Политика конфиденциальности

1. Introduction

This Privacy Policy explains how Sefaja ("we", "our", "us"), operator of the Saymail product, collects, uses, and protects your personal information when you use our website (saymail.eu) and the Saymail desktop application. Our full company details are listed on the Imprint page.

Sefaja is established in the European Union, so an Article 27 GDPR representative is not required.

2. Information We Collect

2.1 Account Information

When you purchase Saymail, we collect your email address and order information. Payment processing is handled by our Merchant of Record, Lemon Squeezy, which is also responsible for collecting and remitting applicable VAT / sales tax and issuing invoices. We do not store credit card details. Order receipts will name Lemon Squeezy as the seller of record.

2.2 License and Activation Data

We store your license key, activation status, and machine identifiers used to enforce per-machine activation limits. The machine identifier is a hardware-derived hash; where we additionally store a computer name, it is stored in a non-reversible (hashed) form.

• Legal basis: performance of the licensing contract between you and Sefaja (GDPR Art. 6(1)(b)) and our legitimate interest in preventing license abuse (GDPR Art. 6(1)(f)).
• Retention: for the lifetime of the license, plus up to 24 months thereafter for anti-abuse and accounting purposes. Upon a verified deletion request we replace identifying records with an anonymised license token so license validation continues to function.
• Revocation: you can deactivate a machine at any time from your customer dashboard or by emailing support@saymail.eu.

2.3 Email Data

Your email data stays on your computer. When you connect an email account to Saymail, the desktop application communicates directly with your provider (Google, Microsoft, or any IMAP/SMTP server) from your device and stores the synchronised data in a local SQLite database on your computer. Sefaja does not store your emails on our servers. The only cases in which email content leaves your device are described in Section 2.4 (AI processing, which occurs only on your explicit action) and Section 3 (Google API Services).

The local Saymail database may contain:

• Message headers (From, To, Cc, Bcc, Subject, Date, Message-Id, references)
• Message bodies in plain-text and HTML form
• Attachments, cached locally so they can be opened and re-attached when forwarding
• Folder and label structure, read/unread flags, stars, archive state
• Search indexes derived from your messages
• Drafts you have created in Saymail but not yet sent

The database lives under your operating-system user profile and is protected by the same OS-level access controls as the rest of your user files. Account credentials — OAuth refresh tokens for Google and Microsoft, and IMAP/SMTP passwords for self-hosted accounts — are not kept in the SQLite database. They are stored in your operating system's secret store (Windows Credential Manager, Apple Keychain, or the Secret Service / GNOME Keyring on Linux) and never transmitted to Sefaja's servers. Any third-party AI provider API keys you supply for BYOK use (Section 2.4.2) are encrypted at the application layer before being written to local storage.

2.4 AI Processing

Saymail offers three ways to use AI features. Each has different privacy implications.

2.4.1 Local model (e.g., Ollama). Email content is processed entirely on your computer. No data leaves your device. We have no visibility into local model usage.

2.4.2 Bring Your Own Key (BYOK). If you supply an API key from a third-party AI provider — currently supported: Anthropic, OpenAI, and Google — Saymail sends prompts and email content directly from your computer to that provider. We do not relay, log, or store this content. Your use of the provider is governed by that provider's privacy policy and terms, not ours, including any data-retention or model-training behaviour the provider may apply to its API. We make no Zero Data Retention claim for BYOK traffic. Your API key is stored encrypted in your local Saymail database and is never transmitted to our servers. Saymail only transmits message content to the AI provider when you explicitly invoke an AI action from the Saymail interface; no background processing of your mail takes place.

2.4.3 Saymail Cloud credits. When you choose Saymail Cloud, your prompts and email content are sent first to our routing service and then on to OpenRouter (OpenRouter, Inc.), which dispatches the request to an underlying language-model provider. This routing happens only when you explicitly invoke an AI action from the Saymail interface; no background processing of your mail takes place. For Saymail Cloud traffic, we exclusively configure OpenRouter with the Zero Data Retention (ZDR) options enabled, so OpenRouter and the downstream provider do not retain your content after the request and do not use it to train models. Our own routing service retains only the metadata needed to meter and bill credit usage (timestamp, license identifier, model used, token count, and HTTP status). It does not retain prompt or response content beyond the lifetime of the request, except for short-lived diagnostic logs (≤ 24 hours) used to investigate errors.

The ZDR claim in this section applies only to Saymail Cloud traffic, which we route exclusively through OpenRouter with ZDR options enabled. If you instead use BYOK (Section 2.4.2), the privacy and retention practices of the provider whose key you supply apply to your traffic, and we make no representation about them.

Sub-processor used for Saymail Cloud routing: OpenRouter, Inc. The current list of sub-processors is published at saymail.eu/legal/sub-processors and is updated when it changes.

2.5 Saymail Cloud Credit Purchases

When you purchase Saymail Cloud credits, we store the transaction (amount, date, license identifier) and the running credit balance. Payment details are handled by our payment processor; we do not store credit card details.

