Last updated: 24 Nov 2025 · Applies to individuals in the EU, EEA, and UK. This supplements the main privacy policy.
Purposes & Legal Bases
| Purpose | Data categories | Legal basis |
|---|---|---|
| Provide the service (process inbox rules, generate AI outputs, deliver emails) | Email headers/metadata, account identifiers (uid, email), AI summaries | Contract necessity (Art. 6(1)(b)) |
| Billing & fraud prevention | Subscription status, usage counters, payment identifiers, audit logs | Contract necessity; Legitimate interests for abuse prevention (Art. 6(1)(f)) |
| Service analytics (non-essential) | Pseudonymous usage events, request identifiers, device/region | Consent (Art. 6(1)(a)) via cookie banner |
| Support & incident response | Support tickets, logs with requestId/uid, limited diagnostic metadata | Legitimate interests (Art. 6(1)(f)) |
International Transfers
- Primary hosting: Google Cloud `nam5` (United States multi-region). Providers for AI (OpenAI, Google Vertex AI), messaging (ZeptoMail), payments (Stripe), and edge (Cloudflare) are US-based.
- Safeguards: EU–US Data Privacy Framework where available; Standard Contractual Clauses (2021/914) as fallback.
- Supplementary measures: TLS in transit, encryption at rest, strict access controls, minimization (no email bodies stored).
- EU-only option: Firestore/Cloud Run/Pub/Sub in `eur3` / `europe-west4` available on request.
Retention
| Data set | Default retention | Notes |
|---|---|---|
| Email metadata | Until account deletion; stuck docs cleaned via 24h TTL | No email bodies stored |
| Processing records | ~30 days | Cleanup/archival tasks |
| Billing usage | 13 months | Financial audit window |
| API key usage | 90 days | Abuse analytics |
| Logs | dev 14d / staging 30d / prod 90d | See logging retention policy |
Your Rights
Access, rectification, erasure, restriction, portability, and objection. Submit via the in-app DSR form at /privacy/dsr or email privacy@gptemail.me. We aim to respond within 30 days.
Contacts
- Data Protection Officer: ops@gptemail.me
- EU representative (Article 27): representative@gptemail.me
Updates
Material changes will be posted here and in the dashboard notice banner with at least 14 days’ advance notice for non-essential processing changes.