隱私權政策
最後更新:July 3, 2026
本文件目前僅提供英文版本。翻譯工作正在進行中。
1. Introduction
This Privacy Policy explains how Sefaja ("we", "our", "us"), operator of the Saymail product, collects, uses, and protects your personal information when you use our website (saymail.eu) and the Saymail desktop application. Our full company details are listed on the Imprint page.
Sefaja is established in the European Union, so an Article 27 GDPR representative is not required.
2. Information We Collect
2.1 Account Information
When you purchase Saymail, we collect your email address and order information. Payment processing is handled by our Merchant of Record, Lemon Squeezy, which is also responsible for collecting and remitting applicable VAT / sales tax and issuing invoices. We do not store credit card details. Order receipts will name Lemon Squeezy as the seller of record.
Marketing identifiers at checkout. If you have accepted the
Marketing cookie category (Section 2.8) and then proceed to our hosted
checkout, a small set of advertising identifiers is passed to the Lemon Squeezy checkout as
custom order fields so that a completed purchase can be attributed to the ad you clicked: the
Google click identifier (gclid), the Meta browser and click identifiers
(_fbp and _fbc), and a marketing-consent flag. These identifiers are
used solely for advertising conversion measurement (see Section 2.8) and are not
attached to checkout if you have not accepted marketing cookies.
2.2 License and Activation Data
We store your license key, activation status, and machine identifiers used to enforce per-machine activation limits. The machine identifier is a hardware-derived hash; where we additionally store a computer name, it is stored in a non-reversible (hashed) form.
- Legal basis: performance of the licensing contract between you and Sefaja (GDPR Art. 6(1)(b)) and our legitimate interest in preventing license abuse (GDPR Art. 6(1)(f)).
- Retention: for the lifetime of the license, plus up to 24 months thereafter for anti-abuse and accounting purposes. Upon a verified deletion request we replace identifying records with an anonymised license token so license validation continues to function.
- Revocation: you can deactivate a machine at any time from your customer dashboard or by emailing support@saymail.eu.
2.3 Email Data
Your email data stays on your computer. When you connect an email account to Saymail, the desktop application communicates directly with your provider (Google, Microsoft, or any IMAP/SMTP server) from your device and stores the synchronised data in a local SQLite database on your computer. Sefaja does not store your emails on our servers. The only cases in which email content leaves your device are described in Section 2.4 (AI processing, which occurs only on your explicit action) and Section 3 (Google API Services).
The local Saymail database may contain:
- Message headers (From, To, Cc, Bcc, Subject, Date, Message-Id, references)
- Message bodies in plain-text and HTML form
- Attachments, cached locally so they can be opened and re-attached when forwarding
- Folder and label structure, read/unread flags, stars, archive state
- Search indexes derived from your messages
- Drafts you have created in Saymail but not yet sent
The database lives under your operating-system user profile and is protected by the same OS-level access controls as the rest of your user files. Account credentials — OAuth refresh tokens for Google and Microsoft, and IMAP/SMTP passwords for self-hosted accounts — are not kept in the SQLite database. They are stored in your operating system's secret store (Windows Credential Manager, Apple Keychain, or the Secret Service / GNOME Keyring on Linux) and never transmitted to Sefaja's servers. Any third-party AI provider API keys you supply for BYOK use (Section 2.4.2) are encrypted at the application layer before being written to local storage.
2.4 AI Processing
Saymail offers three ways to use AI features. Each has different privacy implications.
2.4.1 Local model (e.g., Ollama). Email content is processed entirely on your computer. No data leaves your device. We have no visibility into local model usage.
2.4.2 Bring Your Own Key (BYOK). If you supply an API key from a third-party AI provider — currently supported: Anthropic, OpenAI, and Google — Saymail sends prompts and email content directly from your computer to that provider. We do not relay, log, or store this content. Your use of the provider is governed by that provider's privacy policy and terms, not ours, including any data-retention or model-training behaviour the provider may apply to its API. We make no Zero Data Retention claim for BYOK traffic. Your API key is stored encrypted in your local Saymail database and is never transmitted to our servers. Saymail only transmits message content to the AI provider when you explicitly invoke an AI action from the Saymail interface; no background processing of your mail takes place.
