Controller: You (the customer). Processor: GPTemail.me. Effective: 24 Nov 2025.
Subject & duration
AI email processing (ingest, summarise, translate, respond) for the term of your subscription or until deletion on request.
Data types & subjects
- Email content, headers, attachments, metadata; user identifiers; billing identifiers.
- Data subjects: your end users, correspondents, and authorised account users.
Processor obligations
- Process only on your documented instructions (including this DPA and product configuration).
- Confidentiality for authorised personnel; least‑privilege access.
- Security: TLS in transit; data isolation per tenant; secrets in Secret Manager; logging/alerting; monthly usage reset controls.
- Subprocessors only as listed below; prior notice for changes with a right to object.
- Assist with data subject requests, breach notifications, DPIAs where relevant.
- Delete or return personal data at end of contract, subject to legal retention.
Subprocessors
- Google Cloud (hosting, storage, Pub/Sub, Firestore, Cloud Run).
- OpenAI / Google Gemini (LLM inference).
- Stripe (payments/subscriptions).
- ZeptoMail (outbound email delivery).
- Cloudflare (edge/email ingress, DNS, WAF).
We will post changes on this page at least 15 days before adding a new subprocessor.
International transfers
We use SCCs and provider safeguards for transfers outside the UK/EU. An EU-only deployment option (Firestore eur3 / Cloud Run europe-west4) is available on request.
Audits
We will provide reasonable information to demonstrate compliance and will cooperate with supervisory authorities. Formal audits are subject to prior notice and confidentiality.
Contact
Email privacy@gptemail.me for data protection requests or a countersigned DPA (full PDF available on request).