Privacy
Privacy Policy
How DeclutterMyMail handles mailbox access, metadata, payment metadata, retention, and support requests.
Stand: May 21, 2026
1. Controller
Privacy and support requests: support@decluttermymail.com.
2. Overview
DeclutterMyMail is a one-time IMAP mailbox cleanup service with no account and no subscription. We process personal data to connect your mailbox, scan metadata, build your cleanup plan, process your choices, take payment, run the cleanup, and provide support.
3. Data We Process
- Email address, IMAP/SMTP host, port, username, security mode, and encrypted credentials during the active session.
- Sender metadata, sender names and addresses, message counts, sizes, categories, dates, subject lines, read/starred flags, attachment flags, and unsubscribe headers.
- Cleanup selections, excluded messages, progress, summary data, receipt delivery status, unsubscribe attempt status, method, reason code, HTTP status, and optional reminder preferences.
- Stripe payment metadata such as checkout session ID, payment intent ID, payment status, amount, and webhook event ID. Card details are handled directly by Stripe.
- Technical logs, security events, Cloudflare Turnstile verification data, support emails, and information you include in support requests.
4. Data We Do Not Store
Email body content is not stored by the app. We do not store full message text and do not use mailbox data to train our own AI models.
Mailbox credentials are encrypted for the session and removed after cleanup completes or the session expires.
5. Legal Bases
| Purpose | Legal basis |
|---|---|
| Scan, cleanup plan, execution, and receipt | Art. 6(1)(b) GDPR |
| Payment processing and fraud prevention | Art. 6(1)(b) and Art. 6(1)(f) GDPR |
| Security, abuse prevention, troubleshooting, and logs | Art. 6(1)(f) GDPR |
| Optional reminders or non-essential cookies | Art. 6(1)(a) GDPR and § 25 TDDDG |
| Tax and legal retention duties | Art. 6(1)(c) GDPR |
6. Recipients And Service Providers
- Amazon Web Services (AWS), especially AWS region eu-central-1 (Frankfurt), for hosting, DynamoDB, SQS, Lambda, Fargate, KMS, and logs.
- Stripe Payments Europe, Ltd. for checkout, payments, receipts, and payment events.
- Cloudflare Turnstile for abuse protection when Turnstile is enabled.
- Your email provider, because IMAP/SMTP access, unsubscribe requests, moving messages to Trash, and sending receipt email operate through the connected mailbox.
- Support and infrastructure providers only where needed for operation, security, troubleshooting, or legal obligations.
We use Article 28 GDPR data processing agreements with processors. For transfers outside the EEA, we rely on adequacy decisions, EU-US Data Privacy Framework certification, or standard contractual clauses where required.
7. Retention
| Data category | Retention |
|---|---|
| Session records and mailbox metadata | 24 hours DynamoDB TTL |
| Encrypted credentials | Until cleanup completes or the session expires |
| Stripe webhook event records | 30 days TTL for payment idempotency |
| Production application and worker logs | 30 days |
| Payment and tax-relevant records | According to statutory retention periods |
| Messages moved to Trash | Provider retention; your email provider controls restore and permanent deletion |
9. Your Rights
- Access, correction, and deletion.
- Restriction of processing and data portability.
- Objection to processing based on legitimate interests.
- Withdrawal of consent for the future.
- Complaint to a data protection supervisory authority, especially where you live or with the Hamburg authority.
10. Automated Recommendations
DeclutterMyMail automatically classifies senders and messages to suggest cleanup candidates. The app does not make legally binding decisions about you under Art. 22 GDPR. You choose what to clean.