2.4.3 Saymail Cloud credits. When you choose Saymail Cloud, your prompts and email content are sent first to our routing service and then on to OpenRouter (OpenRouter, Inc.), which dispatches the request to an underlying language-model provider. This routing happens only when you explicitly invoke an AI action from the Saymail interface; no background processing of your mail takes place. For Saymail Cloud traffic, we exclusively configure OpenRouter with the Zero Data Retention (ZDR) options enabled, so OpenRouter and the downstream provider do not retain your content after the request and do not use it to train models. Our own routing service retains only the metadata needed to meter and bill credit usage (timestamp, license identifier, model used, token count, and HTTP status). It does not retain prompt or response content beyond the lifetime of the request, except for short-lived diagnostic logs (≤ 24 hours) used to investigate errors.
The ZDR claim in this section applies only to Saymail Cloud traffic, which we route exclusively through OpenRouter with ZDR options enabled. If you instead use BYOK (Section 2.4.2), the privacy and retention practices of the provider whose key you supply apply to your traffic, and we make no representation about them.
Sub-processor used for Saymail Cloud routing: OpenRouter, Inc. The current list of sub-processors is published at saymail.eu/legal/sub-processors and is updated when it changes.
2.5 Saymail Cloud Credit Purchases
When you purchase Saymail Cloud credits, we store the transaction (amount, date, license identifier) and the running credit balance. Payment details are handled by our payment processor; we do not store credit card details.
2.6 Desktop Application Telemetry
The Saymail desktop application contacts our servers in the following narrowly scoped cases:
- Update checks. The app periodically requests
https://saymail.eu/version.jsonto determine whether a newer version is available. The HTTP request transmits only the metadata that any HTTPS request transmits (your IP address at the moment of the request, an app User-Agent identifying Saymail and its version, and your operating system / architecture). We do not log update-check requests beyond standard short-lived web-server access logs. - License validation and activation. The app communicates with our licensing service (operated by us together with our Merchant of Record, Lemon Squeezy) to validate your license key, register and deactivate machine activations, and check entitlement to Saymail Cloud credits. The data exchanged is described in Sections 2.1–2.2.
- Crash and error reporting (Sentry). When enabled, the app sends crash reports
and unhandled-error events to Sentry (operated by Functional Software, Inc., d/b/a Sentry).
Before transmission, every event passes through a redaction step that strips email addresses,
Bearertokens, password / secret / auth / cookie field values, operating-system usernames in file paths, and long opaque token-like strings. File attachments produced by the app are dropped entirely and never transmitted. Crash reports are used solely to diagnose and fix bugs. - Usage analytics (PostHog). When you enable Send usage data (off
unless you opt in), the app sends pseudonymous product-usage events — for example that a
feature was used or a screen was opened — to PostHog (PostHog, Inc.), hosted
in the EU (
eu.i.posthog.com). These events are keyed to a random per-installation identifier that is not linked to your name, email address, or account, and never include email content, contact lists, or credentials. You can turn this off at any time in Settings; turning it off stops all further events. Legal basis: your consent (GDPR Art. 6(1)(a)), given by your affirmative in-app opt-in to Send usage data, which is off by default. You can withdraw it at any time in Settings. Retention: up to 7 years (84 months). - Server-side product events (PostHog). Two events are sent from our backend
rather than from the app:
trial started(when a trial is created) andllm call completed(when a Saymail Cloud AI request finishes). Both are gated on the same Send usage data opt-in. Each is keyed to a pseudonymous account identifier (a random UUID), not your name or email. The properties are limited to non-content metadata — fortrial started, the trial length and included credits; forllm call completed, the model used, a coarse purpose category drawn from a fixed list, and your remaining credit balance. They never include email content, prompts, or AI output. They are sent to PostHog, hosted in the EU. Legal basis: your consent (GDPR Art. 6(1)(a)), given by your affirmative in-app opt-in to Send usage data, which is off by default. You can withdraw it at any time in Settings. Retention: up to 7 years (84 months).
Aside from the pseudonymous usage analytics and product events described above — which are sent only if you opt in to Send usage data — the desktop application does not transmit your email content, account credentials, or contact lists.
2.7 Website Analytics
Our website may use PostHog (PostHog, Inc.) for privacy-friendly product analytics — page views, feature usage, and aggregated funnel metrics. PostHog is loaded only after you accept analytics cookies via the cookie banner. If you reject or ignore the banner, no analytics script is loaded and no analytics cookie is set. The site otherwise uses only cookies strictly necessary for essential functionality (language preference, theme, and authentication for the affiliate dashboard). This section covers analytics on our website only; the separate, opt-in product analytics sent from the desktop application is described in Section 2.6. Retention: website analytics events are stored in the same PostHog project as our product analytics and are retained for up to 7 years (84 months).
