General Data Protection
Regulation (GDPR)

BulkEmailSetup.com, operated by Goletro Technologies Pvt. Ltd., is fully committed to complying with the European Union's General Data Protection Regulation (GDPR). Although our company is headquartered in Pune, India, we serve customers in the European Economic Area (EEA) and process data that falls under the scope of GDPR.

We have implemented comprehensive organizational and technical measures to ensure that personal data is processed lawfully, fairly, and transparently. This page outlines how we meet our obligations under the regulation and how you can exercise your rights.

Our infrastructure services — dedicated SMTP servers, IP rotation, and email marketing platform — are designed with privacy-by-design and privacy-by-default principles at their core.

The data controller responsible for processing your personal data is:

As the data controller, we determine the purposes and means of processing personal data collected through our website, platform, and customer communications.

We process personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on include:

• Contract Performance (Art. 6(1)(b)): Processing is necessary to provide our services to you — including provisioning SMTP servers, configuring dedicated IPs, setting up your email marketing platform, and providing technical support.
• Legitimate Interest (Art. 6(1)(f)): We process data for fraud prevention, network security, service improvement, and to ensure the deliverability and reputation of our shared and dedicated IP pools.
• Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent — for example, before sending marketing communications, placing non-essential cookies, or processing data for purposes beyond what is necessary for service delivery.
• Legal Obligation (Art. 6(1)(c)): We may process data to comply with applicable legal requirements, such as tax regulations, anti-spam laws, or law enforcement requests.

We collect and process the following categories of personal data:

If you are located in the EEA, you have the following rights regarding your personal data under the GDPR:

You also have the right to withdraw consent at any time (where processing is based on consent) and the right to lodge a complaint with a supervisory authority in your EU member state.

To exercise any of the rights described above, please contact us at:

We will verify your identity before processing any request and respond within 30 days of receiving your request, as required by the GDPR. If additional time is needed due to the complexity of the request, we will notify you within the initial 30-day period.

There is no fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.

When we process personal data on your behalf (i.e., the email recipient data you upload to our platform), we act as a data processor under Article 28 of the GDPR. We offer a Data Processing Agreement (DPA) to all customers that outlines:

• The nature, purpose, and duration of processing
• The types of personal data and categories of data subjects
• Our obligations and your rights as the data controller
• Technical and organizational security measures we implement
• Sub-processor engagement terms and notification procedures
• Data deletion and return obligations upon contract termination

To request a signed DPA, please contact us with the subject line “DPA Request”.

Goletro Technologies Pvt. Ltd. is headquartered in Pune, India. When personal data is transferred from the EEA to India (which is not recognized by the European Commission as providing an adequate level of data protection), we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs as the primary transfer mechanism when personal data flows from EEA customers to our infrastructure in India.
• Supplementary Measures: We implement additional technical safeguards including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security audits.
• Server Location Options: For customers who require data residency, we offer the option of provisioning dedicated SMTP servers in EU-based data centers to keep data within the EEA.

We periodically review and assess the data protection landscape in India and update our safeguards to ensure continued compliance with GDPR transfer requirements.

In the event of a personal data breach, we are committed to the following response protocol:

• Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 of the GDPR.
• Data Subject Notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to affected individuals without undue delay, as required by Article 34.
• Customer Notification (Processor Role): When acting as a data processor, we will notify the data controller (our customer) without undue delay after becoming aware of a breach, so that the controller can meet its own notification obligations.
• Documentation: All breaches, including those not requiring notification, are documented with details of the incident, its effects, and the remedial actions taken.

For all matters related to data protection and GDPR compliance, you may contact our Data Protection Officer:

The DPO is responsible for overseeing our data protection strategy, ensuring GDPR compliance, and serving as the point of contact for data subjects and supervisory authorities.

We use a limited number of third-party sub-processors to deliver our services. Each sub-processor is bound by data processing agreements that ensure GDPR-compliant handling of personal data.

We will notify customers of any intended changes to our sub-processor list, giving you the opportunity to object to such changes before they take effect.

Our website uses only strictly necessary cookies required for core functionality (e.g., security tokens). In compliance with the GDPR and the ePrivacy Directive:

• We do not use analytics, marketing, or preference cookies. Our analytics provider (Plausible Analytics) is fully cookie-free and does not collect personal data.
• Google reCAPTCHA may set a necessary cookie (_GRECAPTCHA) for spam prevention, which is classified as strictly necessary.
• Since we only use strictly necessary cookies, no cookie consent banner is required under the GDPR or ePrivacy Directive.
• You can manage or delete cookies at any time through your browser settings.

For detailed information about the cookies we use, please refer to our Cookie Policy.

If you have any questions, concerns, or requests related to GDPR compliance or your personal data, please do not hesitate to reach out:

We aim to respond to all GDPR-related inquiries within 5 business days. For formal data subject requests, the statutory 30-day response period applies.