Last updated: 9 April 2026 · Data controller: GPTemail.me (UK‑based). Contact: privacy@gptemail.me.
What we collect
- Account: email, name (if provided), authentication tokens.
- Billing: Stripe customer ID, subscription status, plan usage counts.
- Product data: emails you route to our inboxes (content, headers, metadata), processing results, logs/metrics.
- Technical: IP, user agent, request IDs, event timestamps.
- Support/comms: messages you send us.
Why we process your data (legal bases)
- Provide the service (contract).
- Billing and fraud prevention (legitimate interests/contract).
- Product analytics and reliability (legitimate interests) with IP minimisation and aggregation.
- Legal compliance (records, abuse prevention).
- Marketing emails only if you opt in (consent; you can opt out anytime).
Retention
- Email content/results: 30 days by default; you can request earlier deletion.
- Billing and audit logs: up to 6 years (tax/records).
- Account data: kept while you have an account; deleted 30 days after closure unless law requires longer.
Your rights (UK/EU GDPR)
You can request access, correction, deletion, restriction, objection to processing, and data export. Email privacy@gptemail.me. We respond within 30 days.
Data locations & transfers
We operate a US-primary application stack and an EU-routed stack for eligible accounts. When an account is
routed to the EU stack, core application storage and compute for supported product flows run in Google Cloud
eur3 / europe-west4. Some supporting services and subprocessors, including payments,
outbound email delivery, edge/security services, and certain support or transfer functions, may still process or
transfer personal data outside the UK/EU. International transfers rely on contractual and provider safeguards,
including Standard Contractual Clauses where appropriate. See the EU addendum for
more detail on lawful bases, transfers, and retention.
Subprocessors
- Google Cloud (hosting, storage, AI).
- OpenAI / Gemini models (content processing).
- Stripe (payments).
- ZeptoMail (outbound email).
- Cloudflare (edge, email ingress).
Some third-party providers, especially payment providers such as Stripe, may also process certain information under their own regulatory obligations and privacy notices. See the Data Processing Agreement for the subprocessor list and change-notification commitment.
Security
- Transport encryption (HTTPS/TLS).
- Secret Manager for keys; least-privilege service accounts.
- Per-tenant access controls in Firestore; audit logging.
- Automated monthly usage resets and abuse monitoring.
Contact & complaints
Email privacy@gptemail.me. UK residents may complain to the ICO; EU residents to their local DPA.