2.8 Advertising and Conversion Measurement
With your consent (the Marketing cookie category), our website uses the
Meta Pixel (Meta Platforms Ireland Limited) to measure the effectiveness of our
advertising and to reach relevant audiences. The pixel loads only after you accept marketing
cookies in the cookie banner; if you reject or ignore the banner, no Meta script is loaded and no
Meta cookie is set. When active it may set the _fbp first-party cookie and, if you
arrived from a Meta ad, record the associated click identifier (_fbc).
With the same consent, our website also uses the Google Ads tag (Google Ireland
Limited) for the same purposes. It likewise loads only after you accept marketing cookies; when
active it may set the _gcl_aw first-party cookie, which records the Google click
identifier (gclid) if you arrived from a Google ad. When you click a download link we
record an anonymous "trial download" conversion with Meta and Google so we can measure which ads
lead to installs.
If you complete a purchase after consenting to marketing cookies, we additionally send a
server-side Purchase event to Meta through the Meta Conversions API and to Google through
the Google Ads API. The Meta event contains the purchase value and currency, a one-way hashed
(SHA-256) form of your email address, and the _fbp / _fbc identifiers
above; the Google upload contains the purchase value, currency, order reference, and the
gclid identifier above. Meta and Google use these to attribute the conversion. We do
not send these events, and do not attach these identifiers to checkout, unless you have accepted
marketing cookies. Legal basis: your consent (GDPR Art. 6(1)(a), and the ePrivacy
Directive for the cookie access). You can withdraw consent at any time via the "Cookie
preferences" link in the footer.
3. Google API Services and Limited Use
Saymail connects to Gmail using Google's OAuth 2.0 flow and the Google Gmail API. This section describes which Google APIs we access, what data we receive, and how that data is used, transferred, and protected. It is the public statement required by Google's API Services User Data Policy for applications that use restricted Gmail scopes.
Limited Use commitment. Saymail's use of raw or derived user data received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
3.1 Scopes requested
When you connect a Gmail account, Saymail requests the following OAuth scopes, displayed on Google's consent screen at the moment you connect:
-
https://mail.google.com/— restricted Gmail scope. Required to read, organise, compose, send, and permanently delete messages on your behalf. This is the core function of a full email client; Gmail's narrower scopes do not collectively cover all operations Saymail performs (such as expunging messages via IMAP). -
https://www.googleapis.com/auth/contacts.readonly— read-only access to your Google Contacts so Saymail can offer name and address auto-complete when you compose mail, and display sender names for incoming messages. -
email— your Google account's primary email address, used only to identify the connected account in the Saymail account list.
Saymail does not request any scopes that are not used. The scopes shown on Google's consent screen are the complete list.
3.2 What Google data Saymail receives
- Mailbox content: message headers, bodies, and attachments
- Labels, folders, read/unread state, stars, and other Gmail metadata
- Contact names and addresses (read-only)
- Your Google account's primary email address
All of this data is fetched directly from Google's servers to your device. No Sefaja-operated server is interposed in the Gmail data path.
3.3 OAuth token storage
The OAuth refresh token and short-lived access tokens issued by Google are stored in your operating system's secret store — Windows Credential Manager on Windows, Apple Keychain on macOS, and the Secret Service (GNOME Keyring / KWallet) on Linux. They are not written to Saymail's SQLite database in plaintext and are never transmitted to Sefaja's servers. You can revoke Saymail's access to your Google account at any time from your Google Account permissions page or by removing the account from Saymail.
3.4 Limited Use commitments in detail
Concretely, the Limited Use requirements mean the following for Saymail:
- Use is limited to user-facing features. Google user data is used only to provide and improve the email-client, search, organisation, classification, drafting, and AI-assistance features the user invokes inside the Saymail application.
- No advertising use. Saymail does not use Google user data, including any data derived from it, for advertising of any kind. The application contains no ads and Sefaja does not run an advertising business.
