Privacy Policy

This Privacy Policy explains how SmashCo, Inc. ("Smashmail," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with Smashmail and any related websites, applications, and services (collectively, the "Service").

Smashmail provides AI-assisted email classification, drafting, and workflow support within existing email providers such as Gmail and Outlook. Smashmail does not replace your inbox. It operates on top of your existing email account and acts only with your authorization.

Except where we process data on behalf of an organization customer under a separate agreement, SmashCo, Inc. is the controller of the personal data described in this Privacy Policy.

Privacy Contact: privacy@smashmail.ai

Smashmail is available to individuals and businesses worldwide.

The Service is intended for users who are at least 13 years old, or older where required by local law. The Service is not intended for children, and we do not knowingly collect personal data from children. If we learn that we have collected personal data from a child in violation of applicable law, we will take reasonable steps to delete it.

Depending on how you use the Service, we may collect the following categories of personal data.

Smashmail's core privacy design is that it does not store email content in its own database. Email content is processed transiently in memory to provide requested features, is not persisted or cached by Smashmail after processing, and is discarded after the processing task completes. Drafts generated through Smashmail are created directly in Gmail or Outlook, and Smashmail stores only reference IDs needed to support those drafts or related actions. Smashmail does not store email bodies, subject lines, snippets, sender or recipient message metadata, or thread content in its database.

To personalize outputs, Smashmail may store derived, non-reversible features such as writing style, tone patterns, and vocabulary characteristics ("voice profile"). We do not store or reuse raw email content for this purpose. We may also use de-identified or aggregated service metrics and usage statistics for security, reliability, analytics, and product improvement, but not raw email content. For Google Workspace and Gmail data, Smashmail handles information in accordance with the Google API Services User Data Policy, including the Limited Use requirements.

Except where you explicitly ask us to review specific content, where you intentionally provide content to us in a support request, where access is necessary for security or abuse investigation, or where required by law, we do not permit our personnel to read email content. We do not use Google Workspace or Gmail data, or data derived from it, to create, train, or improve generalized or non-personalized AI or machine-learning models.

We use personal data for the following purposes:

• To create and manage accounts, authenticate users, connect authorized Gmail or Outlook accounts, and provide core functionality such as classification, drafting, workflow support, and nudges
• To personalize outputs and maintain your voice profile
• To process subscriptions, billing, invoices, and related records
• To communicate with you about the Service, including transactional and support communications
• To operate, maintain, secure, debug, and improve the Service
• To prevent abuse, fraud, and unauthorized access
• To measure product usage and performance
• To comply with legal obligations and enforce our agreements

Where required by applicable law, we rely on one or more of the following legal bases: performance of a contract with you; compliance with legal obligations; our legitimate interests in operating, securing, supporting, and improving the Service; and, where required, your consent, including for certain cookies or optional communications. If we ask you to provide personal data necessary to create an account, connect a mailbox, authenticate, or process payment, and you do not provide that data, we may not be able to provide the relevant feature or Service.

Where we rely on legitimate interests, those interests generally include operating the Service, securing accounts and systems, preventing abuse, understanding how the Service performs, supporting users, and improving reliability and usability in a way that is proportionate and does not override your rights and freedoms.

We collect personal data from the following sources:

• Directly from you, when you create an account, connect a mailbox, subscribe, contact support, respond to a survey, or otherwise use the Service
• From Google, Microsoft, or other email providers when you authorize the Service to access your account
• From payment processors such as Stripe
• From analytics, cookie, and security tools used on our website or app
• From enterprise customers, workspace administrators, or teammates, where you use the Service through an organization
• From communications that you or your organization send to us

These disclosures are intended to describe both data collected directly from users and data received from other sources in connection with operating the Service.

Smashmail does not use your email content to train generalized AI models.

Email content may be processed by AI or inference providers solely to provide requested features, such as classification, drafting, summarization, or workflow assistance. Where we use third-party AI or inference providers, we do so as service providers or processors acting on our instructions to perform the requested Service.

For Google Workspace and Gmail data, Smashmail does not transfer, sell, or use that data for advertising, data brokerage, creditworthiness, or training generalized or non-personalized AI/ML models. Any personalization based on such data is limited to the same user's requested, user-facing feature set, such as the voice profile described above.

We do not sell personal data.

We do not use Google Workspace or Gmail data for cross-context behavioral advertising. On public-facing marketing properties, we may use advertising or targeting technologies as described in our Cookie Policy and subject to applicable law.

