1. Who We Are
Bye Bye Mails (“we,” “us,” “our”) operates the website byebyemails.com and the Bye Bye Mails application (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service.
If you have questions about this policy, contact us at privacy@byebyemails.com.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Your name and email address
- Authentication credentials (passwords are hashed and never stored in plain text)
- Account preferences and settings you configure
2.2 Email Data
When you connect your email account (Gmail, Outlook, or other providers), we access:
- Email content: Subject lines, message bodies (text and HTML), sender and recipient addresses, timestamps, and thread information
- Email metadata: Message IDs, thread IDs, labels/folders, read/unread status
- Attachment metadata: File names, sizes, and types (we do not download or store attachment files unless you explicitly request it in the future)
You choose how much email history the Service can access during onboarding. You can change this at any time in your settings.
2.3 OAuth Tokens
When you connect your email account, we receive OAuth access and refresh tokens from your email provider. These tokens allow us to read and send email on your behalf. Tokens are encrypted using AES-256-GCM encryption before storage and are never stored in plain text.
2.4 Usage Data
We collect anonymized usage data to improve the Service, including:
- Feature usage patterns (which features you use and how often)
- Performance data (page load times, error rates)
- Device and browser information
Usage data is collected via PostHog and is anonymized. We never include email content, recipient addresses, or personally identifiable information in usage analytics.
2.5 Information We Do NOT Collect
- We do not collect payment information (the Service is free)
- We do not collect location data
- We do not collect contacts or address books beyond what appears in your email
- We do not collect data from other apps on your device
3. How We Use Your Information
| Data | Purpose |
|---|---|
| Email content & metadata | To classify emails, generate daily briefings, power the chat interface, generate draft replies, and execute auto-replies when you enable autonomous mode |
| Account information | To authenticate you, personalize the Service, and send you transactional emails |
| OAuth tokens | To access your email on your behalf via your email provider's API |
| Usage data (anonymized) | To improve the Service, fix bugs, and understand which features are most valuable |
We never use your data for advertising. We never sell your data to third parties. We never use your email content to train AI models.
4. AI Processing
4.1 How Your Email Is Processed by AI
When the Service processes your email, the content (subject line, sender, and body text) is sent to the Anthropic Claude API for analysis. This includes:
- Classification: Determining the type, urgency, and category of each email
- Briefing generation: Synthesizing your recent emails into a daily summary
- Chat responses: Answering your questions about your email
- Draft generation: Creating reply drafts in your tone and style
4.2 Anthropic's Data Handling
We use Anthropic's Claude API under their commercial terms, which include zero-data-retention for API usage. This means:
- Anthropic does not store your email content after processing each request
- Anthropic does not use your email content to train or improve their AI models
- Your email data is transmitted to Anthropic's API via encrypted HTTPS connections
- For details, see Anthropic's privacy and usage policies
4.3 What the AI Cannot Do
- The AI cannot access emails from accounts you haven't connected
- The AI cannot send emails without your permission (unless you've explicitly enabled autonomous mode for specific categories)
- The AI cannot access your email provider password — it uses only the OAuth tokens you've authorized
5. Data Storage and Security
5.1 Where Your Data Is Stored
Your data is stored on Supabase, a managed PostgreSQL database platform hosted on Amazon Web Services (AWS) infrastructure. All data is stored in data centers within the United States.
5.2 Security Measures
- Encryption at rest: All data is encrypted at rest using AES-256
- Encryption in transit: All data is transmitted over TLS 1.2+
- OAuth token encryption: Email provider tokens are encrypted with per-user AES-256-GCM keys before storage
- Row-level security: Database access controls ensure users can only access their own data
- No plain-text passwords: All passwords are hashed using bcrypt
- Access logging: Every AI access to your email is logged with timestamps in an audit trail you can review
5.3 Data Retention
- Email data: Stored for as long as your account is active. You can restrict or expand the time range at any time.
- Chat history: Stored for as long as your account is active. You can delete individual conversations.
- Audit logs: Retained for 90 days, then automatically deleted.
- Usage analytics: Anonymized data is retained for up to 12 months.
6. Data Sharing
6.1 Third-Party Services
We share data with the following third-party services solely to operate the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | AI email processing | Email content for classification, briefing, chat, and drafts |
| Supabase | Database hosting | All stored data (encrypted) |
| Vercel | Web application hosting | Application code and static assets (no user data) |
| PostHog | Anonymized usage analytics | Anonymized feature usage events (no email content or PII) |
| Inngest | Background job processing | Job metadata (no email content) |
6.2 We Do NOT Share Data With
- Advertisers or ad networks
- Data brokers
- Any party for marketing purposes
- Any party for AI model training purposes
6.3 Legal Requirements
We may disclose your information if required to do so by law, such as in response to a valid court order, subpoena, or government request. We will notify you of such requests when legally permitted.
7. Your Rights
Regardless of where you live, we provide all users with the following rights:
7.1 Right to Access
You can view all data the Service has stored about you at any time through the Data Access settings page in the app.
7.2 Right to Delete
You can delete your account and all associated data at any time. When you delete your account:
- All email data, classifications, briefings, and chat history are permanently deleted within 30 days
- All OAuth tokens are immediately revoked and deleted
- All vector embeddings are deleted
- Anonymized analytics data may be retained (it cannot be linked back to you)
7.3 Right to Disconnect
You can disconnect an individual email account at any time. The OAuth token is immediately revoked and the Service stops accessing that email account instantly.
7.4 Right to Restrict Processing
You can pause AI processing of your email at any time without deleting your data.
7.5 Right to Data Portability
You can export all your data in a standard machine-readable format (JSON) at any time from the Data Access settings page.
7.6 Right to Object
You can object to any specific type of processing. Contact us at privacy@byebyemails.com.
8. Additional Rights for EU/EEA Residents (GDPR)
If you are located in the EU/EEA, you have additional rights under GDPR:
- Legal basis: We process your email data based on your explicit consent. You can withdraw consent at any time by disconnecting your account.
- Data Protection Officer: Contact privacy@byebyemails.com.
- Right to lodge a complaint: You may file a complaint with your local data protection authority.
- International data transfers: We rely on Standard Contractual Clauses (SCCs) for international data transfers.
9. Additional Rights for California Residents (CCPA)
- Right to know: You can request a detailed report of personal information collected in the preceding 12 months.
- Right to delete: See Section 7.2.
- Right to opt out of sale: We do not sell your personal information.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
10. Children's Privacy
The Service is not intended for use by anyone under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children.
11. Cookies
We use only essential cookies required for the Service to function (authentication and session cookies). We do not use advertising or tracking cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes at least 14 days before they take effect.
13. Contact Us
If you have any questions:
- Email: privacy@byebyemails.com
- Website: byebyemails.com