Privacy Policy for Mail Intelligence

Effective Date: January 15, 2025
Last Updated: January 15, 2025

Our Privacy Commitment

At Mail Intelligence, privacy isn't just a feature—it's our foundation. We built our service with a simple principle: your email data belongs to you, and we're just helping you protect it. We operate with minimal data collection, strong encryption, and transparent practices. No exceptions. No hidden agendas.

Information We Collect

Information You Provide Directly

  • Contact Information: Name, work email address, company name when you request a demo or trial
  • Communications: Messages you send to our support team
  • Account Information (Enterprise): Username, encrypted password, organization details, encryption keys you provide for enterprise deployments

Information We Automatically Collect

  • Usage Data: How you interact with our website (pages visited, features explored, time spent) - retained for 30 days
  • Device Information: Browser type, operating system (we do not collect or store IP addresses)
  • Log Data: Server logs, error reports, and performance metrics (personal data removed after 30 days)

Information We Don't Collect

  • We don't track your browsing activity outside our service
  • We don't collect sensitive personal information unless necessary for service provision
  • We don't use tracking technologies for advertising or cross-site purposes
  • We don't collect biometric data, health data, or financial account information
  • We do read emails that are sent to us, or where the Mail Intelligence service is contracted and actively used

Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b)):

  • Processing demo and trial requests
  • Providing the Mail Intelligence email analysis service
  • Delivering threat intelligence reports
  • Providing customer support

Legitimate Interests (Article 6(1)(f)):

  • Improving our service through anonymized analytics
  • Preventing fraud and security threats
  • Conducting business operations and communications

Legal Obligations (Article 6(1)(c)):

  • Complying with tax and financial reporting requirements
  • Responding to lawful government requests
  • Maintaining records as required by law

Consent (Article 6(1)(a)):

  • Marketing communications (where required by law)
  • Optional analytics

How We Use Your Information

Primary Uses

  • Service Delivery: Email threat, leak, and sentiment analysis
  • Demo and Trial Management: Processing your requests and setting up evaluations
  • Customer Support: Responding to your questions and troubleshooting issues
  • Service Improvement: Analyzing anonymized usage patterns to enhance our service

Email Intelligence Processing

  • Our Outlook add-in analyzes email headers, recipients, and message body content
  • Analysis occurs in your Outlook environment and on our servers
  • We do not store email content beyond the time required to process analytics
  • All AI models used have strict no-training policies on our or our customers' data
  • Processing is performed only for contracted analysis services

Marketing and Communications

  • Service-related emails (demo confirmations, trial updates, security alerts)
  • Billing and license management communications
  • Optional marketing emails (with your explicit consent, easily unsubscribable)
  • Product updates and feature announcements (opt-out available)

Data Sharing and Disclosure

We Share Information With

Service Providers and Sub-Processors:
We work with carefully selected third-party vendors who help us operate our service:

  • Cloud hosting providers for secure infrastructure
  • Email service providers for communications (Resend)
  • CRM services for managing demo and trial requests (HubSpot)
  • Analytics providers (privacy-focused only)

Legal Requirements:

  • When required by law, court order, or legal process
  • To protect our rights, property, or safety
  • To prevent fraud or security threats
  • In connection with law enforcement investigations

Business Transfers:

  • In connection with a merger, acquisition, or sale of assets
  • Users will be notified 30 days in advance
  • Data protection standards will be maintained

We Never Share

  • Your email content with anyone except the sub-processors explicitly specified above who provide the service
  • Personal information with advertisers or marketers
  • Personal information for commercial purposes unrelated to our service
  • Data with third parties for their own marketing purposes

International Data Transfers

  • Our primary servers are located in the EU (Germany)
  • We may transfer data to service providers in other countries
  • All international transfers use appropriate safeguards:
    • EU Standard Contractual Clauses (SCCs) for GDPR compliance
    • Adequacy Decisions where available
    • Binding Corporate Rules for internal transfers
  • We maintain data processing agreements with all international processors