We may disclose personal data only as necessary to operate the Service, including to the following categories of recipients:

• Email providers, including Google (Gmail) and Microsoft (Outlook)
• Payment processors, including Stripe
• Analytics providers, including Google Analytics and PostHog
• AI and inference providers that process email content transiently to provide requested features
• Hosting, infrastructure, security, logging, customer support, and communications vendors
• Professional advisors, auditors, insurers, or transaction counterparties, where reasonably necessary
• Government authorities, regulators, courts, or law enforcement where required by law or to protect rights, safety, and the Service

Depending on the feature you use, the information disclosed may include account data, organization data, usage data, billing data, support communications, draft reference IDs, and transient email content for processing only. We require service providers, processors, contractors, and similar vendors to handle personal data under contracts and only for authorized purposes.

We use cookies and similar technologies for:

• Authentication and session management
• Service functionality
• Security
• Product analytics

We may use advertising or targeting cookies on public-facing marketing properties as described in our Cookie Policy. Where required by law, we obtain consent before placing or using non-essential cookies. On our marketing site, we use browser timezone as a conservative approximation for when to show the initial consent banner to visitors in the EU, EEA, and UK. Outside that scope, non-essential cookies may be accepted by default. In prompted regions, the consent flow starts from Accept all, and you can change those choices before saving.

You can manage these choices through Cookie settings and our Cookie Policy, in addition to your browser settings.

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and protect the Service.

Our retention practices generally include the following:

• Account, contact, organization, settings, and connection data: retained while your account is active and thereafter only as needed for account closure, dispute resolution, compliance, and normal backup cycling
• Authentication tokens: retained while the relevant mailbox connection remains active; revoked, invalidated, or deleted when no longer needed, subject to limited backup retention
• Billing and transaction records: retained as necessary for billing, accounting, tax, chargeback, and contractual recordkeeping purposes
• Usage logs and diagnostics: retained for a limited period, generally 30 to 90 days
• Support and communications data: retained for as long as needed to respond to the matter and maintain reasonable business records
• Voice profile data: retained while your account is active or until it is reset or deleted
• Draft reference IDs and similar operational identifiers: retained as long as needed to support the associated feature, security, or audit trail
• Email content: not stored by Smashmail
• Backups: retained for a limited period, generally up to 30 days

If you delete your account or ask us to delete your personal data, we will delete or de-identify data from active systems within a reasonable period, subject to legal obligations, dispute resolution needs, fraud prevention, and backup cycling. Residual copies may remain in backups until those backups expire in the ordinary course.

We implement reasonable and appropriate administrative, technical, and organizational safeguards designed to protect personal data, including:

• Encryption in transit (such as TLS)
• Encryption at rest
• Role-based access controls
• Restricted internal access
• Monitoring and logging of system activity
• Protections for credentials and tokens, including encryption of OAuth access and refresh tokens at rest
• Key-management controls appropriate to the sensitivity of the data

Access to personal data is limited to authorized personnel and service providers who need that access to operate, secure, or support the Service.

Smashmail operates in the United States and may process personal data in other countries where we or our service providers operate.

If you are located in the EEA, UK, or Switzerland, and your personal data is transferred outside your jurisdiction, we use appropriate safeguards as required by applicable law. Those safeguards may include Standard Contractual Clauses and, where applicable, an adequacy decision such as the EU-U.S. Data Privacy Framework. You may contact us to request information about the safeguards that apply to your data transfers.

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete personal data
• Restrict or object to certain processing
• Receive portable copies of certain personal data
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority or regulator

These rights are not absolute and may be subject to exceptions under applicable law. Any portability request covers personal data we maintain about you; it does not include email content that remains stored only with your email provider. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority.

To exercise your rights, contact us at privacy@smashmail.ai or write to us at the address listed above. Where available, you may also use in-product settings or account tools to access, correct, disconnect integrations, or delete certain data. We may ask you to verify your identity before acting on a request, and we may request additional information where reasonably necessary to confirm that the request relates to the correct account. Authorized agents may submit requests on behalf of California residents where permitted by law and with appropriate written authorization.

We will respond within the time required by applicable law. For example, GDPR generally requires a response within one month, subject to extension in certain cases, and the CCPA generally requires a response within 45 days, subject to extension in certain cases.

This section supplements the rest of this Privacy Policy for California residents and describes Smashmail's information practices during the preceding 12 months, using categories aligned with California law.

If you access Smashmail through an employer, client, school, or other organization, that organization may provide us with account, role, workspace, or administrator information and may instruct us regarding provisioning, billing, access, retention, export, or deletion of business account data. In those cases, Smashmail may process certain personal data on the organization's behalf as a processor or service provider under a separate agreement. If your use of Smashmail is governed by an organization, you may need to direct certain privacy requests to that organization first.

Smashmail provides AI-generated suggestions and workflow assistance only. Smashmail does not make solely automated decisions that produce legal effects concerning you or similarly significantly affect you without human review. Users retain control over whether to act on suggestions, including whether to send an email or apply a draft.

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by email, in-app notice, or other means appropriate under applicable law, and we will update the "Last Updated" date above.

If you have questions about this Privacy Policy or would like to exercise your rights, contact: