Privacy Policy for MailMap

Effective Date: 1.6.2025

Last Updated: 1.6.2025

1. Introduction

Welcome to MailMap ("we," "us," "our"). We provide a service that helps users organize their Gmail inbox by automatically labeling emails using artificial intelligence based on user-defined rules and prompts (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and handling your data in an open and transparent manner. Our company, MailMap, is based in Finland.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access or use the Service.

2. Information We Collect

We collect information about you in various ways when you use our Service. This includes:

Information You Provide Directly:

• Account Information: When you sign up using Google Sign-In, we receive access to your basic Google profile information (such as your name, email address, and profile picture) as permitted by Google and your settings.
• User Configuration: We store the labels you define and the corresponding prompts you create to guide the AI classification.

Information Collected Automatically:

• Email Data: To provide the core functionality of our Service, we require access to your Gmail account. This includes:
  • Email Content and Metadata: We access the content (body, subject) and metadata (sender, recipients, date, headers, unique identifiers) of emails in your connected Gmail account solely for the purpose of classifying and applying labels according to the rules and prompts you have defined.
  • Labels: We access and modify labels within your Gmail account to apply the classifications generated by the Service.
• Usage Data: We may collect information about how you interact with our Service, such as features used, clicks, session duration, and performance metrics. This helps us improve the Service. This data is typically anonymized or aggregated.
• Device and Connection Information: We may collect information about the device you use to access our Service, such as IP address, browser type, operating system, and referring URLs (potentially collected via Cloudflare or DigitalOcean logs).

Information from Third Parties:

• Google: As mentioned, we use Google Sign-In for authentication and the Gmail API to access and manage your emails as instructed by you via the Service. Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements (see Section 12).
• Polar.sh: If you subscribe to a paid plan, your payment information (like credit card details) is processed directly by Polar.sh. We do not store your full payment card details on our servers, though we may receive information like subscription status, transaction IDs, and billing contact details from Polar.sh.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide and Manage the Service:
  • Authenticate your access via Google Sign-In.
  • Fetch emails from your connected Gmail account.
  • Process email content and metadata using the Gemini Large Language Model (LLM) based strictly on the labels and prompts you define.
  • Apply the generated labels to the corresponding emails in your Gmail account.
  • Manage your account, subscriptions, and settings.
• To Process Payments: Facilitate transactions for paid subscriptions via Polar.sh.
• To Improve the Service: Analyze usage patterns to understand how our Service is used, diagnose technical issues, and enhance user experience. We strive to use aggregated or anonymized data for this purpose where possible.
• To Communicate With You: Respond to your inquiries, send service-related announcements (e.g., maintenance, policy updates), and provide customer support.
• To Ensure Security and Compliance: Protect against fraud, abuse, and security threats. Comply with legal obligations and enforce our terms.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), Switzerland, or the UK, our legal basis for collecting and using the personal information described above will depend on the information concerned and the specific context:

• Consent: We rely on your explicit consent to access your Gmail account and process your email content and metadata for the purpose of providing the AI labeling Service. You provide this consent before connecting your account (see Section 11). You can withdraw this consent at any time.
• Contractual Necessity: We process certain information (like account details, subscription status) as necessary to provide the Service you have requested under our Terms of Service, including managing your subscription and processing payments.
• Legitimate Interests: We may process limited usage data or technical information based on our legitimate interests in operating, securing, and improving our Service, provided these interests are not overridden by your data protection rights.
• Legal Obligation: We may process information if required to comply with applicable laws or regulations.

