GDPR Compliance
Last updated: 2025-01-24
TenguMail is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page explains how we handle your personal data and what rights you have. For our full privacy practices, see our Privacy Policy.
Who we are
Data Controller: TenguMail
Contact Email: privacy@treetank.net
Location: Poland / European Union
We act as the Data Controller for personal data we collect directly from you when you use TenguMail. This means we determine why and how your personal data is processed.
When you use TenguMail to process emails from other people, you may be the Data Controller for that data, and we act as your Data Processor.
What data we collect and why
| Data type | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account data (email, password hash, name) | Account creation and authentication | Contract | Until account deletion |
| Email credentials (IMAP/SMTP host, username, password) | Connecting to your email server | Contract | Until config deletion |
| Email content (subject, body, attachments) | Processing by AI pipelines | Contract | Not stored (real-time only) |
| Pipeline configuration (prompts, tools, agent settings) | Providing the automation service | Contract | Until pipeline deletion |
| Conversation history (chat messages with AI agents) | Maintaining conversation context | Contract | 90 days (server) |
| Execution logs (pipeline runs, errors, timing) | Debugging and troubleshooting | Legitimate interest | 90 days |
| Security logs (login attempts, IP addresses) | Fraud prevention, security | Legitimate interest | 30 days |
| Payment records (transaction IDs, invoices) | Billing, legal requirements | Legal obligation | 7 years |
| Marketing preferences (newsletter subscription) | Product updates, tips | Consent | Until withdrawal |
Legal basis for processing
Under GDPR, we need a legal basis to process your personal data. Here is what we rely on:
Contract performance (Article 6(1)(b))
Most of our processing is necessary to provide you with the service you signed up for:
- Creating and managing your account
- Processing your emails through AI pipelines
- Storing your IMAP credentials to connect to your email server
- Executing your configured automations
- Processing payments and sending invoices
Legitimate interests (Article 6(1)(f))
Some processing is based on our legitimate interests, balanced against your rights:
- Security monitoring and fraud prevention (protecting all users)
- Maintaining execution logs for debugging when things go wrong
- Service improvement based on aggregated usage patterns
- Browser fingerprinting for session security
We have conducted balancing tests to ensure our interests do not override your rights.
Legal obligation (Article 6(1)(c))
Some processing is required by law:
- Maintaining financial records for tax purposes (7 years)
- Responding to valid legal requests from authorities
Consent (Article 6(1)(a))
We ask for your consent for optional processing:
- Marketing communications (you can unsubscribe anytime)
You can withdraw consent at any time through your account settings or by contacting us.
Your rights under GDPR
You have the following rights. We have tried to make them easy to exercise - most can be done directly from your account settings.
Right of access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise:
- Go to Settings > Account > Export Data
- Or use our API endpoint: /api/auth/gdpr-export
- Or email privacy@treetank.net
Right to rectification (Article 16)
You can correct any inaccurate personal data.
How to exercise:
- Update your profile in Settings > Account
- Update email configurations in Settings > Email
- If you cannot change something yourself, email us
Right to erasure (Article 17)
You can request deletion of your personal data, subject to certain exceptions (like legal retention requirements for payment records).
How to exercise:
- Go to Settings > Account > Delete Account
- Or email privacy@treetank.net
Note: After initiating deletion, there is a 14-day grace period during which you can cancel. After that, all your data is permanently and irreversibly deleted (cascade delete of all related records).
Right to data portability (Article 20)
You can receive your data in a structured, machine-readable format.
How to exercise:
- Go to Settings > Account > Export Data
- You will receive a JSON file containing all your data
- This includes: account info, configurations, pipelines, execution history
Right to object (Article 21)
You can object to processing based on legitimate interests.
How to exercise:
- Email privacy@treetank.net explaining your objection
- We will stop processing unless we have compelling legitimate grounds
- To stop a specific pipeline from processing, you can disable it in Pipelines
Right to restrict processing (Article 18)
You can ask us to restrict how we use your data while we address a concern.
How to exercise:
- Email privacy@treetank.net with details of your request
Right to withdraw consent
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
How to exercise:
- For marketing emails: use the unsubscribe link in any email
- For other consents: use Settings or email us
Right to lodge a complaint
If you are unhappy with how we handle your data, you can complain to your local supervisory authority.
Supervisory authorities:
- Poland: UODO (Urząd Ochrony Danych Osobowych)
- Other EU countries: Find your authority
We would appreciate a chance to address your concern first - please email us at privacy@treetank.net.
Response times
We will respond to your request within 30 days. If your request is complex, we may extend this by up to two months, but we will let you know within the first 30 days.
International data transfers
TenguMail is based in Poland (European Union) and our primary servers are located in the EU. However, when you use AI features, your email content may be sent to third-party AI providers located in the United States.
| Third party | Purpose | Location | Safeguards |
|---|---|---|---|
| OpenAI | AI email processing | USA | Standard Contractual Clauses |
| Anthropic | AI email processing | USA | Standard Contractual Clauses |
| Google (Gemini) | AI email processing | USA | Standard Contractual Clauses |
| LemonSqueezy | Payment processing | USA | Standard Contractual Clauses |
About Standard Contractual Clauses (SCCs)
SCCs are legal contracts approved by the European Commission that ensure your data receives equivalent protection when transferred outside the EU. All our US-based providers have signed SCCs and are committed to protecting your data according to EU standards.
You control which AI provider processes your emails. You can configure your preferred LLM provider in Settings > LLM. If you prefer to keep your data within the EU, you can use EU-hosted models when available, or self-host compatible models.
How we protect your data
We implement appropriate technical and organizational measures to protect your data. For full details, see our Security Overview.
- Encryption at rest: All sensitive data (credentials, API keys) encrypted with AES-256-GCM
- Encryption in transit: TLS 1.3 for all communications
- Per-user encryption: Each user's credentials encrypted with derived keys
- Access controls: Role-based access, audit logging of admin actions
- Data isolation: Strict tenant separation - users cannot access each other's data
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (UODO) within 72 hours of becoming aware
- Notify affected individuals without undue delay if the breach poses a high risk
- Document all breaches, their effects, and remedial actions taken
Contact us
For any questions about GDPR compliance or your data rights, please contact us:
Privacy inquiries: privacy@treetank.net
General support: support@treetank.net
Based on the nature and scale of our data processing, we are not required to appoint a Data Protection Officer. For privacy inquiries, please contact us at the email above.
Related policies
- Privacy Policy - Full details on what data we collect and how we use it
- Terms of Service - Your agreement with us
- Security Overview - How we protect your data
- Cookie Policy - How we use cookies
Changes to this page
We may update this page to reflect changes in our practices or legal requirements. Significant changes will be communicated via email and through the service.
Adapted from Basecamp's open-source policies, used under CC BY 4.0.