STAGING
KeepMyMail logo KeepMyMail

Privacy Policy

Effective date: March 27, 2026

Data Controller

The data controller for KeepMyMail is:

Adam Dobrawy
Sole proprietorship (jednoosobowa działalność gospodarcza)
NIP: 7011027851 | REGON: 388642835
al. Jerozolimskie 89/43, 02-001 Warszawa, Poland
Email: privacy@keepmymail.net

What KeepMyMail Does

KeepMyMail is a service that periodically fetches email from your POP3 or IMAP mailboxes and imports them into your Gmail account using the Gmail API. This privacy policy describes how we collect, use, protect, and share your information when you use our service.

Information We Collect

We collect only the minimum data required to provide the service:

  • Google account information — your name, email address, and profile picture, obtained via Google OAuth during sign-in.
  • Google OAuth tokens — access and refresh tokens used to import email into your Gmail account. These are encrypted with AES-256-GCM before storage.
  • Mailbox connection details — server hostname, port, username, and password for your POP3/IMAP mailboxes. Passwords are encrypted with AES-256-GCM before storage.
  • Mailbox configuration — protocol (POP3/IMAP), TLS mode, folder selection, Gmail label assignment, and delete-after-import preference.
  • Sync metadata — timestamps, message counts, and error logs generated during email import operations.
  • Subscription data — your email address and subscription plan, managed through Stripe.

Information We Do Not Collect

  • Email content — email messages are fetched from your POP3/IMAP server, held in memory only during the active import, and delivered directly to Gmail. Email content is never written to disk or persistent storage on our infrastructure.
  • Gmail passwords — we use Google OAuth 2.0 exclusively for authentication. There is no password-based login.
  • Payment card details — all payment processing is handled by Stripe. We do not receive, transmit, or store card numbers or payment credentials.

We process your IP address temporarily for security purposes such as rate limiting and abuse prevention. IP addresses are not stored permanently and are not used for marketing, advertising, or behavioral profiling.

How We Use Your Data and Legal Basis

We process your personal data for the following purposes:

Purpose Legal Basis (GDPR Art. 6)
Authenticate your identity and manage your accountContract performance (Art. 6(1)(b))
Fetch email from your POP3/IMAP mailboxes and import into GmailContract performance (Art. 6(1)(b))
Process payments and manage subscriptionsContract performance (Art. 6(1)(b))
Send transactional service notificationsLegitimate interest (Art. 6(1)(f))
Monitor errors and maintain service reliability (via Sentry)Legitimate interest (Art. 6(1)(f))

Google API Services — Limited Use Disclosure

KeepMyMail's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We request the following Google OAuth scopes:

  • openid, email, profile — to authenticate your identity and display your account information.
  • gmail.insert — write-only access to import email messages into your Gmail account. This scope does not allow reading, modifying, or deleting any existing emails.
  • gmail.labels — read-only access to your Gmail label names, so you can choose which label to apply to imported messages.

In accordance with the Limited Use requirements:

  • We do not use Google user data for advertising, retargeting, or any form of personalized or interest-based advertising.
  • We do not sell, rent, or transfer Google user data to third parties, data brokers, or information resellers.
  • We do not use Google user data to determine creditworthiness or for lending purposes.
  • Human employees do not read your Google user data unless you have given explicit consent, it is required by law, or it is necessary for security purposes.

Third-Party Service Providers (Subprocessors)

Provider Data Shared Purpose
CloudflareEncrypted application dataInfrastructure, hosting, edge compute
GoogleOAuth tokens, email content (imported to Gmail)User authentication, email import
StripeEmail address, subscription planPayment processing
ResendEmail addressTransactional email notifications
SentryError diagnostics, user email (for error context)Error tracking and monitoring

International Data Transfers

Your data is processed on Cloudflare's globally distributed infrastructure and may be transferred to countries outside the European Economic Area (EEA), including the United States. Where such transfers occur, they are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) and data processing agreements with each provider.

Data Security

  • Google OAuth tokens and mailbox passwords are encrypted with AES-256-GCM using unique initialization vectors before storage.
  • All network communication uses TLS 1.2 or higher, enforced by Cloudflare's edge network.
  • The database is protected by Cloudflare's platform-level encryption at rest.
  • Production database access is restricted to application code only — there is no direct external access.

Cookies and Sessions

KeepMyMail uses a single session cookie to keep you signed in. This cookie is:

  • HttpOnly — not accessible to JavaScript
  • Secure — transmitted only over HTTPS
  • SameSite=Lax — protected against cross-site request forgery
  • Expires after 7 days, requiring re-authentication

We do not use third-party tracking cookies, analytics trackers, advertising pixels, or behavioral profiling tools.

Data Retention

Data Category Retention Period Deletion Method
User account dataUntil account deletionHard delete from database
Google OAuth tokensOverwritten on each refresh; deleted with accountHard delete from database
Mailbox credentials and configurationUntil mailbox or account deletionHard delete from database
Sync history and notificationsUntil account deletionHard delete from database
Session data7 daysAutomatic expiration
Error logs (Sentry)90 daysManaged by Sentry

Account and Data Deletion

You can delete your account at any time from the Settings page in the KeepMyMail dashboard. When you delete your account:

  1. Your Google OAuth refresh token is revoked via Google's revocation endpoint.
  2. All your data is permanently deleted from our database.
  3. Your session is invalidated and the session cookie is cleared.
  4. Emails already imported to your Gmail remain in your Gmail account. They are owned by you, not by KeepMyMail.

Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data.
  • Restriction — request that we restrict processing of your data.
  • Data portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@keepmymail.net. We will respond within 30 days.

You also have the right to lodge a complaint with the supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
uodo.gov.pl

Children's Privacy

KeepMyMail is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@keepmymail.net.

Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email using the address associated with your account.

Contact

For privacy-related questions or to exercise your rights, contact us at:

Adam Dobrawy
al. Jerozolimskie 89/43, 02-001 Warszawa, Poland
Email: privacy@keepmymail.net