Privacy Policy

Last updated: December 5, 2025

Your privacy is important to us. This Privacy Policy ("Policy") applies to services provided by ActionMail LLC ("we", "us", or "ActionMail") and our website (the "Site"), product pages, mobile or web applications, or other digital products that link to or reference this Policy (collectively, the "Services") and explains what information we collect from users of our Services (a "user", "you", or "your"), including information that may be used to personally identify you ("Personal Information") and how we use it.

ActionMail does not sell your data or train AI models on your data. Your email content is processed solely to provide our services and is encrypted using industry-standard AES-256-GCM encryption. Each user has a unique encryption key stored securely in Supabase Vault, ensuring complete data isolation. You can request data export or deletion at any time through your account settings or by contacting us at privacy@actionmail.app.

We encourage you to read the details below. This Policy applies to any visitor to or user of our Services. Any capitalized terms used herein but not defined shall have the meaning set forth in our Terms of Service, available at https://actionmail.app/terms.

We reserve the right to change this Policy at any time. We will notify you of any changes to this Policy by posting a new Policy to this page and/or by sending notice to the primary email address specified in your account. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically reviewing this Policy to check for any changes. Changes to this Policy are effective when they are posted on this page. You acknowledge that your continued use of our Services after we publish or send a notice about our changes to this Policy means that the collection, use and sharing of your Personal Information is subject to the updated Policy.

Scope and Applicability

This Policy applies to your information when you visit our website or otherwise use the Services. Please note that this Policy does not apply to the extent that we process Personal Information in the role of a processor (or a comparable role such as a "service provider" in certain jurisdictions) on behalf of our Customers, including where we collect Customer Data on behalf of our Customers, or where our Customers otherwise collect, use, share or process Personal Information via our Services. Each of our Customers, not ActionMail, controls what information about you is collected by the Services on behalf of such Customer. For detailed privacy information applicable to situations where a Customer who uses the Services is the controller, please reach out to the respective customer directly. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in this Privacy Policy. If not stated otherwise either in this Privacy Policy or in a separate disclosure, we process such Personal Information in the role of a processor or service provider on behalf of a Customer (and/or its affiliates), who is the responsible controller of the applicable Personal Information.

This Privacy Policy also does not apply to any third-party applications or services that are used in connection with our Services, or any other products, services or accounts provided by other entities under their own terms of service and privacy policy (collectively, "Third-Party Services"). For example, a Customer may connect, directly or through another application, third party applications and platforms, and other products and services to ActionMail. These Third-Party Services are not part of our Services and are provided by independent third parties under their policies and terms. Lastly, the Site or Services may contain links to other websites. We have no control over these websites and they are subject to their own terms of use and privacy policies.

What Information Do We Collect?

Information You Provide to Us

  • Account Information. To create an account for the Services or to enable certain features, we may require that you provide us with information for your account such as name, email address, profile picture, and authentication credentials from Google or Microsoft OAuth.

  • Email Data. When you connect your Gmail or Microsoft Outlook account to ActionMail, we access your email messages, metadata (sender, recipient, subject, date), attachments, labels, and folders as authorized by you through OAuth. This data is used to provide our core services including email synchronization, AI-powered summarization, action item extraction, and job application tracking.

  • Payment Information. If you sign up for a paid subscription, we (or our payment processors) may need your billing details such as credit card information, banking information, and billing address. Your payment information, such as your payment method (valid credit card number, type, expiration date or other financial information), is collected and stored by our third-party payment processing company (the "Payment Processor") and use and storage of that information is governed by the Payment Processor's applicable privacy policy. We use Stripe as our Payment Processor; its privacy policy is available at https://stripe.com/privacy. We collect and store only your credit card type, the last four digits of your credit card number, and expiration date for display purposes.

  • Action Items and Job Applications. Information you create, modify, or interact with within ActionMail, including action items, task completions, job application tracking data, notes, and preferences.

  • Communications. When you contact us for support, provide feedback, or communicate with us in any way, we collect the content of those communications along with your contact information.

  • Other Information You Provide. We receive other information from you when you choose to interact with us in other ways, such as if you sign up for one of our newsletters, participate in a research study or event, or otherwise communicate with us.

Information We Collect Automatically

When you visit, use, and interact with the Services, we may receive the following information about your visit, use, or interactions ("Technical Information"):

  • Log Data. Information that your browser automatically sends whenever you use our website ("log data"). Log data includes your Internet Protocol (IP) address, browser type and settings, the date and time of your request, and how you interacted with our website.

  • Usage Data. We may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, computer connection, IP address, and the like.

  • Device Information. Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.

