Email Handling & Anti-Spam Policy
Last Updated: February 6, 2026
1. OVERVIEW
LegalFlow operates a zero-tolerance policy towards unsolicited commercial email (spam). This policy outlines our protocols for email transmission, user consent, and infrastructure security. We utilize Amazon Simple Email Service (SES) to ensure high deliverability, security, and compliance with international anti-spam laws, including the CAN-SPAM Act (USA), CASL (Canada), and GDPR (EU).
2. TYPES OF EMAILS WE SEND
To maintain clarity and trust, we strictly categorize emails into two types:
2.1. Transactional Emails
These are automated emails triggered by user actions or specific events within the application. These emails are essential for the functioning of the service. Examples include:
- Account Verification: Emails containing links or codes to verify a new user's email address.
- Password Resets: Secure links to reset lost or forgotten passwords.
- Security Alerts: Notifications of new logins from unrecognized devices or IP addresses.
- Case Updates: Notifications when a document is uploaded, a message is received, or a task is assigned within a case file.
- Billing Notifications: Invoices, payment receipts, and dunning notifications for failed payments.
Note: You cannot opt out of Transactional Emails, as they are required for the performance of the contract, unless you close your account.
2.2. Marketing Emails (Optional)
These are promotional communications sent to inform you about new features, special offers, or newsletters. Examples include:
- Monthly product digests.
- Webinar invitations.
- Referral program updates.
Requirement: We only send Marketing Emails to users who have explicitly opted in via a checkbox during registration or in their account settings. You may unsubscribe at any time via the link in the footer of these emails.
3. CONSENT AND OPT-IN
3.1. Explicit Consent. During the registration process, we employ a "double opt-in" mechanism where possible. Users must actively check a box to agree to our Terms and Privacy Policy. Marketing consent is collected via a separate, unchecked box.
3.2. Recording Consent. We store the timestamp, IP address, and specific wording of the consent form used at the time of signup to demonstrate compliance with GDPR accountability requirements.
4. UNSUBSCRIBE AND OPT-OUT MECHANISMS
4.1. One-Click Unsubscribe. All marketing and non-essential emails contain a visible, functional "Unsubscribe" link in the footer. Clicking this link immediately updates our suppression list.
4.2. Processing Time. While our systems usually process unsubscribe requests instantly, please allow up to 48 hours for the changes to propagate across all mailing lists.
5. BOUNCE AND COMPLAINT HANDLING
We actively monitor our sending reputation through Amazon SES feedback loops.
- Hard Bounces (Permanent Failures): If an email sent to you returns a "Hard Bounce" (e.g., address does not exist), your email address is immediately placed on our Suppression List to prevent future sending attempts. This protects our domain reputation.
- Soft Bounces (Temporary Failures): If an email returns a "Soft Bounce" (e.g., mailbox full), we will retry delivery for a period of 72 hours before marking the delivery as failed.
- Spam Complaints: If a user marks a LegalFlow email as "Spam" in their email client, we receive a notification. We immediately unsubscribe that user from marketing communications. High rates of complaints may lead to a manual review or suspension of the user's account to investigate potential compromise.
6. EMAIL AUTHENTICATION AND SECURITY
To protect our users from phishing and spoofing, LegalFlow implements strict email authentication protocols:
6.1. SPF (Sender Policy Framework)
We publish SPF records in our DNS to list the IP addresses and domains that are authorized to send email on our behalf (specifically, Amazon SES). This allows receiving mail servers to verify that the email actually came from us.
6.2. DKIM (DomainKeys Identified Mail)
We cryptographically sign every email we send using DKIM. This allows receiving mail servers to verify that the email content has not been altered in transit between our servers and your inbox.
6.3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
We have a DMARC policy set to "quarantine" or "reject". This instructs receiving mail servers (such as Gmail and Outlook) to quarantine or reject any email claiming to be from @legalflow.com that fails SPF or DKIM checks.
6.4. TLS Encryption
We force TLS (Transport Layer Security) 1.2 or higher for all outbound email connections. If your email provider supports TLS, the connection between our server and yours is encrypted.
7. THIRD-PARTY INFRASTRUCTURE
We utilize Amazon Web Services (AWS) Simple Email Service (SES) located in the eu-west-1 (Ireland) or eu-west-3 (Paris) regions. AWS is ISO 27001 certified and GDPR compliant. By using our service, you acknowledge that your email address and the content of transactional emails are processed through AWS infrastructure.
8. PROHIBITED CONTENT
Users are strictly prohibited from using the LegalFlow messaging or invitation systems to send:
- Unsolicited promotions to third parties.
- Content that is illegal, harassing, defamatory, or obscene.
- Phishing links or malware.
- Multi-level marketing (MLM) schemes.
Violation of this policy will result in immediate account termination.
9. CONTACT US
If you believe you have received spam from us or have questions about this policy, please contact our abuse team immediately at abuse@yourdomain.com.