Privacy Policy

1. Controller

LindenTech - IT Consulting
Owner: Gulpari Gaibulloeva
Kuckhoffstrasse 10
52064 Aachen, Germany

Email: info@lindentech.de
Phone: +49 (173) 2131713

2. What This Policy Covers

This policy covers the public website, authentication flows, tenant administration, Gmail connector setup, mailbox synchronization, AI draft generation, review workflows, audit logging, retention automation, and data subject request workflows provided by LindenTech AI Email Platform.

3. Personal Data We Process

• Account and organization data such as name, email address, tenant membership, and role.
• Authentication and security data such as session data, IP address, device/browser metadata, and sign-in activity.
• Mailbox data processed through the Gmail connector, including email subjects, bodies, headers, attachments, thread metadata, and message identifiers.
• AI workflow data such as prompts, generated drafts, risk classifications, citations, approved replies, and knowledge-source content.
• Operational and compliance data such as audit events, DSR requests, retention-policy settings, and connector status information.
• Technical website data such as server logs and essential cookies needed for secure authentication and platform operation.

4. Why We Process Personal Data

• To provide secure access to the platform and manage tenant memberships.
• To connect Gmail mailboxes and synchronize shared mailbox state.
• To generate, review, approve, reject, or send AI-assisted reply drafts requested by tenant users.
• To maintain auditability, enforce retention and legal-hold policies, and fulfill data subject requests.
• To protect the platform, investigate abuse, and maintain service reliability.
• To communicate about support, security, and service operations.

5. Legal Bases

We process personal data on the following legal bases where applicable:

• Art. 6(1)(b) GDPR, where processing is necessary to provide the requested service and perform our contract with customers.
• Art. 6(1)(c) GDPR, where processing is necessary to comply with legal obligations.
• Art. 6(1)(f) GDPR, where processing is necessary for legitimate interests such as service security, abuse prevention, incident response, and platform reliability.
• Art. 6(1)(a) GDPR, where consent is specifically required and obtained.

6. Google User Data

If you connect Gmail, we access Google account data and Gmail message data only to provide mailbox visibility, AI drafting, review, and sending features requested by your tenant. We do not use Google Workspace API data to develop, improve, or train generalized AI or machine-learning models. Access is limited to the features you enable and to the permissions granted during OAuth authorization.

The use of information received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

• We use Gmail and other Workspace API data only for user-facing mailbox, drafting, review, and delivery features inside this application.
• We do not sell Workspace API data and do not use it for advertising, profiling, or credit-related decisions.
• We do not use Workspace API data to create, train, or improve generalized AI or machine-learning models.
• Human access to connected mailbox data is limited to cases required for support, security, legal compliance, or other user-authorized operations.

7. Storage, Retention, and Deletion

• Email content and AI draft data are retained according to the tenant retention policy. The default retention period is 365 days.
• Audit events are append-only and may be retained longer where required for security, compliance, or evidentiary reasons.
• Knowledge-source content remains available until deleted, invalidated, or replaced by tenant administrators.
• Connector secrets are stored through Vault-backed credential references and remain active until the connector is removed or rotated.
• Retention purges can be paused by legal hold, and DSR delete workflows use anonymization where necessary to preserve thread integrity for other participants.

8. Subprocessors and International Transfers

We use infrastructure and service providers necessary to operate the platform, including Neon (database), AWS S3 (object storage), Vercel (hosting), Inngest (job orchestration), LiteLLM and the configured upstream AI provider, Google (OAuth/Gmail), and self-hosted Vault infrastructure. Our operating model is EU-region-first, but some providers may rely on SCC or DPF-backed transfer mechanisms where cross-border processing is necessary.

Inngest is a documented exception for metadata-only job orchestration. Email body content is not included in Inngest event payloads.

9. Security Measures

We use technical and organizational measures appropriate to the risk, including TLS for data in transit, provider-managed encryption at rest, role-based access controls, credential indirection, audit logging, and fail-closed policy checks where unsafe actions would otherwise occur.

10. Your Rights

Subject to applicable law, you may request access, rectification, erasure, restriction, objection, and data portability. You may also raise concerns with the competent data protection authority. Tenant owners can also use the in-product DSR workflows where available.

11. Cookies and Website Logs

We use essential cookies and similar mechanisms required for authentication, session continuity, and secure platform operation. Our hosting stack may also record server logs such as IP address, timestamp, user agent, and request metadata to keep the service secure and reliable.

12. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. The current version will always be published on this page with the latest revision date.