Mailflow LogoMailflow

Privacy Policy

Last Updated: June 11, 2026

1. Data Controller

Flowful AI
Nicolas Chourrout
Avenue Beau Séjour, 79A
1410 Waterloo, Belgium
VAT: BE 1010.797.804
Email: contact@mailflowai.com

2. Data Collected

  • From Google Sign-In: Name, email, profile picture.
  • From Emails: Gmail message and thread identifiers, signature templates you choose to store, and an in-memory copy of incoming email content used only to generate a draft reply. We do not store raw email content.
  • From Knowledge Base: Webpages, files, Q&A pairs you upload.
  • From Billing: We rely on Stripe for payment processing. Stripe stores cardholder data; Mailflow only stores your Stripe customer ID, plan, subscription status, and trial / period-end dates.
  • Automatically: Anonymous usage analytics via Umami (privacy-focused, no cookies required).

3. How We Use Data

  • We use data collected from Google Sign-In and Email content exclusively to provide and improve Mailflow's email drafting services. We do not store raw email content.
  • We do not use any user data obtained via Google Workspace APIs for developing or training generalized AI models.
  • For billing via Stripe (payment data processed externally).

Mailflow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Sub-processors

We share data with the following sub-processors:

  • Clerk — Authentication and Gmail OAuth token management (US, SCCs).
  • Hetzner — Infrastructure hosting for the frontend, backend, and self-hosted PostgreSQL database (Germany, EU).
  • Vectoria (Flowful AI) — Knowledge-base storage and retrieval, and orchestration of AI draft generation (EU).
  • OpenRouter — LLM gateway that routes email content to the underlying model provider for two purposes: generating a draft reply (the email being replied to plus relevant knowledge-base context), and, if you use AI smart-rule conditions (intent or sentiment), classifying an incoming email's sender, subject, and body, regardless of the rule's resulting action. Currently configured to use OpenAI's GPT-4o (US, SCCs).
  • Stripe — Subscription billing and payment processing (US/EU, SCCs).
  • Google — Gmail API access and Cloud Pub/Sub email notifications.

All providers are GDPR-compliant and process data under Data Processing Agreements (DPAs).

5. Cookies and Analytics

We use Umami for privacy-focused analytics. Umami does not use cookies and does not collect any personally identifiable information. All analytics data is anonymized and aggregated.

6. Data Retention

  • Retained while your account is active.
  • Deleted within 30 days of termination.

7. Security

  • JWT tokens authenticate frontend/backend communication over TLS.
  • Application-level access controls and parameterized queries.
  • Data encrypted in transit (TLS) and at rest.
  • CASA Tier 2 certified for Google Workspace integrations.

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (right to be forgotten).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time.
  • Lodge a complaint with your supervisory authority.

To exercise any of these rights, email contact@mailflowai.com.

9. Your Rights (CCPA / California residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and share.
  • Delete the personal information we hold about you (subject to legal exceptions).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of your personal information.
  • Not be discriminated against for exercising any of these rights.

Do Not Sell or Share My Personal Information: We do not sell or share personal information for cross-context behavioral advertising. We have no need or ability to do so under our current processing model.

To exercise any of these rights, email contact@mailflowai.com. We will verify your identity before responding and reply within 45 days.

10. International Transfers

Data may be transferred outside the EU via third parties (Clerk, Stripe, Google, and OpenRouter, which routes prompt content to the model provider used to draft your replies). We use Standard Contractual Clauses (SCCs) or other approved safeguards to ensure adequate protection.

11. Automated Decision-Making

Mailflow uses AI to generate draft email replies. These drafts are never automatically sent on your behalf; you review and approve every reply before it leaves your inbox. No automated decision producing legal or similarly significant effects (per GDPR Article 22) is made about you or your recipients.

12. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be posted on our website.

13. AI and Machine Learning Usage

  • No Generalized AI/ML Training: We do not use Google user data for training generalized AI models.
  • Personalized AI Assistance Only: AI features remain specific to your account.
  • No Third-Party Generalized AI Training: We do not share your data for third-party model training.