EU EMAIL API
GDPR-compliant email, hosted in Germany
Transactional email that never leaves the EU — a developer email API + SMTP relay on EU infrastructure, GDPR by default.
What “GDPR-compliant transactional email” actually means
“GDPR-compliant” is not a badge a product earns once — it describes how an email service provider handles personal data on your behalf. When you send through an email API, two roles are in play. You are the data controller: you own the recipient list and decide what gets sent and why. The provider is a data processor: it processes that data only to carry out delivery.
In practice, GDPR compliance for transactional email comes down to concrete, checkable things: which categories of personal data the provider touches (recipient addresses, message content, and delivery events such as sent, opened, clicked, bounced, and complained), how long that data is retained, who the sub-processors are, and where the data is physically processed and stored. That last point — data residency — is where many otherwise-equivalent providers differ, and it is the focus of this page.
Why US email APIs are a data-residency concern for EU senders
Most popular transactional email APIs are operated by US companies and run on US cloud infrastructure. When an EU sender uses one of these services, the recipients’ personal data — their email addresses and the content sent to them — is transferred to and processed in the United States.
Cross-border transfers of EU personal data to the US are constrained by the GDPR’s rules on international transfers. The Court of Justice of the EU’s Schrems II ruling invalidated the Privacy Shield framework and made clear that relying on standard contractual clauses alone may not be enough; transfers can require additional safeguards and a case-by-case assessment. The EU–US Data Privacy Framework has since been adopted to provide a transfer mechanism, but it remains the subject of legal challenge, which leaves organizations weighing ongoing uncertainty.
This is a neutral, factual point, not a claim that US providers are unlawful: many EU organizations use them with appropriate safeguards in place. But every US-based provider and every US-based sub-processor in the delivery path is one more transfer to account for in your records of processing. The simplest way to reduce that surface for the email itself is to not make the transfer at all.
How zSender keeps it in the EU
zSender runs on infrastructure hosted in Germany (Hetzner). The mail you send is processed and delivered by our own mail server (a self-hosted Postal MTA) in the EU. Your recipients’ email data — addresses, message content, and the delivery events we record — is processed and stored in the EU rather than routed through US infrastructure.
You integrate the way you already work. zSender exposes a developer HTTP API for sending transactional email and an SMTP relay that authenticates with your API key, so existing SMTP clients and libraries work without a rewrite. Both paths deliver from the same EU-hosted infrastructure, which means your choice of integration never changes where the email is processed.
For the recipient data flowing through the service, zSender acts as your data processor: you stay in control of your lists, and we handle delivery, deliverability, suppression, and one-click unsubscribe on your behalf. For the full detail of what we process, how long we keep it, and our sub-processors, see our Privacy Policy.
FAQ
Where is the email I send through zSender processed and stored?
zSender runs on infrastructure hosted in Germany (Hetzner). The mail you send — message content, recipient addresses, and delivery events — is processed and delivered by our mail server in the EU, so your recipients' email data stays within the EU rather than being routed through US infrastructure.
Is zSender a data controller or a data processor?
For the recipient data in the email you send, zSender acts as a data processor under the GDPR — you remain the controller of your recipient lists and decide what mail goes out. We process that data on your behalf to deliver it, track delivery events, and honor suppression/unsubscribe signals.
Why does it matter that a transactional email API is hosted in the EU?
If your email provider processes data on US infrastructure or relies on US-based sub-processors, transfers of EU personal data to the US fall under the scrutiny raised by the Schrems II ruling, which can require additional safeguards. Keeping the processing and delivery within the EU avoids that transfer for the recipient data flowing through the API in the first place.
Can I send through both an HTTP API and SMTP?
Yes. zSender exposes a developer HTTP API for sending and an SMTP relay using your API key as the credential. Both paths deliver from the same EU-hosted infrastructure, so you can switch your application between them without changing where your email is processed.