Last updated: 9 April 2026 · Applies to individuals in the EU, EEA, and UK. This supplements the main privacy policy.
Purposes & Legal Bases
| Purpose | Data categories | Legal basis |
|---|---|---|
| Provide the service (process inbox rules, generate AI outputs, deliver emails) | Email headers/metadata, account identifiers (uid, email), AI summaries | Contract necessity (Art. 6(1)(b)) |
| Billing & fraud prevention | Subscription status, usage counters, payment identifiers, audit logs | Contract necessity; Legitimate interests for abuse prevention (Art. 6(1)(f)) |
| Service analytics (non-essential) | Pseudonymous usage events, request identifiers, device/region | Consent (Art. 6(1)(a)) via cookie banner |
| Support & incident response | Support tickets, logs with requestId/uid, limited diagnostic metadata | Legitimate interests (Art. 6(1)(f)) |
International Transfers
- We operate both a US-primary stack and an EU-routed stack. For accounts routed to the EU stack, core
application storage and compute for supported product flows run in Google Cloud
eur3/europe-west4. - Some supporting services and subprocessors may still process or transfer personal data outside the EEA/UK, including for payments (Stripe), outbound email delivery (ZeptoMail), edge/security services (Cloudflare), and certain support or transfer functions.
- We do not represent that every processor used for the service keeps all personal data exclusively inside the EEA/UK.
- Safeguards: Standard Contractual Clauses and other provider transfer mechanisms where applicable, including the EU–US Data Privacy Framework where the relevant provider makes it available.
- Supplementary measures: TLS in transit, encryption at rest, strict access controls, minimization (no email bodies stored).
- Payment processors and other regulated service providers may also use data under their own privacy notices and legal obligations.
Retention
| Data set | Default retention | Notes |
|---|---|---|
| Email metadata | Until account deletion; stuck docs cleaned via 24h TTL | No email bodies stored |
| Processing records | ~30 days | Cleanup/archival tasks |
| Billing usage | 13 months | Financial audit window |
| API key usage | 90 days | Abuse analytics |
| Logs | dev 14d / staging 30d / prod 90d | See logging retention policy |
Your Rights
Access, rectification, erasure, restriction, portability, and objection. Submit via the in-app DSR form at
/privacy/dsr or email privacy@gptemail.me. We aim to
respond within 30 days.
Contacts
- Primary privacy contact: privacy@gptemail.me
- No dedicated Data Protection Officer is appointed for MVP at this time.
- If an Article 27 representative is appointed for the live operating model, the formal contact details will be published on this page.
Updates
Material changes will be posted here and in the dashboard notice banner with at least 14 days’ advance notice for non-essential processing changes.