Data Retention and Deletion

Form Submissions

  • Retention: Until you request deletion or service relationship ends
  • Deletion: Within 30 days of request
  • Anonymization: Personal identifiers removed for analytics after 90 days

Usage and Log Data

  • Detailed Logs: Personal identifiers are removed after 30 days, unless retention for your use and access is agreed in your contract
  • Anonymized Analytics: Retained for service improvement (no personal data)
  • Security Logs: Retained for 90 days (no IP addresses are collected or stored)

Communications

  • Support Emails: Retained for 2 years for quality assurance
  • Upon Request: Removed within 30 days of deletion request

Your Privacy Rights

Rights for All Users

  • Access: Request a copy of your personal data we hold
  • Correction: Update or correct your personal information
  • Deletion: Request deletion of your data
  • Portability: Export your data in a machine-readable format
  • Objection: Object to processing for marketing purposes

Additional Rights for EU Users (GDPR)

  • Restriction: Limit how we process your personal data
  • Withdraw Consent: Revoke consent for marketing or optional processing
  • Automated Decision-Making: Protection against purely automated decisions
  • Complaint: File a complaint with your local Data Protection Authority
  • Data Protection Officer: Contact our DPO for privacy matters

Additional Rights for California Users (CCPA)

  • Categories of Information: Know what personal information we collect
  • Sources and Recipients: Understand where data comes from and who receives it
  • Business Purpose: Know why we collect and use your information
  • Deletion Rights: Request deletion of personal information
  • Non-Discrimination: Equal service regardless of privacy choices
  • Opt-Out Rights: Opt out of sale (we don't sell data) and targeted advertising

How to Exercise Your Rights

Response Times:

  • Data export requests: Within 30 days
  • Deletion requests: Within 30 days
  • Privacy inquiries: Within 48 hours

Security Measures

Technical Safeguards

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Multi-factor authentication, role-based access
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Data Isolation: Secure containers and isolated processing environments

Operational Safeguards

  • Employee Training: Regular privacy and security training
  • Background Checks: Security screening for employees with data access
  • Audit Logging: Comprehensive logging of all data access and changes
  • Incident Response: 24/7 monitoring and immediate breach response procedures

Third-Party Security

  • Vendor Assessment: Security audits of all service providers
  • Contractual Obligations: Data processing agreements with security requirements
  • Regular Reviews: Ongoing monitoring of third-party security practices

Children's Privacy

  • Our service is not intended for users under 16 years of age
  • We do not knowingly collect personal information from children under 16
  • If we discover we've collected such information, we'll delete it immediately
  • Parents/guardians can contact us to request deletion of their child's information

Data Breach Notification

Our Commitment

  • Immediate investigation of any potential breach
  • Notification within 72 hours of discovery (where legally required)
  • Clear communication about what happened and what we're doing
  • Free credit monitoring services if sensitive data is involved

Your Protection

  • Minimal data collection reduces breach impact
  • Strong encryption makes data unreadable
  • Regular security testing and improvements
  • Incident response team available 24/7

Changes to This Policy

  • Material Changes: 30 days' advance notice via email
  • Minor Updates: Notice through website announcements
  • Emergency Changes: Immediate notification for security-related updates
  • Version History: All previous versions available upon request
  • Legal Updates: Immediate compliance with new privacy laws

Contact Information

Privacy Questions: [email protected]
Data Requests: [email protected]
Security Issues: [email protected]
General Support: [email protected]

Data Protection Officer (EU Matters):
Email: [email protected]
Response Time: 48 hours


Governing Law: This Privacy Policy is governed by Irish law and applicable EU regulations including GDPR.

Language: This policy is available in multiple languages. In case of conflicts, the English version prevails.

Accessibility: Available in accessible formats upon request. Contact [email protected] for assistance.

This policy is effective immediately and supersedes all previous versions.