MailSynth ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-driven email organization and daily-digest service (the "Service"). We believe in transparency regarding data practices and have designed this policy to clearly communicate how we protect your personal information.

1. Information We Collect

1.1 Account Information

When you sign up for MailSynth, we collect the following account information:

  • Google account email address

  • Your name (as provided by your Google account)

  • Your profile picture (as provided by your Google account)

  • OAuth 2.0 authentication tokens for Gmail API access

1.2 Email Data

To provide the Service, we access and process the following email data from your Gmail account:

  • Email metadata: sender, recipient(s), subject line, date and time sent, Gmail labels, thread information, and message flags

  • Email content: full message body text used to generate AI summaries and categorizations

  • Email attachments: we do NOT access, download, or process any file attachments

1.3 Usage Data

We automatically collect certain information about your interactions with the Service:

  • IP address

  • Browser type and version

  • Device type and operating system

  • Pages visited and features accessed

  • Time and date of access

  • Referring URLs and navigation paths

1.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies for the following purposes:

  • Session maintenance and user authentication

  • Remembering user preferences and settings

  • Aggregated analytics to understand usage patterns and improve the Service

2. How We Use Your Information

2.1 Providing the Service

We use the information we collect to provide, maintain, and improve the MailSynth Service:

  • Reading and analyzing your emails to generate summaries and categorizations

  • Delivering daily email digests and organizational recommendations

  • Improving the Service's features and user experience (through aggregated, anonymized usage analytics only — never through analysis of individual email content)

  • Maintaining account credentials and access controls

2.2 Service Operations

We use your information for essential operational purposes:

  • User authentication and account management

  • Providing customer support and responding to inquiries

  • Sending service communications and important notices

  • Monitoring and analyzing Service performance and usage patterns

2.3 Legal and Compliance

We may use your information when required by law or to protect the rights, property, and safety of MailSynth, our users, or the general public.

3. Artificial Intelligence and Data Processing

3.1 No AI Training

We want to be absolutely clear: We do NOT use any user data — including email content, email metadata, summaries, categorizations, or usage patterns — to train, fine-tune, improve, or develop any artificial intelligence or machine learning models, whether our own or those operated by third parties. Your data is never used to enhance or modify AI models.

3.2 AI Models Used by MailSynth

MailSynth processes your emails using third-party AI models provided by:

  • Google Gemini

  • Anthropic Claude

3.3 Contractual Prohibitions with AI Providers

Our agreements with Google (for Gemini) and Anthropic (for Claude) contractually prohibit these providers from using any MailSynth user data for the purpose of training, fine-tuning, improving, or developing their AI models. These restrictions apply to all user data, including email content, metadata, summaries, categorizations, and any derived information.

Data sent to these providers is processed solely for the purpose of generating real-time responses (such as email summaries and categorizations) and is not retained by these providers for any other purpose. Processing occurs in real-time or near-real-time, with no long-term storage of full email content by the AI providers.

3.4 No Data Sales or Commercial Distribution

We never sell, rent, lease, license, trade, or otherwise distribute user data to any third party for any commercial purpose whatsoever. This includes but is not limited to:

  • Data brokers or aggregators

  • Advertisers or marketing companies

  • Analytics firms

  • Artificial intelligence and machine learning training companies

  • Any other commercial entity for any commercial purpose

3.5 Data Processing Scope

When an email is processed through MailSynth:

  • The email content and metadata are securely transmitted to the selected AI provider (Google Gemini or Anthropic Claude)

  • The AI provider generates a summary and categorization

  • The summary and categorization are returned to MailSynth

  • The full email content is NOT retained by the AI provider beyond the processing session

  • MailSynth retains the generated summary (not the full email content) for a limited period as described in Section 6

4. How We Process Email Data

4.1 Real-Time Processing

Email processing occurs in real-time or near-real-time when you access your MailSynth dashboard or when scheduled digest generation occurs. Your emails are processed at the moment of access, not stored indefinitely for processing.

4.2 Data Minimization

We follow the principle of data minimization, meaning we collect and retain only the minimum data necessary to provide the Service. We do not retain full email content beyond what is strictly necessary for generating summaries and categorizations.

4.3 Temporary Caching

Generated summaries and categorizations are cached for user convenience. This cached data is retained for up to seven (7) days to allow quick access to previously generated digests. After this period, cached summaries are automatically deleted.

5. Sharing Your Information

5.1 Service Providers

We share certain information with trusted service providers who assist us in operating the Service. These providers include:

  • Google Cloud Platform (for infrastructure, storage, and computing services)

  • Firebase (for authentication, real-time database, and hosting)

  • Google Gemini (for AI processing of email content)

  • Anthropic Claude (for AI processing of email content)

We have Data Processing Agreements (DPAs) in place with all service providers that handle personal data. These agreements include contractual requirements that service providers use data only to provide the requested services and maintain strict confidentiality and security standards.

5.2 Legal Requirements

We may disclose your information when required by law, such as in response to a valid subpoena, court order, or other legal process. We will make reasonable efforts to notify you of such requests unless prohibited by law.

5.3 What We Never Do

To be absolutely clear, we never:

  • Sell your data

  • Rent, lease, or trade your data

  • Use your data for advertising or marketing purposes

  • Share your email content with third parties except for the AI processing described above

  • Allow humans (outside of authorized support staff) to read your emails except with explicit consent or as required by law

6. Data Security

We take data security seriously and implement multiple layers of security measures to protect your information:

  • TLS/SSL encryption for all data in transit

  • AES-256 encryption for data at rest

  • OAuth 2.0 for secure authentication

  • Regular security audits and penetration testing

  • Strict access controls and role-based permissions

  • Google Cloud Platform enterprise-grade security infrastructure

While we implement strong security measures, no system is 100% secure. We encourage you to use strong, unique passwords and enable two-factor authentication on your Google account for additional protection.