  • Analytics. We may use a variety of online analytics products that use cookies to help us analyze how users use our Services and enhance your experience when you use the Services. We use Vercel Analytics for performance monitoring.

We use cookies and other tracking technologies to help us collect and process Technical Information. Please see our Cookie Policy for more information.

Information We Receive from Third Parties

  • Third-Party Authentication. If you sign up or log in to our Services using one of our sign-on providers (Google or Microsoft), we collect authentication information provided to us by the provider to allow you to log in. This includes your name, email address, and profile picture.

  • Email Provider Data. When you connect your Gmail or Microsoft Outlook account, we receive email data as authorized by you through OAuth, including email content, metadata, labels, and folders.

  • Service Providers. We may receive information from our service providers who help us operate our business.

  • Information from Other Sources. We may obtain information from other sources, including, but not limited to, publicly available sources, third-party data providers, and through transactions such as mergers and acquisitions. We may combine this information with other information we collect from or about you.

How Do We Use The Information We Collect?

We use the information we collect:

  • To provide and maintain our Services, including email synchronization, AI-powered email summarization, action item extraction, job application tracking, email categorization, and notifications
  • To process your emails using AI to generate summaries, extract action items and deadlines, identify job application emails, and categorize emails for better organization
  • To protect, investigate, and deter against fraudulent, unauthorized, or illegal activity
  • To develop, improve, or expand our business, products, and services
  • To conduct internal reporting, auditing, and research, including focus groups and surveys
  • To compare and verify information for accuracy and update our records
  • To email, message, or otherwise contact you with information and updates about us and the Services
  • To respond to your comments and questions and provide customer service
  • To send you information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages
  • To analyze how you use the Services with tools such as Vercel Analytics to help us understand traffic patterns and know if there are problems with the Services
  • In connection with a merger, acquisition, reorganization, or similar transaction
  • When required by law or to respond to legal process
  • To protect our users, other individuals' lives, and/or the rights or property of ActionMail
  • To maintain the security of the Services
  • At your direction or instruction, or for any other purpose with your consent
  • To create aggregate and de-identified data. We will maintain such data in a de-identified form and will not attempt to re-identify any de-identified data, except that we may attempt to re-identify the data solely for the purpose of determining whether our de-identification processes are compliant with applicable laws

AI Processing

ActionMail uses artificial intelligence to provide core features of our Services:

  • Email Summarization: We use AI to generate concise summaries of your emails
  • Action Item Extraction: AI identifies tasks, deadlines, and priorities from your emails
  • Job Application Detection: AI detects job-related emails and extracts application information
  • Email Categorization: AI automatically categorizes emails into relevant categories

Important: We use third-party AI services (OpenAI and Anthropic) to process your email content. These services:

  • Process your data only to provide the requested AI features
  • Do not retain your data after processing
  • Do not use your data to train their AI models
  • Are bound by data processing agreements with us

We do not use your email content or personal data to train any AI models.

Do We Share Your Personal Information?

In addition to the specific situations discussed elsewhere in this privacy policy, we disclose personal information in the following circumstances:

  • With our corporate affiliates and subsidiaries

  • With third parties that perform services to support our core business functions and internal operations, which may include:

    • Database administrators and cloud computing services (Supabase)
    • Hosting and deployment services (Vercel)
    • Payment processors (Stripe)
    • AI processing services (OpenAI, Anthropic)
    • Email API providers (Google Gmail API, Microsoft Graph API)
    • Analytics providers (Vercel Analytics)
    • Support and customer service providers
  • To support our audit, compliance, and corporate governance functions

  • In connection with a change of ownership or control of all or part of our business (such as a merger, acquisition, reorganization, or bankruptcy)

  • If we have a good-faith belief that access, use, preservation, or disclosure of such information is reasonably necessary to detect, protect against, or investigate fraud or security issues

  • If required or permitted by applicable law or regulation, including laws and regulations of the United States and other countries, or in the good faith belief that such action is necessary to:

    • (a) comply with a legal obligation or in response to a request from law enforcement or other public authorities wherever ActionMail may do business
    • (b) protect and defend the rights or property of ActionMail
    • (c) act in urgent circumstances to protect the personal safety of users, customers, and employees of ActionMail or others
    • (d) enforce our Terms of Service or otherwise protect against any legal liability
  • With your consent or at your direction

We do not sell your personal information to third parties.

