Privacy policy
Last updated: July 5, 2026
1. Controller
simple.email (an LC39 company)
[STREET AND NUMBER], 83022 Rosenheim, Germany
Email: privacy@simpleemail.now
This policy explains how simple.email ("we") processes personal data under the EU General Data Protection Regulation (GDPR).
2. What simple.email does with your email
simple.email lets you automate your inbox with agents you describe in plain language. Understanding our data model matters:
- Your emails stay in your mailbox. We do not copy, store, or archive email bodies. All actions (move, label, archive, forward) are performed inside your Google or Microsoft account via their APIs.
- What we read per email: sender name and address, recipients, subject, attachment metadata, and a short preview snippet (approx. 100–300 characters) provided by your email provider. Full bodies are accessed only when you approve a forward action (to transmit the original message).
- What we store: your account data, mailbox connection tokens (encrypted at rest), your agent instructions and their compiled rules, and a decision log per processed email containing sender, a subject excerpt (max. 120 characters), the action taken, a one-line reason, and timestamps.
3. Categories of data, purposes, and legal bases
- Account data (name, email address, profile picture from Google/Microsoft sign-in) — to provide your account. Legal basis: Art. 6(1)(b) GDPR (contract).
- Mailbox access tokens (OAuth access/refresh tokens) — to read incoming email metadata and execute the actions you configured. Legal basis: Art. 6(1)(b) GDPR; you grant and can revoke this access at any time in your Google or Microsoft security settings.
- Email metadata and decision log (see section 2) — to run your agents, show you an auditable activity log, and enable undo. Legal basis: Art. 6(1)(b) GDPR.
- Agent instructions and feedback you submit — to provide and improve the service. Legal bases: Art. 6(1)(b) and (f) GDPR.
- Billing data — handled by our merchant of record (see section 4); we store only your subscription plan and status. Legal basis: Art. 6(1)(b) GDPR.
- Technical logs (IP address, timestamps, request data) — for security and operation of the service. Legal basis: Art. 6(1)(f) GDPR.
4. Processors and recipients
We use the following providers. Where providers are located outside the EU/EEA, transfers are safeguarded by the EU–US Data Privacy Framework and/or EU Standard Contractual Clauses (Art. 46 GDPR).
- Vercel Inc. (USA) — application hosting. Our application functions run in Frankfurt, Germany (region fra1); request logs may be processed by Vercel in the USA.
- Neon Inc. (USA) — database hosting. All stored data (section 2) resides in Frankfurt, Germany (AWS eu-central-1).
- Anthropic PBC (USA) — AI processing. To classify an email against your agents, we transmit sender, subject, and the preview snippet to Anthropic's Claude API; to compile an agent, we transmit your instruction. Anthropic retains API inputs and outputs for up to 30 days for abuse prevention and does not use them to train models.
- Creem (merchant of record) — payment processing, invoicing, and VAT handling for paid plans. Creem acts as the seller of record and independent controller for payment data (card details never reach us). See Creem's privacy policy.
- Google LLC (USA) — if you connect Gmail: sign-in (OAuth), Gmail API access, and Google Cloud Pub/Sub for new-mail notifications (notifications contain your email address and a history reference, no message content).
- Microsoft Corporation (USA) — if you connect Outlook: sign-in (OAuth) and Microsoft Graph API access including change notifications.
Google API Services — Limited Use disclosure
simple.email's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for advertising, do not allow humans to read it (except with your explicit consent for support, or for security purposes), and do not transfer it except to provide the features you requested.
5. Retention and deletion
- Decision log entries are retained while your account exists.
- Deleting an agent keeps its past log entries (audit trail) but removes the agent and its rules.
- Deleting your account removes all stored data (account, tokens, agents, decision log, feedback) via cascading deletion. To delete your account, contact privacy@simpleemail.now.
- Revoking mailbox access in your Google/Microsoft settings immediately stops all processing of that mailbox.
6. Cookies
We use only strictly necessary cookies: a session cookie to keep you signed in. We use no advertising, tracking, or analytics cookies. Therefore no cookie consent banner is required.
7. Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection to processing based on legitimate interests (Art. 21). You also have the right to lodge a complaint with a supervisory authority, e.g. the data protection authority of your German federal state. Contact: privacy@simpleemail.now.
8. Automated decision-making
Agents classify and act on emails automatically according to rules you defined yourself. Sensitive actions (forwarding, drafting) always require your explicit approval; executed actions are logged and — where technically possible — undoable. No automated decision-making with legal or similarly significant effect within the meaning of Art. 22 GDPR takes place.
9. Changes
We will update this policy when the service or our providers change and note the date above. Material changes will be announced in the product.