Data Processing Agreement

Terms used in this DPA and not otherwise defined have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Controller" and "Processor" have the meanings set out in Article 4 GDPR. "Services" means the SmartEmails email classification, reply drafting and related features provided to the Controller.

• Subject-matter: processing of Personal Data contained in the Controller's inbox for the purpose of classifying, prioritizing and drafting replies to emails.
• Duration: for the duration of the Services plus the retention period described in Section 7.
• Nature: collection, storage, transmission, analysis, automated classification via AI (Anthropic Claude), generation of draft replies.
• Purpose: providing the Services as described in the Controller's subscription.

Data Subjects:

• The Controller's authorized users
• Correspondents of those users (senders and recipients of emails in the users' inboxes)

Categories of Personal Data processed:

• Identification: name, email address
• Email metadata: sender, subject, date, thread ID
• Email preview ("snippet"): a short preview of the email body, capped at 400 characters and provided directly by Gmail or Outlook(the truncation is performed by the source mailbox provider, not by SmartEmails). This is the same one-line preview already visible in the user's inbox list.
• Full email body: transmitted to the AI provider at classification time only (see Section 8) and not persistedin SmartEmails' database. Recipients (To, Cc, Bcc) and attachments are not accessed, transmitted or stored.
• Derived data: AI-generated category, priority, and a short reason (one sentence) per email; cached AI thread summaries and extracted action items for threads opened in the Chrome extension.
• Draft replies: generated on demand when the user requests a draft, returned to the user, and not stored.
• Technical: OAuth tokens (encrypted at rest), session cookies, request logs.

The Controller determines the purposes and means of processing the Personal Data. The Controller is responsible for the lawfulness of the data it submits to the Services, including having a valid legal basis for processing correspondent data.

SmartEmails as Processor will: (a) process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service; (b) ensure that persons authorized to process Personal Data are under a duty of confidentiality; (c) implement the technical and organizational measures listed in Section 6; (d) assist the Controller in responding to Data Subject requests; (e) notify the Controller of Personal Data breaches without undue delay, and in any event within 72 hours of becoming aware.

The Controller authorizes SmartEmails to engage the subprocessors listed on the Subprocessors page to process Personal Data on its behalf. SmartEmails will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA.

SmartEmails will provide notice of any intended addition or replacement of subprocessors at least 30 days before the change. The Controller may object to such change in writing within 30 days on reasonable data-protection grounds; failing resolution, the Controller may terminate the affected Services.

SmartEmails implements the following measures (full detail at /security):

• Access control: OAuth 2.0, role-based access, strict tenant isolation at the database layer
• Encryption in transit: industry-standard TLS on all traffic
• Encryption at rest: database-level encryption; OAuth tokens encrypted at the application layer
• Data minimization: only metadata, the provider-supplied 400-character snippet and AI-derived classifications are persisted; full email bodies, recipients and attachments are not stored
• Incident response: monitored logs, 72-hour breach notification commitment
• Resilience: daily database backups retained for 30 days
• Vulnerability management: responsible-disclosure process at security@smartemails.ai

Upon termination of the Services, SmartEmails will delete or return all Personal Data to the Controller within 30 days, except where retention is required by applicable law. Backups are purged within 30 days of termination.

The Controller may at any time request earlier deletion by writing to privacy@smartemails.ai.

SmartEmails primarily processes Personal Data within the European Union. Where a subprocessor processes data outside the EU (e.g. Anthropic in the United States for AI classification), the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) as published in Commission Implementing Decision 2021/914, together with supplementary measures described at /subprocessors.

For AI classification, SmartEmails relies on Anthropic's standard commercial API terms. These terms contractually exclude customer-submitted data (including the email content transmitted at classification time) from being used to train Anthropic models — this is Anthropic's default policy applicable to all API customers since 2023. SmartEmails has not negotiated any additional terms beyond this standard agreement.

SmartEmails provides the Controller with tools to respond to Data Subject requests directly (access, rectification, export, deletion from within the application). For requests that cannot be served through the application, SmartEmails will assist the Controller at no additional cost, within the timeframes required by GDPR.

SmartEmails will provide the Controller, upon reasonable written request and no more than once per year, with the information necessary to demonstrate compliance with this DPA.

Liability under this DPA is governed by the Terms of Service. Nothing in this DPA excludes or limits liability where it cannot be excluded or limited by applicable law.

This DPA is governed by the laws of France. Disputes arising out of or in connection with this DPA are subject to the jurisdiction specified in the Terms of Service.

Questions, signed-copy requests, audit requests, Data Subject requests: privacy@smartemails.ai.