- No human reading. Because Saymail is a local-first desktop application and Sefaja operates no server that holds a copy of your mailbox, Sefaja personnel have no ordinary means of reading your Gmail content. The narrow exceptions permitted by the Limited Use policy apply: (a) with your specific consent — for example, if you choose to attach a redacted message to a support request; (b) where necessary for security purposes such as investigating abuse; (c) where required to comply with applicable law; or (d) for internal operations and only after the data has been aggregated and anonymised so it can no longer identify a user.
- No use for training generalised AI/ML models. Google user data — and any data derived from it — is not used to develop, improve, or train generalised AI or machine-learning models. In-app AI features call either a local model on your device (Section 2.4.1), a third-party provider whose key you supply (Section 2.4.2, where the provider's own data-use terms apply to your traffic), or our Saymail Cloud routing under a Zero Data Retention configuration that contractually prohibits the downstream provider from retaining or training on your content (Section 2.4.3).
- No data transfer except as necessary. Saymail does not sell, rent, or share Google user data. Google user data is transferred off your device only when (a) you initiate a network operation against Google (sync, send, delete) which is the entire purpose of the application; (b) you explicitly invoke an AI action that uses BYOK or Saymail Cloud; (c) transfer is required to comply with applicable law; or (d) it is necessary to investigate a specific security incident.
3.5 Telemetry and Google user data
Saymail's optional crash- and error-reporting transport (Sentry, described in Section 2.6) runs every event through a redaction step before transmission that strips email addresses, bearer tokens, password / secret / auth / cookie field values, operating-system usernames in file paths, and long opaque token-like strings. Attachments and message bodies produced by the application are dropped entirely. This redaction is a Limited Use safeguard: it prevents Google user data from being transmitted to Sentry as a side-effect of diagnosing a crash.
3.6 Retention and deletion
Because Sefaja does not store a server-side copy of your Gmail data, we have no Gmail data to delete when you uninstall Saymail or disconnect a Google account. Locally, removing the account from Saymail deletes the synchronised mailbox content and tokens from your device, and uninstalling Saymail removes the local database. You can additionally revoke Saymail's access to your Google account from myaccount.google.com/permissions at any time, with immediate effect.
4. How We Use Your Information
- To provide and manage your Saymail license
- To send purchase confirmations and important product updates
- To process affiliate commissions and payouts
- To respond to support requests
5. Data Sharing
We do not sell, rent, or share your personal information with third parties, except:
- Lemon Squeezy, our Merchant of Record, to process payments, collect and remit VAT / sales tax, deliver license keys, manage machine activations, and issue invoices and refunds.
- OpenRouter, when you use Saymail Cloud, strictly to fulfill AI requests you initiate (Section 2.4.3).
- Sentry, when crash and error reporting is enabled, to receive redacted diagnostic events from the desktop application (Section 2.6).
- PostHog (hosted in the EU), to receive pseudonymous product-analytics events — from our website after you accept analytics cookies (Section 2.7), and from the desktop application when you enable Send usage data (Section 2.6).
- Meta (Meta Platforms Ireland Limited), only on the website and only after you accept marketing cookies, to receive Meta Pixel and Conversions API events for advertising measurement (Section 2.8).
- Google (Google Ireland Limited), only on the website and only after you accept marketing cookies, to receive Google Ads tag and Google Ads API conversion events for advertising measurement (Section 2.8).
- Supabase (Supabase, Inc., data stored in the EU), our backend edge-function and database provider for the website, to process license/order registration, the Lemon Squeezy purchase webhook, trial validation, server-side advertising conversion uploads, cookie-consent logging, and mobile-app lead capture.
- As required by law or legal process
A complete list of sub-processors is available on our sub-processors page.
6. Data Security
We apply layered technical and organisational measures appropriate to the data we hold and to the data that lives only on your device.
- Encryption in transit. All communication between Saymail and Sefaja's services, between Saymail and Google's APIs, and between Saymail and the AI providers described in Section 2.4 uses TLS 1.2 or higher.
- Encryption at rest. The Saymail local database is stored under your operating-system user account and is protected by OS-level access controls. Account credentials — OAuth refresh tokens for Google and Microsoft, and IMAP/SMTP passwords — are stored in the OS secret store (Windows Credential Manager, Apple Keychain, or the Secret Service / GNOME Keyring on Linux), not in the Saymail database. Any third-party AI provider API keys you supply are additionally encrypted at the application layer.
- Access control. Sefaja staff have no access to the contents of your local Saymail database. Server-side systems we operate (the licensing service, the Saymail Cloud routing service, and website analytics) are accessible only by authorised Sefaja personnel using multi-factor authentication, with role-based access scoped to what each task requires.