Data Security

We take reasonable steps to protect your Personal Information against unauthorized access, alteration, disclosure, misuse, or destruction. We implement the following security measures:

Encryption

  • Data at Rest: All sensitive data is encrypted using AES-256-GCM encryption, including:
    • Email content (subject, body text, HTML content)
    • Sender and recipient information (email addresses, names)
    • Email summaries and key points
    • Action items (titles and descriptions)
    • Job application data (company names, positions, job descriptions, notes)
  • Encryption Keys: Each user has a unique 32-byte encryption key that is automatically generated when they sign up. These keys are stored securely in Supabase Vault, a dedicated secrets management system that provides an additional layer of encryption using pgsodium cryptographic extensions. Each user's data is encrypted with their own unique key, ensuring complete data isolation.
  • Data in Transit: All data transfers use TLS 1.3 encryption
  • OAuth Tokens: Access tokens and refresh tokens for Gmail and Microsoft integrations are stored securely in Supabase Vault, using the same pgsodium cryptographic extensions. Tokens are never stored in plain text.

Access Controls

  • Row-Level Security (RLS): Database-level security ensures users can only access their own data
  • Authentication: Secure authentication via Supabase Auth with Google and Microsoft OAuth support
  • Regular Security Audits: We conduct regular security reviews and audits

Data Isolation

  • Each user's data is logically separated in our database
  • Each user has a unique encryption key stored in Supabase Vault, generated automatically on signup
  • Data is encrypted with the user's unique key, ensuring complete cryptographic isolation between users
  • No cross-user data access is possible through application-level controls
  • OAuth tokens are stored in isolated vault secrets per connection

If you have an account with us, you are responsible for keeping your account credentials confidential. We urge you to take steps to keep your Personal Information safe by not disclosing your password and by logging out of your account after each use. By using the Services, you acknowledge that you understand and agree to assume these risks.

Data Retention

We retain your Personal Information while your account is in existence or as needed to provide the Services to you. Specific retention periods:

  • Email Data: Retained while your account is active and your email account is connected
  • Action Items: Retained until completed and deleted, or until account deletion
  • Job Applications: Retained until you delete them or until account deletion
  • Usage Data and Analytics: Retained for up to 2 years for service improvement purposes
  • Audit Logs: Retained for 2 years for compliance and security purposes

After account deletion:

  • Personal data is permanently deleted within 30 days
  • Backup copies may be retained for up to 90 days for disaster recovery purposes
  • De-identified and aggregated data may be retained indefinitely

Please note that we may retain information that is otherwise deleted in de-identified and aggregated form, in archived or backup copies as required pursuant to records retention obligations, or otherwise as required by law.

How Do We Use Tracking Technologies?

We use cookies and similar tracking technologies to collect and use personal information about you. For detailed information about the cookies we use and your choices regarding cookies, please see our Cookie Policy.

| Type of Cookies | Description | Managing Settings |
|---|---|---|
| Required cookies | Required cookies enable you to navigate the Services and use their features, such as accessing secure areas of the Services. These cookies allow us to uniquely identify you when you are logged into the Services and to process your requests. | Because required cookies are essential to operate the Services, there is no option to opt out of these cookies. |
| Performance cookies | These cookies collect information about how you use our Services, including which pages you go to most often and if they receive error messages from certain pages. These cookies do not collect information that individually identifies you. Information is only used to improve how the Services function and perform. | To learn how to opt out of performance cookies using your browser settings, click here. |
| Functionality cookies | Functionality cookies allow our Services to remember information you have entered or choices you make and provide enhanced, more personal features. These cookies also enable you to optimize your use of the Services after logging in. | To learn how to opt out of functionality cookies using your browser settings, click here. |

Managing Your Privacy

All users may request to review, update, correct, or delete the Personal Information furnished by a user in their user account by contacting us at privacy@actionmail.app or by accessing your user account settings.

Data Export

You can export your data at any time through Settings > Privacy > Export My Data. We provide your data in a portable, machine-readable format (JSON).

Data Deletion

You can request deletion of your data through Settings > Privacy > Delete My Data or by contacting us at privacy@actionmail.app. Upon request:

  • Your account and all associated data will be permanently deleted within 30 days
  • Your unique encryption key stored in Supabase Vault will be automatically deleted
  • Connected email accounts will be disconnected and OAuth tokens will be revoked
  • Backup copies will be purged within 90 days

Revoking Email Access

You can disconnect your Gmail or Microsoft account at any time through Settings > Connections. You can also revoke ActionMail's access directly through:

  • Google: https://myaccount.google.com/permissions
  • Microsoft: https://account.microsoft.com/privacy/app-access

We may use some of the information we collect for marketing purposes, including to send you promotional communications about new features, products, or other opportunities. If you wish to stop receiving these communications or to opt out of use of your information for these purposes, please follow the opt-out instructions, such as clicking "Unsubscribe" in those communications. You may also change your communication preferences via your account settings.

