Privacy Policy
1. Data Controller
The data controller for the Evermail service is:
Ludoitte Oy
Email: privacy@evermail.ai
2. What Data We Collect
Account data
When you register, we collect:
- Name (first and last)
- Email address
- Password (stored as a salted hash, never in plain text)
- Organization/tenant name
- Timestamp and version of terms acceptance
Email archive content
You upload email archive files (PST, OST, MBOX, EML, Google Takeout) to the Service. The content of these files is processed and stored according to the security mode you select:
- Full Service: We process and index the content to provide search and AI features.
- Confidential Processing: Content is decrypted only within attested confidential compute environments.
- Zero-Access: Content is encrypted with your keys before upload. We store ciphertext only and cannot read it.
Usage and technical data
- IP address and user agent (for audit logs and security)
- Pages visited and features used (for improving the Service)
- Error logs and performance metrics
- Authentication events (login, logout, 2FA)
Payment data
Payment processing is handled by Stripe. We do not store your full credit card number. Stripe provides us with a customer ID, subscription status, and billing history. See Stripe's Privacy Policy.
3. Legal Basis for Processing (GDPR Article 6)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Service you signed up for, including account management, email parsing, search, and storage.
- Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, service improvement, and audit logging.
- Legal obligation (Art. 6(1)(c)) — Where required by Finnish law or EU regulation (e.g., accounting records).
- Consent (Art. 6(1)(a)) — For optional features such as AI-powered analysis, where applicable. You may withdraw consent at any time.
4. How We Use Your Data
- Provide and maintain the Service (email parsing, indexing, search, display)
- Authenticate you and manage your account
- Process payments and manage subscriptions
- Manage archive storage for the duration of your subscription
- Send transactional emails (account verification, password reset, billing)
- Monitor service health, security, and performance
- Generate anonymized, aggregated usage statistics
- Comply with legal obligations
We do not sell your personal data. We do not use your email archive content for advertising. We do not train AI models on your data.
5. Data Storage and Location
All data is stored on Microsoft Azure infrastructure in the European Union (West Europe and North Europe regions). This includes:
- Azure SQL Database (account data, email metadata, audit logs)
- Azure Blob Storage (email archive files, attachments, GDPR exports)
- Azure Key Vault (encryption keys, secrets)
Data does not leave the EU unless you explicitly grant access from outside the EU.
6. Sub-Processors
We use the following third-party services to operate Evermail:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, database, storage, encryption | EU (West Europe / North Europe) |
| Stripe, Inc. | Payment processing and subscription management | EU / US (Stripe processes payment data globally; see Stripe DPA) |
| Azure OpenAI Service | AI-powered search and email summaries (opt-in features) | EU (deployed in EU regions) |
| Azure Application Insights | Performance monitoring and error tracking | EU |
We will notify you before adding new sub-processors that handle personal data.
7. Data Retention
We retain data according to the following policies:
| Data Type | Retention Period |
|---|---|
| Email archives (Free tier) | 30 days from upload |
| Email archives (paid plans) | Duration of active subscription + 30-day grace period after cancellation |
| Account data | Until account deletion + 30-day grace period |
| Audit logs | Anonymized upon account deletion; retained for compliance |
| Payment records | As required by Finnish accounting law (6 years) |
| GDPR data exports | 7 days from generation (then auto-deleted) |
8. Your Rights Under GDPR
As an EU data subject, you have the right to:
- Access — Request a copy of all personal data we hold about you. Use the data export feature in your account settings, or contact us.
- Rectification — Correct inaccurate personal data via your account settings or by contacting us.
- Erasure ("Right to be Forgotten") — Delete your account and all associated data. You can initiate this from your account settings. We will anonymize audit logs, delete all mailboxes and blobs, and cancel any active subscription.
- Data Portability — Export your data in standard formats (JSON, EML). Available as a self-service feature in your account.
- Restriction of Processing — Request that we limit processing of your data in certain circumstances.
- Objection — Object to processing based on legitimate interest.
- Withdraw Consent — Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, use the self-service tools in your account or contact us at privacy@evermail.ai. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.
9. Cookies and Local Storage
Evermail uses minimal cookies and browser local storage:
- Authentication tokens (local storage) — Required for the Service to function. These are JWT access tokens and refresh tokens.
- Theme preference (local storage) — Remembers your light/dark mode choice.
- Anti-forgery cookies — Required by ASP.NET Core for form security.
We do not use third-party tracking cookies, advertising cookies, or analytics that track individual users across websites.
10. Security Measures
We protect your data through:
- Encryption in transit (TLS 1.2+) and at rest (Azure TDE, SSE)
- Optional client-side encryption (Zero-Access mode)
- Bring Your Own Key (BYOK) support
- Multi-tenant data isolation with global query filters
- Role-based access control with mandatory 2FA support
- Comprehensive audit logging of all sensitive operations
- Azure Key Vault for secrets and encryption key management
- Rate limiting and DDoS protection
- Security headers (HSTS, CSP, X-Frame-Options)
11. International Transfers
Your data is stored and processed within the EU. Stripe may process payment data outside the EU under Standard Contractual Clauses (SCCs) and Stripe's Data Processing Agreement. No other personal data is transferred outside the EU/EEA.
12. Children's Privacy
Evermail is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact
For privacy-related questions or to exercise your data rights:
Ludoitte Oy
Data Protection Contact: privacy@evermail.ai
General Support: support@evermail.ai
Supervisory authority: Finnish Data Protection Ombudsman
tietosuoja.fi