Security & Privacy

Security and privacy for anonymous submissions

For technical reviewers, HR leaders, and compliance teams who need the privacy model in plain language, with details they can actually verify.

Need the workflow and setup path too? Read how RelayClear works, check the FAQ, or start your subscription.

What we do not collect

These are hard limits.

  • No submitter accounts

    Submitters never create accounts. No username, email address, or other personal information is collected at the point of submission. Submitters are warned that their message text may itself contain details that identify them.

  • No raw IP addresses in our database

    We never write a submitter's IP address to our database. For abuse prevention, we store a short-lived one-way identifier derived from the IP. This identifier cannot be reversed to recover the original address, and it expires automatically after 30 days.

  • No long-term storage of submission content

    Submission text is never written to the main database. It exists in temporary encrypted storage only while waiting for delivery and is deleted immediately after the email is sent, at most 24 hours after submission.

  • No analytics or advertising on submission pages

    The /submit/ page loads no third-party analytics, advertising scripts, or social media embeds. The only external resource allowed there is Cloudflare Turnstile for bot protection. Delivery status pages remain privacy-sensitive and have a limited Microsoft Clarity exception documented in the Privacy Policy.

What to verify before you trust any anonymous feedback tool

  1. Open the submission page with your browser's developer tools (Network tab, cache disabled, then reload) and list every origin the page loads from. Anything beyond the page's own origin and the bot-protection provider needs an explanation.
  2. Ask what happens to submission content after delivery and whether it is ever written to a long-term database, included in backups, or copied into logs.
  3. Ask whether the product depends on submitter accounts, reply threads, or stored history to function.
  4. Read the privacy policy and look for IP handling, retention windows, and provider-side logging disclosures. For any "hashed" or "one-way" IP identifier, ask whether the derivation uses a secret key that rotates: an unkeyed hash of an IPv4 address can be reversed by trying all 2^32 addresses, which takes minutes on a laptop and seconds on a GPU.
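Step 1 of the checklist can be done by hand in the Network tab, but a small script makes it repeatable. The block below is an added example, not RelayClear's code: pasted into the DevTools console on a submission page, it groups every loaded resource by origin and reports which third-party origins fall outside an allowlist. The allowlist (Turnstile loads from challenges.cloudflare.com) and the sample URL lists are constructed for the demo; the function names are assumptions.

```javascript
// Added example (not RelayClear's code): audit which third-party origins a page
// actually loaded. In a browser console on the page under review, call:
//   auditThirdPartyOrigins(
//     performance.getEntriesByType('resource').map(e => e.name),
//     location.origin, ALLOWED_THIRD_PARTY);
// The allowlist and the sample URLs below are constructed for the demo.
const ALLOWED_THIRD_PARTY = ['https://challenges.cloudflare.com']; // Cloudflare Turnstile

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Group resource URLs by origin, drop first-party ones, and split the rest into
// allowed and unexpected third parties. Anything in `unexpected` is a question
// to put to the vendor.
function auditThirdPartyOrigins(resourceUrls, pageOrigin, allowlist) {
  const allowed = new Set(allowlist);
  const byOrigin = new Map();
  for (const url of resourceUrls) {
    const origin = originOf(url);
    if (!origin || origin === pageOrigin) continue;
    if (!byOrigin.has(origin)) byOrigin.set(origin, []);
    byOrigin.get(origin).push(url);
  }
  const report = { allowed: {}, unexpected: {} };
  for (const [origin, urls] of byOrigin) {
    (allowed.has(origin) ? report.allowed : report.unexpected)[origin] = urls;
  }
  return report;
}

// Constructed samples: a page that loads only its own assets plus Turnstile,
// and the same page with an analytics tag and a social pixel added.
const SAMPLE_CLEAN = [
  'https://relayclear.com/submit/',
  'https://relayclear.com/static/app.css',
  'https://challenges.cloudflare.com/turnstile/v0/api.js',
];
const SAMPLE_LEAKY = SAMPLE_CLEAN.concat([
  'https://www.googletagmanager.com/gtag/js?id=G-XXXX', // analytics (constructed)
  'https://connect.facebook.net/en_US/fbevents.js',      // social pixel (constructed)
]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditThirdPartyOrigins(SAMPLE_LEAKY, 'https://relayclear.com', ALLOWED_THIRD_PARTY), null, 2));
}
```

Two limits of the performance-timeline approach: the resource buffer holds a bounded number of entries by default (call `performance.setResourceTimingBufferSize` before reload if the page is heavy), and it records only what actually loaded, so rerun it after interacting with the form, since a tracker can be injected after the Turnstile challenge completes.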

How submissions flow

From the submitter's browser to your inbox, step by step.

  1. Submitter visits relayclear.com/submit

     Connection is encrypted via HTTPS/TLS. Cloudflare Turnstile verifies the submitter is human. No account required. Rate-limiting is in place for abuse prevention. Each access code is verified before submission proceeds.

  2. Content held in isolated temporary storage

     Submission content is encrypted and placed in temporary isolated storage. It is not written to the main database at any point.

  3. Delivered to your organization's email

     After a random delay within the window your organization chose (2 hours or 24 hours), the submission is sent to your designated email address via our email provider. Randomizing the delay within the window makes it harder to correlate a delivered submission with the time someone was seen using the submit page.

  4. Content deleted immediately after delivery

     Once the email is sent, the submission content is deleted from our systems. Maximum retention in temporary storage is 24 hours. If delivery to both the primary and backup receiving accounts fails after repeated attempts, the submission is discarded and the submitter has to submit it again later.

  5. Delivery metadata retained for tracking link

     Delivery status metadata (not the content) is retained for 30 days to power the submitter's tracking link. After 30 days, the tracking link expires and the metadata is deleted.

Data retention at a glance

Data type                        Retention       Notes
-------------------------------  --------------  ------------------------------------------------------------
Submission content               Up to 24 hours  Deleted immediately after delivery
Delivery status metadata         30 days         Powers the submitter's tracking link
IP-derived identifier (one-way)  30 days         Abuse prevention only; cannot identify a submitter
Organization account data        While active    Email addresses and billing identifiers, encrypted at field level
Infrastructure logs              Up to 24 hours  Provider-side request logs; see Privacy Policy
Email provider logs              Up to 24 hours  Email delivery logs, as configured

Encryption overview

  • All connections use HTTPS/TLS

    Data in transit between submitters, the RelayClear service, and email providers is encrypted.

  • Data encrypted at rest

    All data stored in the RelayClear database is encrypted at rest.

  • Field-level encryption for sensitive organization data

    Sensitive fields in organization records, including email addresses and payment identifiers, are encrypted at the field level, separate from database-level encryption at rest.

  • Submission content encrypted in isolated storage

    While in temporary storage awaiting delivery, submission content is encrypted and held in isolated storage separate from the main database.

Infrastructure and vendors

RelayClear is built on Cloudflare's edge network and uses a small number of third-party providers.

  • Cloudflare

    Core infrastructure: serverless compute (Workers), database (D1), temporary storage (Durable Objects), and bot protection (Turnstile). Data is processed on Cloudflare's global edge network, with servers in Canada, the US, and elsewhere. See Cloudflare's privacy policy.

  • Mailgun

    Email delivery provider. Submission emails are sent to organization inboxes via Mailgun's transactional email service. No submission content is stored by Mailgun beyond what is necessary for delivery. Log retention is configured for 24 hours for troubleshooting purposes. See Mailgun's privacy policy.

  • Stripe

    Billing and payment processing for organization subscriptions only. Stripe does not have access to any submission content or submitter data. See Stripe's privacy policy.

  • No analytics vendors on submission page

    The /submit/ page does not load any analytics, advertising, or social media scripts. This is a hard privacy constraint, not a preference.

Data location

RelayClear's infrastructure runs on Cloudflare's global edge network. Primary data storage is configured in Canada and the US. Because Cloudflare operates globally, request processing may occur in other regions. If data residency is a requirement for your organization, contact us to discuss options.

Where RelayClear fits in your process

RelayClear protects the intake path. It does not replace your mailbox security, your internal triage and investigation process, or your legal and compliance judgment.

  • Protect the receiving inbox. Use team-managed destination email accounts with strong access controls and clear internal ownership.
  • Publish clear usage guidance. Tell people when to use RelayClear and when urgent, named, or emergency channels are more appropriate.
  • Handle follow-up in your own systems. RelayClear is intentionally narrow: anonymous intake and delivery first, operational workflow second.

Questions about security or privacy?

Contact us at support@relayclear.com. For responsible disclosure of a security vulnerability, use security@relayclear.com.