7. Data Retention

7.1 Retention Periods

We retain your data according to the following schedule:

  • Account information: Retained while your account is active

  • OAuth tokens: Retained until revoked by you or expired

  • Cached summaries: Retained for up to seven (7) days

  • Usage logs: Retained for ninety (90) days

  • Aggregated analytics (anonymized): Retained indefinitely for service improvement

7.2 Account Cancellation

When you request account cancellation, we delete your personal data within thirty (30) days, except where we are legally required to retain it. You may revoke MailSynth's access to your Gmail account at any time through your Google Account settings.

7.3 Inactive Accounts

We automatically delete the account data of users who have not accessed the Service for twelve (12) consecutive months. You will receive warning notifications before such deletion.

8. Your Rights and Choices

8.1 General Rights

Regardless of your location, you have the following rights with respect to your personal data:

  • Right to access: You may request a copy of the personal data we hold about you

  • Right to correction: You may request that we correct inaccurate or incomplete information

  • Right to deletion: You may request deletion of your personal data

  • Right to revoke access: You may revoke MailSynth's authorization to access your Gmail account at any time

  • Right to opt-out: You may opt-out of non-essential data collection and communications

8.2 European Economic Area (EEA) Residents

Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

  • Contract Performance (Article 6(1)(b)): We process your email data and account information to perform our contract with you and provide the Service

  • Consent (Article 6(1)(a)): You provide explicit consent when you grant OAuth access to your Gmail account

  • Legitimate Interest (Article 6(1)(f)): We process aggregated usage data, technical logs, and security information for service security, fraud prevention, and service improvement

Data Controller

MailSynth is the data controller with respect to your personal data. Our data protection contact information is provided in Section 13 of this Privacy Policy.

Sub-Processors

We use the following sub-processors who act as data processors on our behalf:

Sub-Processor

Purpose

Location

Safeguards

Google Cloud Platform

Infrastructure, storage, computing

USA

SCCs, ISO 27001, SOC 2

Firebase

Authentication, hosting

USA

SCCs, SOC 2

Google Gemini

AI email processing

USA

SCCs, no-training clause

Anthropic Claude

AI email processing

USA

SCCs, no-training clause

International Data Transfers

MailSynth transfers personal data of EEA residents to the United States to provide the Service. These transfers are implemented with appropriate safeguards as follows:

  • Standard Contractual Clauses (SCCs): Our contracts with all US-based sub-processors, including Google Cloud Platform, Firebase, Google Gemini, and Anthropic Claude, include Standard Contractual Clauses approved by the European Commission

  • Adequacy Mechanisms: Google has adequate transfer mechanisms in place for Gemini services

  • Transfer Impact Assessments: We have conducted Transfer Impact Assessments under GDPR Article 27 to evaluate potential risks for high-risk processing activities

Additional EEA Rights

In addition to the rights listed in Section 8.1, EEA residents have the following rights under the GDPR:

  • Right to data portability: You may request that we provide your personal data in a portable format

  • Right to restrict processing: You may request that we limit how we process your data

  • Right to object: You may object to our processing of your data for legitimate interest purposes

  • Right to withdraw consent: You may withdraw your consent at any time

  • Right to lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority

Breach Notification

In the event of a personal data breach affecting EEA residents, we commit to notifying the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, and notifying affected individuals without undue delay.

Data Protection Impact Assessment

We conduct Data Protection Impact Assessments (DPIAs) for processing activities involving special categories of personal data or presenting high risks to individuals' rights and freedoms, in accordance with GDPR Article 35.

8.3 United Kingdom Residents

Residents of the United Kingdom have similar rights to those of EEA residents under the UK GDPR (Data Protection Act 2018). All rights and safeguards described in Section 8.2 apply equally to UK residents. UK residents may lodge complaints with the UK Information Commissioner's Office (ICO).

8.4 California Residents (CCPA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: You may request what personal information we collect and how it is used

  • Right to delete: You may request deletion of personal information we have collected

  • Right to opt-out: You may opt-out of the sale or sharing of your personal information (note: we do not sell or share your data)

  • Right to correct: You may request that we correct inaccurate personal information

  • Right to limit use: You may limit our use of sensitive personal information

8.5 Exercising Your Rights

To exercise any of your privacy rights, please contact us at:

Email: support@mailsynth.com

We will respond to your request within thirty (30) days of receipt. If we need additional information to verify your identity, we will request it promptly.

9. Google API Services Compliance

MailSynth uses Google API Services to access your Gmail data. Our use of Google API data is subject to the Google API Services User Data Policy and the following principles:

  • We only request the minimum Gmail API scopes necessary to provide the Service

  • We do not use Gmail data for advertising purposes

  • We do not use Gmail data to develop, improve, or train AI/ML models (except for real-time processing with contractual restrictions)

  • We maintain clear privacy and security standards for all Google data we access

10. Third-Party Links

MailSynth may contain links to third-party websites and services that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services before providing your information.

11. Children's Privacy

MailSynth is not intended for users under the age of 16. We do not knowingly collect or solicit personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete such information immediately. If you believe we have collected information from a child under 16, please contact us at support@mailsynth.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and updating the Last Updated date. Your continued use of the Service following the posting of changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

MailSynth Support

Email: support@mailsynth.com

We are committed to addressing your privacy concerns and will respond to all inquiries within thirty (30) business days.