2.6 Desktop Application Telemetry

The Saymail desktop application contacts our servers in the following narrowly scoped cases:

• Update checks. The app periodically requests https://saymail.eu/version.json to determine whether a newer version is available. The HTTP request transmits only the metadata that any HTTPS request transmits (your IP address at the moment of the request, an app User-Agent identifying Saymail and its version, and your operating system / architecture). We do not log update-check requests beyond standard short-lived web-server access logs.
• License validation and activation. The app communicates with our licensing service (operated by us together with our Merchant of Record, Lemon Squeezy) to validate your license key, register and deactivate machine activations, and check entitlement to Saymail Cloud credits. The data exchanged is described in Sections 2.1–2.2.
• Crash and error reporting (Sentry). When enabled, the app sends crash reports and unhandled-error events to Sentry (operated by Functional Software, Inc., d/b/a Sentry). Before transmission, every event passes through a redaction step that strips email addresses, Bearer tokens, password / secret / auth / cookie field values, operating-system usernames in file paths, and long opaque token-like strings. File attachments produced by the app are dropped entirely and never transmitted. Crash reports are used solely to diagnose and fix bugs.

The desktop application does not contain web analytics (e.g., PostHog) and does not transmit your email content, account credentials, or contact lists.

2.7 Website Analytics

Our website may use PostHog (PostHog, Inc.) for privacy-friendly product analytics — page views, feature usage, and aggregated funnel metrics. PostHog is loaded only after you accept analytics cookies via the cookie banner. If you reject or ignore the banner, no analytics script is loaded and no analytics cookie is set. The site otherwise uses only cookies strictly necessary for essential functionality (language preference, theme, and authentication for the affiliate dashboard).

3. Google API Services and Limited Use

Saymail connects to Gmail using Google's OAuth 2.0 flow and the Google Gmail API. This section describes which Google APIs we access, what data we receive, and how that data is used, transferred, and protected. It is the public statement required by Google's API Services User Data Policy for applications that use restricted Gmail scopes.

Limited Use commitment. Saymail's use of raw or derived user data received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3.1 Scopes requested

When you connect a Gmail account, Saymail requests the following OAuth scopes, displayed on Google's consent screen at the moment you connect:

• https://mail.google.com/ — restricted Gmail scope. Required to read, organise, compose, send, and permanently delete messages on your behalf. This is the core function of a full email client; Gmail's narrower scopes do not collectively cover all operations Saymail performs (such as expunging messages via IMAP).
• https://www.googleapis.com/auth/contacts.readonly — read-only access to your Google Contacts so Saymail can offer name and address auto-complete when you compose mail, and display sender names for incoming messages.
• email — your Google account's primary email address, used only to identify the connected account in the Saymail account list.

Saymail does not request any scopes that are not used. The scopes shown on Google's consent screen are the complete list.

3.2 What Google data Saymail receives

• Mailbox content: message headers, bodies, and attachments
• Labels, folders, read/unread state, stars, and other Gmail metadata
• Contact names and addresses (read-only)
• Your Google account's primary email address

All of this data is fetched directly from Google's servers to your device. No Sefaja-operated server is interposed in the Gmail data path.

3.3 OAuth token storage

The OAuth refresh token and short-lived access tokens issued by Google are stored in your operating system's secret store — Windows Credential Manager on Windows, Apple Keychain on macOS, and the Secret Service (GNOME Keyring / KWallet) on Linux. They are not written to Saymail's SQLite database in plaintext and are never transmitted to Sefaja's servers. You can revoke Saymail's access to your Google account at any time from your Google Account permissions page or by removing the account from Saymail.

3.4 Limited Use commitments in detail

Concretely, the Limited Use requirements mean the following for Saymail:

1. Use is limited to user-facing features. Google user data is used only to provide and improve the email-client, search, organisation, classification, drafting, and AI-assistance features the user invokes inside the Saymail application.
2. No advertising use. Saymail does not use Google user data, including any data derived from it, for advertising of any kind. The application contains no ads and Sefaja does not run an advertising business.
3. No human reading. Because Saymail is a local-first desktop application and Sefaja operates no server that holds a copy of your mailbox, Sefaja personnel have no ordinary means of reading your Gmail content. The narrow exceptions permitted by the Limited Use policy apply: (a) with your specific consent — for example, if you choose to attach a redacted message to a support request; (b) where necessary for security purposes such as investigating abuse; (c) where required to comply with applicable law; or (d) for internal operations and only after the data has been aggregated and anonymised so it can no longer identify a user.
4. No use for training generalised AI/ML models. Google user data — and any data derived from it — is not used to develop, improve, or train generalised AI or machine-learning models. In-app AI features call either a local model on your device (Section 2.4.1), a third-party provider whose key you supply (Section 2.4.2, where the provider's own data-use terms apply to your traffic), or our Saymail Cloud routing under a Zero Data Retention configuration that contractually prohibits the downstream provider from retaining or training on your content (Section 2.4.3).
5. No data transfer except as necessary. Saymail does not sell, rent, or share Google user data. Google user data is transferred off your device only when (a) you initiate a network operation against Google (sync, send, delete) which is the entire purpose of the application; (b) you explicitly invoke an AI action that uses BYOK or Saymail Cloud; (c) transfer is required to comply with applicable law; or (d) it is necessary to investigate a specific security incident.