How We Respond to Do Not Track Signals

Your browser settings may allow you to automatically transmit a Do Not Track signal to websites and other online services you visit. We do not alter our practices when we receive a Do Not Track signal from a visitor's browser because we do not track our visitors to provide targeted advertising.

To find out more about Do Not Track, please visit http://www.allaboutdnt.com.

Children Under 16

The Services are not directed to individuals who are under the age of sixteen (16) and we do not solicit nor knowingly collect Personal Information from children under the age of sixteen (16).

If you believe that we have unknowingly collected any Personal Information from someone under the age of sixteen (16), please contact us immediately at privacy@actionmail.app and the information will be deleted.

International Data Transfers

Our Services are based in the United States. Your data may be processed in countries outside your residence, including the United States. We ensure appropriate safeguards for international data transfers:

  • Standard Contractual Clauses (SCCs) where required
  • Data processing agreements with all vendors
  • Adequacy decisions where applicable

Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers. By using the Services you consent to the transfer of information to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Information.

Region-Specific Disclosures

A Note to California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

Right to Know: You have the right to request that we disclose certain information about our collection and use of your personal information over the past 12 months, including:

  • Categories of personal information collected
  • Categories of sources from which we collected personal information
  • Business or commercial purpose for collecting personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we collected about you

Right to Delete: You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.

Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.

Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, please contact us at privacy@actionmail.app. We will respond to your request within 45 days.

A Note to Nevada Residents

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at privacy@actionmail.app with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A.

A Note to European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR):

Legal Bases for Processing: We typically process your information pursuant to the following legal bases:

  1. With your consent - for optional features and marketing communications
  2. As necessary to perform our agreement to provide Services to you - for core service functionality
  3. As necessary for our legitimate interests - for security, fraud prevention, and service improvement
  4. As necessary to comply with a legal obligation - for regulatory compliance

Your Rights: Under GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability: Receive your data in a portable format
  • Right to Restriction: Restrict processing of your personal data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
  • Right to Lodge a Complaint: Lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@actionmail.app. We will respond within 30 days as required by GDPR.

Data Protection Officer: For GDPR-related inquiries, you may contact our Data Protection Officer at dpo@actionmail.app.

Third-Party Services and Integrations

ActionMail integrates with the following third-party services:

| Service | Purpose | Privacy Policy |
|---|---|---|
| Google (Gmail API) | Email synchronization and OAuth authentication | Google Privacy Policy |
| Microsoft (Graph API) | Email synchronization and OAuth authentication | Microsoft Privacy Statement |
| Supabase | Database hosting and authentication | Supabase Privacy Policy |
| Vercel | Application hosting and analytics | Vercel Privacy Policy |
| OpenAI | AI processing for email features | OpenAI Privacy Policy |
| Anthropic | AI processing for email features | Anthropic Privacy Policy |
| Stripe | Payment processing | Stripe Privacy Policy |

Contact Us

If you have any questions about this Policy, your Personal Information, or the Services, you can contact us at:

  • General Privacy Inquiries: privacy@actionmail.app
  • Data Protection Officer: dpo@actionmail.app
  • Security Issues: security@actionmail.app
  • General Support: support@actionmail.app
  • Legal Inquiries: legal@actionmail.app

Data Processing Agreement

For business users requiring a Data Processing Agreement (DPA), please contact us at legal@actionmail.app or visit https://actionmail.app/dpa.


Summary of Your Data

| Data Type | Purpose | Encryption | Retention |
|---|---|---|---|
| Email Content (subject, body) | Display, AI processing | AES-256-GCM (per-user key) | Account lifetime |
| Email Metadata (sender, recipients) | Organization, search | AES-256-GCM (per-user key) | Account lifetime |
| Encryption Keys | Data encryption | Supabase Vault (pgsodium) | Account lifetime (auto-deleted on account deletion) |
| OAuth Tokens | Email access | Supabase Vault (pgsodium) | Account lifetime |
| Action Items (title, description) | Task management | AES-256-GCM (per-user key) | Until deleted |
| Job Applications (company, position) | Job tracking | AES-256-GCM (per-user key) | Until deleted |
| Email Summaries | Quick overview | AES-256-GCM | Account lifetime |
| Usage Analytics | Service improvement | N/A | 2 years |
| Audit Logs | Compliance, security | Yes | 2 years |

Legal Bases for Processing (GDPR)

| Processing Activity | Legal Basis |
|---|---|
| Providing core services | Contract performance |
| Email synchronization | Contract performance + Consent |
| AI processing of emails | Contract performance + Consent |
| Security measures | Legitimate interest |
| Analytics and improvement | Legitimate interest |
| Marketing (if any) | Consent |
| Legal compliance | Legal obligation |
