details. Required by applicable tax law.
- Subscription change confirmations — sent when you upgrade, downgrade, or cancel your subscription.
- Payment failure alerts — sent when a payment fails, with instructions on how to update your billing details.
- Password reset emails — sent when you request a password reset. Single-use link, expires after 1 hour.
- Account security alerts — sent when unusual account activity is detected, such as sign-ins from new devices or locations.
- Policy share notifications — sent when you share a generated policy with another user or when a shared policy is updated (can be disabled in Settings → Notifications).
- Policy update notifications — sent when a policy you have published is updated with a new version (can be disabled in Settings → Notifications).
Transactional emails are delivered via Resend from the domain policifyai.com or authorised subdomains. All legitimate transactional emails from PolicifyAI will have a valid DKIM signature and will pass SPF and DMARC checks.
5.Marketing and product email details
Marketing and product update emails are sent only where we have a valid legal basis to do so under UK PECR and applicable law.
5.1 Soft opt-in (UK PECR Regulation 22(3))We rely on the "soft opt-in" (or "existing customer exception") under UK PECR Regulation 22(3) to send product update and feature announcement emails to existing customers without a separate opt-in, provided that:
- You are an existing customer who has purchased or used the Service.
- The email relates to similar products or services to those you purchased (i.e. PolicifyAI platform features and updates — not unrelated third-party products).
- At signup, our Terms of Service and this policy (linked from the signup form) disclose that we may send product update emails and how to opt out — and every such email includes a one-click unsubscribe link, giving you the opportunity to opt out at any time.
- You have not opted out of such communications.
- We do not purchase, rent, or use mailing lists from third parties.
- We do not scrape or harvest email addresses from websites or other sources.
- We do not use pre-ticked opt-in boxes or disguised opt-in mechanisms.
- We do not send commercial emails to addresses that have not had a relationship with PolicifyAI.
- We do not send marketing emails on behalf of third parties.
6.Unsubscribing from marketing emails
You can unsubscribe from marketing and product update emails at any time. We offer multiple methods:
6.1 One-click unsubscribe linkEvery marketing and product update email includes a one-click unsubscribe link in the footer. Clicking this link immediately removes you from the relevant mailing list without requiring you to log in. Unsubscribe requests are processed within 3 business days, though most are processed instantly.
6.2 Account settingsYou can manage your email preferences at any time from your account dashboard under Dashboard → Settings → Notifications. You can independently control:
- Product update and feature announcement emails (on/off)
- Policy share notification emails (on/off)
- Policy version update notification emails (on/off)
You can also request removal from marketing communications by emailing [email protected] with the subject "Unsubscribe". We will process your request within 3 business days and send a confirmation email.
Important: Unsubscribing from marketing emails does not affect your receipt of transactional emails such as payment receipts, password resets, and security alerts. These cannot be disabled as they are essential for the security and management of your account.
7.Sender identification and authentication
All legitimate email from PolicifyAI is sent from the following domains and sub-domains:
[email protected]— general correspondence and product updates[email protected]— privacy and data protection[email protected]— legal notices[email protected]— security notifications[email protected]— customer support[email protected]— spam reports (inbound only)[email protected]— automated transactional notifications, sent from a dedicated sub-domain
All outgoing email is authenticated with:
- DKIM (DomainKeys Identified Mail) — cryptographic signature allowing recipients to verify the email originated from policifyai.com or mail.policifyai.com.
- SPF (Sender Policy Framework) — DNS record specifying which mail servers are authorised to send email on behalf of policifyai.com.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — policy published at the domain level instructing receiving mail servers on how to handle emails that fail DKIM or SPF checks. Our DMARC policy is set to "reject" for unauthorised senders.
If you receive an email purporting to be from PolicifyAI that fails these checks, or that you did not request, please forward it to [email protected] immediately.
8.Email service provider (Resend)
All transactional and product/marketing email delivery is handled by Resend (resend.com), a US-based email infrastructure provider.