- Diagnostic data minimisation. Crash reports, license traffic, and AI-routing metadata are minimised, redacted, and short-lived as described in Sections 2.4.3, 2.6, and 3.5.
- Vulnerability disclosure. Suspected vulnerabilities can be reported to security@saymail.eu. We acknowledge reports within three business days, keep researchers informed during investigation, and do not pursue legal action against good-faith research conducted in accordance with our disclosure policy.
- Incident response. In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Dutch Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, and we will notify affected users without undue delay where required under Article 34 GDPR.
No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Your Rights
You have the right to access, correct, or delete your personal data. Contact us at privacy@saymail.eu to exercise these rights.
8. Cookies and Consent
Our website distinguishes three categories of cookies:
- Strictly necessary. Always set: language / locale preference, theme preference, and an authentication cookie for the affiliate dashboard. These cannot be disabled and do not require consent under the ePrivacy Directive.
- Analytics (optional). PostHog cookies are set only after you click Accept in the cookie banner. We default to not loading the analytics script; ignoring or rejecting the banner means no analytics cookie is set and no analytics request is made. Your choice is stored locally in your browser and you can change it at any time via the "Cookie preferences" link in the page footer. This cookie choice governs analytics on the website only: the desktop application uses no cookies, and its usage analytics is governed instead by the in-app Send usage data opt-in described in Section 2.6.
- Marketing (optional). Meta Pixel cookies (
_fbp, and_fbcif you arrived from a Meta ad) and the Google Ads cookie (_gcl_aw, if you arrived from a Google ad) are set only after you click Accept for the Marketing category in the cookie banner. We default to not loading the Meta or Google scripts; ignoring or rejecting the banner means no Meta or Google cookie is set and no Meta or Google request is made (see Section 2.8). Your choice is stored locally and can be changed at any time via the "Cookie preferences" link in the page footer.
To meet our obligation to demonstrate consent (GDPR Art. 7(1)), each banner decision (accept, reject, or a later change) is recorded with a timestamp under a random identifier that is also stored in your browser. This identifier is not linked to your name, email address, IP address, or any other personal data. If you ask us to, we will delete the records associated with your identifier; contact privacy@saymail.eu.
Advertising cookies are used only with your explicit, prior consent for the Marketing category (Section 2.8); they are never set if you reject or ignore the banner. We do not sell your personal data.
9. International Data Transfers
Several of our sub-processors are established in, or may process personal data in, the United States. These include Lemon Squeezy (payments) and the AI providers listed in Section 2.4.3; Sentry (Functional Software, Inc.), which receives redacted crash and error reports only when you enable them (Section 2.6); Netlify (Netlify, Inc.), which hosts our website and processes request and server logs, including IP addresses; and our website advertising and conversion-measurement recipients Meta (Meta Platforms Ireland Limited / Meta Platforms, Inc.) and Google (Google Ireland Limited / Google LLC), which receive Pixel / Conversions API and Google Ads tag / Ads API events only after you accept marketing cookies (Section 2.8).
PostHog (PostHog, Inc.) is a special case: the usage and product-analytics data
described in Sections 2.6 and 5 is sent to and stored on PostHog's EU infrastructure
(eu.i.posthog.com), so it stays within the EU/EEA. To the extent PostHog, Inc. (US)
may access that data for support or maintenance, such access relies on the safeguards described
below.
Where personal data is transferred to the United States, we rely on the EU–US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795) for sub-processors that are DPF-certified and, where applicable or as a fallback, on the European Commission's Standard Contractual Clauses, in each case supplemented by the technical and organisational measures described in this Privacy Policy and in each sub-processor's own documentation. A complete and current list of sub-processors, their locations, and the applicable transfer mechanism is published on our sub-processors page.
10. Children
Saymail is a productivity tool for professional and personal email use. It is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@saymail.eu and we will delete the information.
11. Business Customers (DPA)
If you use Saymail in the course of your business and act as a controller for personal data processed through Saymail Cloud, you can request a Data Processing Agreement (DPA) by emailing privacy@saymail.eu.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email where we have your address on file, and via a notice on our website. The Last updated date at the top of this page always reflects the date of the most recent revision.
13. Contact
If you have questions about this Privacy Policy, contact us at privacy@saymail.eu. Our full company details are listed on the Imprint page.