Compliance Hub
Overview
CLEAR RULES, GUIDANCE, AND CONFIDENCE FOR EVERY USER
The Compliance Hub explains how Desired Email is designed to handle safety, privacy, and approved use. It is written in clear language so families, schools, medical practices, financial firms, charities, and businesses can understand how we approach protection and responsibility. Our goal is to earn trust by explaining how controls are designed and how responsibilities are shared.
This page is a guide and not a legal contract. Binding terms are defined in the Terms of Service and any applicable agreements. This page highlights major compliance areas and explains how to request supporting documentation.
Some documents may be shared immediately with qualified organizations, regulators, or auditors. Other materials require a mutual nondisclosure agreement because they contain sensitive security or operational details. We clearly explain requirements before sharing any documents.
Core Security and Risk Management
CLEAR RULES THAT GUIDE HOW WE PROTECT INFORMATION AND REDUCE RISK
We maintain written security controls that are designed to reduce risk and keep actions predictable and accountable. These include access controls, encryption standards, device rules, and incident response planning. Together, these controls help reduce exposure and guide how issues are handled when they arise.
Organizations remain responsible for their own security programs, user training, and internal procedures. High-level security documentation is available to qualified reviewers upon request.
HIPAA Support and Approved Use
SUPPORTS HIPAA-ALIGNED COMMUNICATION WITH CAREFUL CONTROLS
HIPAA protects personal health information and sets requirements for how it is handled. Desired Email is designed to support HIPAA-aligned communication by using encryption and approval-based access and by not storing encryption keys. We do not access message content.
Covered entities and business associates remain responsible for their own HIPAA compliance programs, training, and policies. HIPAA-aligned guidance and Business Associate Addendum materials are available to qualified organizations by request.
PCI DSS and Payment Protection
PAYMENTS STAY PROTECTED BY KEEPING CARD DATA OUT OF OUR ENVIRONMENT
Stripe Checkout handles all payment card data. Desired Email does not store, process, or transmit cardholder information through its systems. This design helps keep payment data outside our operational environment and reduces PCI scope.
PCI-related documentation may be shared with qualified organizations or auditors upon request. Some materials may require a mutual nondisclosure agreement before release.
COPPA and Children
STAY IN CONTROL OF HOW CHILDREN COMMUNICATE
COPPA protects the online privacy of children under the age of thirteen. Desired Email requires approval by a parent, guardian, school, or authorized organization before a child account may be used. Children cannot approve their own contacts.
Approving adults or institutions control who may contact a child and may pause, limit, or revoke access at any time. No unapproved or unknown contacts may message a child account.
FERPA and Student Records
STAY IN CHARGE OF STUDENT RECORDS AND WHO MAY CONTACT STUDENTS
FERPA protects student education records and governs access to student information. Desired Email is designed to support FERPA-aligned use by requiring approval before contact and limiting external access by default.
Schools and educational institutions control account permissions and may pause, limit, or revoke access at any time. FERPA alignment statements and guidance are available to qualified institutions upon request.
Data Rights and Privacy Controls
USERS HAVE RIGHTS OVER THEIR INFORMATION AND WE RESPECT THOSE RIGHTS
We collect only the data needed to operate the service, support billing, and meet legal obligations. We do not sell personal information to third parties. Clear data retention rules define how long different categories of information are kept.
Where allowed by law, users may request access, correction, or deletion of personal data. Requests are reviewed and handled in a fair and transparent manner based on legal and operational requirements.
Consent and Governance
THE RIGHT PERSON APPROVES USE SO ACCOUNTS STAY SAFE AND RESPONSIBLE
Accounts involving children, students, or managed users require approval by a parent, school, employer, or authorized administrator. Clear consent rules help prevent misuse and confusion.
Written governance and consent policies define approval authority and responsibilities. These materials are available to regulators, auditors, and qualified organizations upon request.
Audit, Logging, and Oversight
VISIBILITY AND REVIEW HELP US STAY ACCOUNTABLE AND EARN TRUST
Security logs record important events such as sign-ins, approvals, and configuration changes. Logs support security investigations and accountability but are not used to monitor message content.
High-level logging information may be shared freely with qualified reviewers. More detailed technical materials may require a mutual nondisclosure agreement.
Acceptable Use and Safety
CALM, RESPECTFUL COMMUNICATION WITHOUT ABUSE OR UNWANTED CONTACT
Desired Email is intended for respectful, lawful communication. Abuse, harassment, spam, phishing, and illegal activity are not permitted. Repeated violations may result in suspension or removal.
These rules protect the wider community and help keep inboxes focused on wanted communication.
Business Continuity and Incident Response
PLANS AND RESPONSES HELP US RECOVER, RESTORE ACCESS, AND STAY PREPARED
Even well-designed systems may experience disruptions. Business continuity planning is intended to help restore service as quickly as reasonably possible.
Incident response plans describe how issues are investigated, how users are informed when appropriate, and how coordination with authorities occurs when required.
Vendors and Third Parties
VENDORS SUPPORT OUR SERVICE WHILE FOLLOWING CONTROLLED ACCESS RULES
Desired Email relies on trusted vendors such as Stripe and cloud infrastructure providers. Vendors are selected based on security and privacy alignment.
Vendor access is limited to what is necessary to perform services. Written agreements define data handling responsibilities and restrictions.
Training and Awareness
TRAINING AND AWARENESS SUPPORT SAFE AND RESPONSIBLE USE
People play a critical role in security and privacy. Training and guidance help ensure responsibilities are understood and followed.
Training materials are updated as systems and policies change, and records are maintained to show training occurred.
Request Documents or NDA
If you are a subscriber, promoter, school, medical practice, financial firm, charity, or other organization and need specific documentation, you may request it at compliance@desiredemail.com. Please include your role and the materials you wish to review.
Some materials require a mutual nondisclosure agreement before sharing. This protects both your organization and Desired Email while information is reviewed.