Resend acts as a data processor for email delivery purposes and is listed as a sub-processor in our sub-processors list. Data shared with Resend for email delivery is limited to:
- Your email address (recipient)
- The content of the email being sent (subject line, body)
- Email delivery metadata (timestamps, open/click events where tracked)
Resend maintains its own anti-spam and infrastructure policies, including full DKIM, SPF, and DMARC authentication for all outgoing email, and compliance with CAN-SPAM, CASL, and applicable international anti-spam laws.
Transfer of data to Resend (US) is governed by the EU Standard Contractual Clauses and UK IDTA. Resend's Privacy Policy is available at resend.com/legal/privacy-policy.
9.Prohibited use of the platform
You may not use PolicifyAI or any policy document generated through it to facilitate spam, phishing, or deceptive email practices. Specifically, you may not:
- Generate false privacy policies: Generate privacy policies that misrepresent how you collect, use, share, or process email addresses or other personal data — for example, stating you will not sell data when you do, or omitting disclosure of third-party email sharing.
- Legitimise spam operations: Use PolicifyAI-generated documents to provide a veneer of legitimacy to operations that send unsolicited commercial email or that violate anti-spam laws.
- Deceptive data collection: Collect email addresses through deceptive means including fake forms, web scraping, address harvesting, pre-ticked opt-in boxes, or other means that do not obtain genuine informed consent.
- Phishing and fraud: Generate, publish, or use policies in connection with phishing, financial fraud, identity theft, or other unlawful schemes.
- Third-party spam: Use PolicifyAI to generate policies for third-party businesses or operations that engage in prohibited email practices, where you are aware of or have reasonable reason to suspect such practices.
Violations of these prohibitions will result in immediate account suspension without notice or refund and may be reported to the ICO, Ofcom, the FTC (US), CRTC (Canada), or other relevant authorities. PolicifyAI reserves the right to terminate any account used in connection with spam operations and to cooperate with law enforcement investigations.
10.Reporting spam or abuse
If you receive email that appears to come from a PolicifyAI domain and you believe it to be unsolicited, phishing, or abusive, please report it to us immediately:
- Email: [email protected]
- Include: Forward the full email including headers if possible, or describe what you received.
We investigate all spam reports within 3 business days. Where the report involves a compromised account or a spoofed PolicifyAI sender, we will take immediate action including revoking compromised credentials and updating our DMARC/SPF records as necessary.
Reporting abuse of generated policiesIf you have discovered that a third party is using a PolicifyAI-generated policy document to deceive or defraud end users — for example, by publishing a privacy policy that falsely describes data practices — please contact us with:
- The domain or URL of the offending policy
- A description of the deceptive practice you have observed
- Any supporting evidence (screenshots, emails, etc.)
We will investigate and, where we confirm abuse, terminate the relevant account and notify appropriate authorities. Email abuse reports to [email protected] or security concerns to [email protected].
External reportingYou may also report spam or phishing emails to your national authority:
- UK: Action Fraud (actionfraud.police.uk) or report to your email provider's spam filter.
- EU: Contact your national data protection authority or consumer protection agency.
- US: FTC at reportfraud.ftc.gov or forward to [email protected].
- Canada: CRTC at fightspam.gc.ca.
11.Changes to this policy
We may update this Anti-Spam Policy from time to time to reflect changes in applicable law, regulatory guidance, or our email practices. We will notify you of material changes by:
- Sending an email notice to the address on your account at least 30 days before changes take effect.
- Displaying a notice within the Service at least 30 days before changes take effect.
- Updating the "Last updated" date at the top of this page.
12.Contact
For questions about this policy, email preferences, or to report email abuse:
- Spam reports: [email protected]
- Unsubscribe requests: [email protected]
- Privacy and data subject requests: [email protected]
- General enquiries: [email protected]
- Security incidents: [email protected]