5. Data Sharing and Third Parties

We do not sell your personal information. We may share your information with third-party service providers who perform services for us or on our behalf, under strict confidentiality agreements and data processing agreements where applicable:

• Google (Authentication & Gmail API): To authenticate you and access/manage your Gmail data as directed by the Service configuration.
• Google Cloud / Gemini LLM: Your email content and metadata, along with your defined prompts, are sent to Google's Gemini LLM infrastructure for processing to generate classification labels. Google processes this data according to their terms and privacy policies. We rely on Google's security and privacy commitments for this processing.
• DigitalOcean: Our application hosting provider. Your configuration data and potentially temporarily cached data might reside on their servers.
• Cloudflare: Our Content Delivery Network (CDN) and domain provider. They may process technical data like IP addresses to deliver content efficiently and provide security services (e.g., DDoS protection).
• Polar.sh: Our payment processing partner. They handle payment information directly according to their own privacy policy and security standards (PCI-DSS compliant).
• Legal Requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction, subject to the commitments made in this Privacy Policy.

6. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your own, including countries outside the EEA, Switzerland, or the UK (such as the United States where Google, Cloudflare, DigitalOcean, and potentially Polar.sh operate infrastructure). These countries may have data protection laws that are different from the laws of your country.

When we transfer your personal information internationally, we take appropriate safeguards to ensure your information remains protected. This includes relying on adequacy decisions by the European Commission where applicable, or implementing Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate legal mechanisms, along with supplementary measures as needed.

7. Data Security

We implement administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. These include encryption, access controls, and secure development practices.

However, please be aware that no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against interception or misuse. We cannot guarantee the absolute security of your information. You are also responsible for maintaining the security of your Google account credentials.

8. Data Retention

We retain your personal information for as long as necessary to provide the Service, fulfill the purposes outlined in this Privacy Policy, comply with our legal obligations (e.g., tax, accounting), resolve disputes, and enforce our agreements.

• Account Information & Configuration: Retained as long as your account is active, and for a reasonable period thereafter for backup or legal purposes.
• Email Data: Email content and metadata are processed transiently for classification. We do not store the content of your emails on our systems long-term. We may store metadata related to processed emails (e.g., email ID, applied label, timestamp) for operational purposes or history features, but we minimize this storage.
• Payment Information: Handled by Polar.sh; we retain only transactional metadata as needed for billing and compliance.

Upon account deletion request or inactivity beyond a defined period, we will take steps to delete or anonymize your information according to our data retention policies, unless retention is legally required.

9. Your Data Protection Rights (GDPR and others)

Depending on your location, you may have the following rights regarding your personal information:

• Right to Access: Request access to the personal information we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal information.
• Right to Erasure ('Right to be Forgotten'): Request deletion of your personal information, subject to certain exceptions.
• Right to Restrict Processing: Request restriction of the processing of your personal information under certain conditions.
• Right to Data Portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format.
• Right to Object: Object to the processing of your personal information based on legitimate interests.
• Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent as the legal basis for processing (e.g., accessing your Gmail). Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. Note that withdrawing consent for Gmail access will prevent the Service from functioning.
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority (like the Data Protection Ombudsman in Finland or your local authority) if you believe our processing infringes data protection laws.

To exercise these rights, please contact us using the details below. We may need to verify your identity before responding to your request.

10. Children's Privacy

Our Service is not intended for individuals under the age of 16 (or a higher age if stipulated by local law). We do not knowingly collect personal information from children.

If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

11. Connecting Your Google Account & Withdrawing Consent

Before you can use MailMap, you will be asked to grant us permission to access your Gmail account via Google's authorization process. We will clearly state the permissions required and link to this Privacy Policy. By granting this permission, you explicitly consent to us accessing and processing your email data as described herein.

You can revoke our access to your Google Account at any time through your Google Account settings. Revoking access will stop the Service from processing new emails and applying labels.

12. Google Limited Use Disclosure

Notwithstanding anything else in this Privacy Policy, our use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements. This means:

• We only use access to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide the MailMap service that allows users to automatically label their emails based on their defined rules and prompts, and to improve this user-facing feature.
• We do not transfer this Gmail data to others unless doing so is necessary to provide or improve these user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
• We do not use this Gmail data for serving advertisements.
• We do not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations and even then only when the data have been aggregated and anonymized.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on our website and updating the "Last Updated" date. We may also notify you via email or through the Service. We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: