Privacy Policy

Last updated: November 14, 2025

BadAtMail ("we", "us", or "our") provides an email management service that reads, analyzes, and organizes your Gmail inbox. This Privacy Policy explains what data we collect, how we use it, how we protect it, and the rights you have over it.

Data Controller

BadAtMail Ltd is the data controller responsible for your personal data.
Email: privacy@badatmail.com

Lawful Basis for Processing

We process your data under the following legal bases:

  • Performance of Contract: Displaying your emails, analyzing messages, generating drafts, detecting important information, and providing the core functionality of BadAtMail.
  • Legitimate Interests: Improving product quality, securing the service, preventing misuse, and training your private personalized model. We have assessed these interests against your rights and freedoms and determined that the impact on your privacy is minimal and proportionate. You may object to this processing at any time.
  • Consent: Voice notifications via Twilio and any optional features that rely on explicit opt-in.
  • Legal Obligations: Compliance with applicable laws, regulatory requirements, or law enforcement requests.

1. Information We Collect

When you use BadAtMail, we collect and store:

Email Content

We access and store the text of your email messages, including full message bodies, subject lines, sender and recipient details, and related email metadata.

We also access and store attachment metadata only (such as file name, size, and MIME type) so that we can show inside the platform that an attachment exists.

We do not access, open, store, download, analyze, or process the content of email attachments. This covers all file types. Attachment content is fully excluded from product features and all AI processes.

Account Information

Your Gmail address, display name, and the OAuth tokens required to connect your Gmail account.

Usage Data

Actions you take inside the product, such as viewing an email, requesting a summary, applying rules, or generating drafts.

Optional Contact Information

If you enable voice notifications, you may provide a phone number.

2. How We Use Your Information

We process your information to:

  • Display your emails inside our app
  • Read and analyze email content
  • Generate draft replies and suggestions
  • Detect information that may need to be remembered
  • Notify you about urgent or important messages
  • Improve our models and the quality of suggestions
  • Operate and secure the service

We never delete, modify, or archive emails in your Gmail account. The only Gmail action we perform is creating drafts when you request them.

3. AI Processing and Model Training

We send the text of your emails to OpenAI’s API so that we can analyze messages, generate replies, and provide suggested actions. OpenAI does not use data sent via their API to train their own models.

BadAtMail uses your email text solely to train and improve machine learning systems dedicated to your account. Your data is never combined with or used to train systems for other users. This includes fine-tuning and reinforcement learning to produce a private, user-specific generative model that learns your writing style and improves the relevance of drafts and suggestions.

This personalized model is considered personal data because it is derived from your emails and can produce text in your writing voice. The model is private to your account. It is never shared, combined with, or trained using data from other users.

We do not create separate training datasets beyond the email content we store to provide the service. After training, we only persist the resulting model parameters. Raw email content remains stored solely for operating BadAtMail.

If you opt out of personalized training, we stop using your email text for fine-tuning. If you delete your account, we permanently delete your personalized model, all training artefacts, and all stored email content.

Attachments Are Not Used for AI. We never access, store, analyze, or transmit attachment content for any purpose.

4. Third Party Services

OpenAI (United States)

Used to analyze email text and generate responses.

Twilio (United States)

Used to send optional voice notifications. Only your phone number is shared.

Google (Global, including United States)

We access your Gmail account using the official Gmail API. We only request permissions required to read emails and create drafts.

5. International Transfers and SCCs

Our servers operate in eu-west-1 (Ireland).

When your data is processed by providers outside the EU, such as OpenAI or Twilio, we rely on Standard Contractual Clauses and supplementary safeguards such as encryption to ensure compliance with EU data transfer rules.

All data transferred to providers outside the EU, including OpenAI and Twilio, is encrypted in transit before leaving the EU.

6. Data Storage and Security

  • All data is stored on encrypted servers
  • Email text and user data are encrypted in transit and at rest
  • OAuth tokens are encrypted and isolated per user
  • Access to production systems is restricted and logged
  • Backups are encrypted and retained for 90 days
  • Each user's data is logically separated and never mixed with others

No Attachment Storage: We do not access, store, or retain email attachments in any form. Attachment content does not appear in our databases, logs, backups, or training systems.

7. Data Retention and Deletion

We keep your data for as long as your account is active. We store email text in order to display messages, generate drafts, maintain your personalized model, and provide fast and reliable service. We do not use stored email content for any unrelated purpose.

When you delete your account:

  1. All stored email content, summaries, rules, settings, and model training data are deleted immediately.
  2. Your personalized model and all training artefacts are deleted.
  3. OAuth tokens are revoked.
  4. Backups are overwritten within 90 days.

You may revoke our Gmail access at any time through your Google Account settings.

8. Data Export

You may export your data at any time. Exports are provided as a machine-readable SQLite database containing:

  • Email content stored in BadAtMail
  • Summaries and extracted information
  • Rules and preferences
  • Drafts and usage metadata

This meets GDPR portability requirements.

9. Your Rights

You have the right to:

  • Access your data
  • Correct inaccurate information
  • Export your data
  • Request deletion of your account
  • Restrict certain forms of processing
  • Object to processing based on legitimate interests, including AI training
  • Revoke Gmail access at any time
  • File a complaint with a supervisory authority

10. Children's Privacy

BadAtMail is not intended for individuals under 16 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the service. Continued use of BadAtMail after updates means you accept the revised policy.

12. Contact Us

For privacy-related questions, contact us at:
privacy@badatmail.com

Data Protection Officer
dpo@badatmail.com
