Privacy Policy
1. Introduction
Evermail ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Evermail service (www.evermail.ai and app.evermail.ai).
We are a data controller established in the European Union. All processing complies with the General Data Protection Regulation (GDPR) (EU) 2016/679.
2. Data We Collect
Account information
When you create an account, we collect your email address, name (if provided), and authentication credentials (hashed password or OAuth token from Google/Microsoft).
Email archive data
When you upload mailbox files (.mbox, PST, EML, etc.), we process and store the contents, including email headers, body text, and attachments. This is the primary data you entrust to us and is treated with the highest level of protection.
Usage data
We collect anonymised usage logs (search queries, page views, feature usage) to improve the service. We do not link these to individual email content.
Billing information
Payment processing is handled by Stripe. We store only a Stripe customer reference — we never see or store your full card number.
3. How We Use Your Data
- Provide the service: Index and search your uploaded email archives.
- AI features: Power AI search and email summaries (Pro plans and above). We never use your email content to train AI models.
- Account management: Send transactional emails (account confirmation, billing receipts, security alerts).
- Service improvement: Analyse anonymised usage patterns to improve performance and features.
- Legal compliance: Meet our obligations under GDPR and applicable EU law.
4. Data Storage and Security
EU data residency
All data is stored on Azure infrastructure in EU regions (West Europe / North Europe). Your data never leaves the European Economic Area.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). For Pro plans and above, you may choose "Confidential Processing" mode where decryption only occurs within an attested Trusted Execution Environment (TEE). Enterprise users may select "Zero-Access" mode where encryption and decryption occur entirely on your device — we store only ciphertext.
Access controls
Access to production data is restricted to a minimal set of authorised personnel. All access is logged and audited. We use Azure Key Vault for secrets management.
5. Data Retention
- Free plan: Email data is automatically deleted 30 days after upload.
- Paid plans: Email data is retained for as long as your subscription is active. After cancellation, a 30-day export grace period applies, after which data is permanently deleted.
- Enterprise GDPR Archive: Immutable WORM (write-once, read-many) storage. Data cannot be deleted during the retention period, as required by compliance rules.
- Account data: Retained for as long as your account is active plus 90 days after deletion for legal/fraud prevention purposes.
6. Your Rights Under GDPR
As an EU data subject, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data ("right to be forgotten").
- Right to data portability: Export your email archive in EML or MBOX format at any time.
- Right to object: Object to processing of your data in certain circumstances.
- Right to restrict processing: Request that we limit how we use your data.
To exercise any of these rights, email privacy@evermail.ai. We will respond within 30 days.
7. Third-Party Services
- Stripe: Payment processing. Subject to Stripe's privacy policy.
- Azure (Microsoft): Cloud infrastructure for storage and compute. All services are provisioned in EU regions under our EU Data Processing Agreement with Microsoft.
- Application Insights: Anonymised application performance monitoring (no email content).
We do not sell your personal data to any third party.
8. Cookies
We use strictly necessary cookies for authentication and session management. We do not use tracking or advertising cookies. No consent banner is required for strictly necessary cookies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before significant changes take effect. The latest version is always available at www.evermail.ai/privacy.
10. Contact
Data Controller: Evermail
Contact: privacy@evermail.ai
EU Representative: Available upon request.
You have the right to lodge a complaint with your national data protection authority. In Finland, this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu).