Privacy Policy — Mail-Organiser

Plain English Summary: Mail-Organiser classifies your emails using metadata only. We never read the body of your emails. We are a UK company, GDPR compliant, and you can delete your data at any time.

1. Who We Are

Mail-Organiser is operated by BakersGuild Limited, a company registered in England and Wales (the "Company", "we", "us", or "our"). Our registered office is in the United Kingdom.

For the purposes of UK GDPR and the Data Protection Act 2018, BakersGuild Limited is the Data Controller for personal data processed through the Mail-Organiser service.

You can contact us about data protection matters at: privacy@mail-organiser.com

2. What Data We Collect

2.1 Account Data

When you connect your Microsoft account to Mail-Organiser, we collect and store:

Your name and email address (from your Microsoft 365 profile)
Your Microsoft account ID (used to identify your account)
Your Microsoft OAuth token (stored securely, used to access the Graph API)
Your time zone (used to display activity in local time)

2.2 Email Metadata

When you run a scan, Mail-Organiser requests the following metadata from the Microsoft Graph API for each email analysed:

Sender email address and display name
Email subject line
Date and time received
Microsoft email message ID
Current folder location

We do not access, read, store, or transmit the body content of any email. This is an architectural constraint, not a policy choice — our API never requests email body data from Microsoft.

2.3 Classification Results

The category assigned to each email and whether it was flagged as protected are stored in our database to:

Enable the Inbox Score calculation
Support the "Undo Last Batch" feature
Provide activity history in your dashboard

2.4 Usage Data

Number of scans performed (for quota enforcement)
Feature usage events (for product improvement)
Error logs (for debugging, anonymised)

2.5 Billing Data

Payment processing is handled entirely by Stripe. We receive confirmation of payment status and your subscription plan level. We do not store card numbers or payment details — all billing data is held by Stripe under their own privacy policy.

3. How We Use Your Data

Purpose	Legal Basis
Providing the classification service	Contract performance (Article 6(1)(b))
Quota management and billing	Contract performance (Article 6(1)(b))
Fraud prevention and security	Legitimate interests (Article 6(1)(f))
Improving AI classification accuracy	Legitimate interests (Article 6(1)(f))
Legal compliance	Legal obligation (Article 6(1)(c))
Marketing communications (opt-in only)	Consent (Article 6(1)(a))

4. Who We Share Data With

We engage the following sub-processors to deliver the service:

Sub-processor	Purpose	Location
Cloudflare, Inc.	Infrastructure, edge compute, database, KV storage	EU/UK edge nodes
Microsoft Corporation	Outlook integration via Graph API	EU data residency
Anthropic, PBC	AI classification (metadata only, no email content)	USA (SCCs applied)
Stripe, Inc.	Payment processing and subscription management	EU/UK
Resend, Inc.	Transactional email delivery	USA (SCCs applied)

We do not sell your personal data to any third party. We do not share your data with advertisers.

5. International Transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place — specifically, Standard Contractual Clauses (SCCs) approved by the UK ICO (or their equivalent international data transfer agreement (IDTA)).

6. Data Retention

We retain personal data for as long as your account is active, and for a period thereafter as required by law or legitimate business purposes:

Account data: Retained until account deletion + 30 days
Classification metadata: Retained for 12 months from scan date
Billing records: Retained for 7 years (UK legal requirement)
Security logs: Retained for 90 days

See our full Data Retention Policy for details.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access: Request a copy of all personal data we hold about you
Right to rectification: Correct inaccurate or incomplete data
Right to erasure: Request deletion of your personal data ("right to be forgotten")
Right to restriction: Restrict how we process your data
Right to portability: Receive your data in a structured, machine-readable format
Right to object: Object to processing based on legitimate interests
Rights related to automated decision-making: Not to be subject to solely automated decisions that have significant effects on you

To exercise any of these rights, email privacy@mail-organiser.com. We will respond within 30 days. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

You can exercise your right to deletion directly within the Mail-Organiser task pane (Settings → Delete My Account).

8. Security

We implement industry-standard security measures to protect your data:

All data in transit is encrypted using TLS 1.3
OAuth tokens are stored encrypted at rest
Access to production systems is restricted by role
We conduct regular security reviews of our code and infrastructure
Sentinel monitors for prompt injection attacks in real-time

See our full Security Policy for details. To report a vulnerability, see our Vulnerability Disclosure Policy.

9. Cookies

Mail-Organiser uses only strictly necessary session cookies. We do not use tracking cookies, analytics cookies, or advertising cookies. See our full Cookie Policy for details.

10. Children's Privacy

Mail-Organiser is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at privacy@mail-organiser.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice in the Mail-Organiser task pane at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact:

BakersGuild Limited
Email: privacy@mail-organiser.com
Website: mail-organiser.com