
Privacy Policy

Last updated: 16 May 2026 — Version 1.0


This Privacy Policy explains how MailMind collects, uses, and protects your information when you use our email triage service. We take your privacy seriously — especially because our service interacts with your email inbox.

Section 01

Who We Are

MailMind is operated as an independent software service. For privacy inquiries or data requests, contact us at privacy@mailmind.app.

As we are based in the European Union (Malta), we are subject to the General Data Protection Regulation (GDPR) and act as the Data Controller for any personal data we process.

Section 02

What Data We Collect

Account Information

When you sign in with Google, we receive:

  • Your Google account email address
  • Your name and profile picture (from Google OAuth)
  • An OAuth access token allowing us to read your Gmail

Email Data

To provide the triage service, we temporarily access:

  • Email headers (sender, subject, date)
  • Email body snippets (first 200 characters)
  • Email metadata (read/unread status, labels)

Important: Email content is processed in memory only. We do not store, log, or retain the content of your emails on our servers after processing is complete.

Usage Data

We collect basic analytics to improve the service:

  • Number of triage sessions run
  • Feature usage (e.g. draft replies, filters used)
  • Error logs (anonymised)
  • Browser type and device type (anonymised)

Payment Data

Payment processing is handled entirely by LemonSqueezy. We never see or store your credit card details. We only receive confirmation of successful payment and your subscription status.

Section 03

How We Use Your Data

We use your data solely to:

  • Provide the email triage and draft reply service
  • Maintain your account and subscription status
  • Send transactional emails (receipts, service notices)
  • Improve the service through anonymised usage analytics
  • Comply with legal obligations

We do NOT use your email content to train AI models. We do NOT sell your data. We do NOT use your data for advertising.

Section 04

Legal Basis for Processing (GDPR)

Under GDPR, we process your data based on the following legal grounds:

  • Contractual necessity — processing required to provide the service you signed up for
  • Legitimate interests — anonymised analytics to improve product quality
  • Legal obligation — retaining billing records as required by law
  • Consent — where you have explicitly provided it (e.g. marketing emails)

Section 05

Gmail API Usage

MailMind uses the Gmail API under Google's Limited Use policy. This means:

  • We only request read-only access to your Gmail
  • We cannot send, delete, or modify emails without your explicit action
  • Your Gmail data is used only to provide the triage service you requested
  • We do not transfer Gmail data to third parties except as necessary to provide the service
  • We do not use Gmail data for advertising or to train AI/ML models

Our use of Gmail data complies fully with Google's API Services User Data Policy, including the Limited Use requirements.

Section 06

Data Sharing

We share your data only with:

  • Google — OAuth authentication and Gmail API access
  • LemonSqueezy — payment processing
  • Anthropic — AI processing of email content (subject to Anthropic's data policies)
  • Hosting providers — infrastructure only; no access to email content

We require all third-party providers to maintain appropriate security standards. We do not sell your personal data to any party.

Section 07

Data Retention

  • Account information — retained while your account is active
  • Email content — never stored; processed in memory and discarded immediately
  • Usage analytics — retained for 12 months in anonymised form
  • Billing records — retained for 7 years as required by EU tax law

When you delete your account, all personal data is permanently deleted within 30 days, except billing records required by law.

Section 08

Your Rights Under GDPR

As a data subject, you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data ('right to be forgotten')
  • Restriction — request we limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, email us at privacy@mailmind.app. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Malta, this is the Information and Data Protection Commissioner (idpc.org.mt).

Section 09

Security

We implement appropriate technical and organisational measures to protect your data:

  • All data transmitted using HTTPS/TLS encryption
  • OAuth tokens stored encrypted at rest
  • Regular security reviews and vulnerability assessments
  • Access to production systems limited to essential personnel only
  • Email content never written to persistent storage

While we take security seriously, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@mailmind.app.

Section 10

Cookies

We use only essential cookies required for the service to function:

  • Session cookie — keeps you logged in during your session
  • Preference cookie — remembers your triage settings

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Section 11

Children's Privacy

MailMind is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@mailmind.app.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

  • Update the 'Last updated' date at the top of this document
  • Notify active users by email at least 14 days before changes take effect
  • Post a notice on our website

Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

Section 13

Contact Us

For any privacy questions, data requests, or concerns:

Privacy enquiries & GDPR requests

privacy@mailmind.app

Security disclosures

security@mailmind.app

Response time: within 5 business days. For urgent GDPR requests, use subject line: GDPR Request.