3.5 Telemetry and Google user data

Saymail's optional crash- and error-reporting transport (Sentry, described in Section 2.6) runs every event through a redaction step before transmission that strips email addresses, bearer tokens, password / secret / auth / cookie field values, operating-system usernames in file paths, and long opaque token-like strings. Attachments and message bodies produced by the application are dropped entirely. This redaction is a Limited Use safeguard: it prevents Google user data from being transmitted to Sentry as a side-effect of diagnosing a crash.

3.6 Retention and deletion

Because Sefaja does not store a server-side copy of your Gmail data, we have no Gmail data to delete when you uninstall Saymail or disconnect a Google account. Locally, removing the account from Saymail deletes the synchronised mailbox content and tokens from your device, and uninstalling Saymail removes the local database. You can additionally revoke Saymail's access to your Google account from myaccount.google.com/permissions at any time, with immediate effect.

4. How We Use Your Information

• To provide and manage your Saymail license
• To send purchase confirmations and important product updates
• To process affiliate commissions and payouts
• To respond to support requests

5. Data Sharing

We do not sell, rent, or share your personal information with third parties, except:

• Lemon Squeezy, our Merchant of Record, to process payments, collect and remit VAT / sales tax, deliver license keys, manage machine activations, and issue invoices and refunds.
• OpenRouter, when you use Saymail Cloud, strictly to fulfill AI requests you initiate (Section 2.4.3).
• Sentry, when crash and error reporting is enabled, to receive redacted diagnostic events from the desktop application (Section 2.6).
• PostHog, only on the website and only after you accept analytics cookies, to receive product-analytics events (Section 2.7).
• As required by law or legal process

A complete list of sub-processors is available on our sub-processors page.

6. Data Security

We apply layered technical and organisational measures appropriate to the data we hold and to the data that lives only on your device.

• Encryption in transit. All communication between Saymail and Sefaja's services, between Saymail and Google's APIs, and between Saymail and the AI providers described in Section 2.4 uses TLS 1.2 or higher.
• Encryption at rest. The Saymail local database is stored under your operating-system user account and is protected by OS-level access controls. Account credentials — OAuth refresh tokens for Google and Microsoft, and IMAP/SMTP passwords — are stored in the OS secret store (Windows Credential Manager, Apple Keychain, or the Secret Service / GNOME Keyring on Linux), not in the Saymail database. Any third-party AI provider API keys you supply are additionally encrypted at the application layer.
• Access control. Sefaja staff have no access to the contents of your local Saymail database. Server-side systems we operate (the licensing service, the Saymail Cloud routing service, and website analytics) are accessible only by authorised Sefaja personnel using multi-factor authentication, with role-based access scoped to what each task requires.
• Diagnostic data minimisation. Crash reports, license traffic, and AI-routing metadata are minimised, redacted, and short-lived as described in Sections 2.4.3, 2.6, and 3.5.
• Vulnerability disclosure. Suspected vulnerabilities can be reported to security@saymail.eu. We acknowledge reports within three business days, keep researchers informed during investigation, and do not pursue legal action against good-faith research conducted in accordance with our disclosure policy.
• Incident response. In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Dutch Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, and we will notify affected users without undue delay where required under Article 34 GDPR.

No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

You have the right to access, correct, or delete your personal data. Contact us at privacy@saymail.eu to exercise these rights.

8. Cookies and Consent

Our website distinguishes two categories of cookies:

• Strictly necessary. Always set: language / locale preference, theme preference, and an authentication cookie for the affiliate dashboard. These cannot be disabled and do not require consent under the ePrivacy Directive.
• Analytics (optional). PostHog cookies are set only after you click Accept in the cookie banner. We default to not loading the analytics script; ignoring or rejecting the banner means no analytics cookie is set and no analytics request is made. Your choice is stored locally in your browser and you can change it at any time by clearing site data.

We do not use third-party advertising cookies and do not sell or share cookie data with advertisers.

9. International Data Transfers

Some of our sub-processors (notably Lemon Squeezy and the AI providers listed in Section 2.4.3) are established in the United States. Where personal data is transferred to the United States, we rely on the EU–US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795) and, where applicable, on the European Commission's Standard Contractual Clauses, supplemented by the technical and organisational measures described in this Privacy Policy and in our sub-processors' own documentation.

10. Children

Saymail is a productivity tool for professional and personal email use. It is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@saymail.eu and we will delete the information.

11. Business Customers (DPA)

If you use Saymail in the course of your business and act as a controller for personal data processed through Saymail Cloud, you can request a Data Processing Agreement (DPA) by emailing privacy@saymail.eu.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email where we have your address on file, and via a notice on our website. The Last updated date at the top of this page always reflects the date of the most recent revision.

13. Contact

If you have questions about this Privacy Policy, contact us at privacy@saymail.eu. Our full company details are listed on the Imprint page.