Data Processing Agreement

Effective upon acceptance · GDPR-aligned

1. Parties and Roles

Data Controller: You ("User") — the individual or organization that connects email accounts to NextEmail.ai.

Data Processor: NextEmail.ai ("Company") — processes email data on behalf of the User according to this agreement.

2. Scope of Processing

2.1 Data Types Processed

Data Category	Examples	Processed
Email metadata	Subject, sender, recipients, dates, message IDs	Yes
Email body	Plain text and HTML content	Yes
Labels and folders	Gmail labels, Outlook folders, categories	Yes
Attachment metadata	File names, sizes, types	Yes
Attachment content	File binary data	No

2.2 Purpose of Processing

AI-powered email classification and folder organization
Security scanning for phishing, spam, and malicious content
Natural language email search
Two-way synchronization with email providers (Office 365, Gmail)

3. Sub-Processors

Zero sub-processors. All data processing occurs on NextEmail.ai's self-hosted hardware. No email data is transmitted to external cloud services, third-party AI providers, or any other sub-processor.

4. Data Location

All data is stored and processed in the United States on self-hosted, dedicated server infrastructure operated by NextEmail.ai. No data is transferred to other jurisdictions.

5. Security Measures

Encryption at rest: All stored data is encrypted
Encryption in transit: All communications use TLS 1.2+
Per-tenant isolation: Each user's data is stored in isolated directories
OAuth token encryption: Fernet symmetric encryption for all stored OAuth tokens
Access control: Service accounts with minimal required permissions
No shared AI models: AI inference does not mix data between users

6. Data Retention

Active account: Data is retained for the duration of the active account
Account deletion: All user data (emails, metadata, OAuth tokens, file storage) is permanently deleted within thirty (30) days of account deletion
Beta expiry: If the beta period ends and no paid subscription begins, data is retained for 30 days, then permanently deleted

7. Data Subject Rights

The Company supports the Data Controller in fulfilling data subject requests. Users may exercise the following rights:

Right	How to Exercise
Right of access	Contact support to request a copy of all stored data
Right to rectification	Update data via email provider; changes sync automatically
Right to erasure	Delete account via Settings page; all data removed within 30 days
Right to data portability	Request data export in standard format via support
Right to restrict processing	Disconnect mailbox to pause processing while retaining data

8. Breach Notification

In the event of a personal data breach, the Company shall:

Notify the Data Controller within seventy-two (72) hours of becoming aware of the breach
Provide details of the breach including: nature of the data affected, approximate number of records, likely consequences, and measures taken to mitigate
Cooperate with the Data Controller in meeting any regulatory notification obligations

9. Audit Rights

The Data Controller may request reasonable information about the Company's data processing activities and security measures. The Company shall make available all information necessary to demonstrate compliance with this Agreement.

10. Term and Termination

This DPA is effective for the duration of the beta program and any subsequent service agreement. Upon termination, the Company shall delete all personal data within thirty (30) days unless retention is required by applicable law.

11. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, United States. For users in the European Economic Area, the provisions of the GDPR shall also apply.

By checking the DPA checkbox during signup, you acknowledge that you have read, understood, and agree to be bound by the terms of this Data Processing Agreement.