Privacy Policy

Version: 1.0-alpha. Last updated: 2026-05-22

This Privacy Policy describes how Castelis SAS (registered office in Ivry-sur-Seine, France — see Legal notice) processes personal data when you use Mail 4 AI as a User of the web console.

When Mail 4 AI processes email content on behalf of a customer (e.g. messages sent or received by an AI agent), Castelis acts as a data processor. Those processing activities are governed by the Data Processing Agreement.

1. Data controller

  • Controller: Castelis SAS, registered office in Ivry-sur-Seine, France.
  • DPO: dpo@mail4ai.eu.

2. Scope

This policy covers data we process as controller in connection with your User account and use of the console. It does not cover the content of emails routed for your agents — see the DPA for that.

3. Data we collect

| Category | Examples |
|---|---|
| Identity / contact | Email address, optional display name |
| Authentication | Password hash, sessions, OAuth tokens |
| Technical logs | IP address, user-agent, timestamps |
| Audit events | Account creation, login, configuration changes |
| Agent provisioning | Agent name, configured allowlists |

4. Purposes and legal bases (GDPR art. 6)

| Purpose | Legal basis |
|---|---|
| Providing the Service | Performance of the contract |
| Security, anti-abuse, audit logging | Legitimate interest |
| Service communications (activation, incidents) | Performance of the contract |
| Anonymous usage statistics | Legitimate interest |

No marketing processing during the alpha preview. No third-party advertising or analytics cookies.

5. Recipients

Data is accessed by authorised Castelis personnel only and by our technical sub-processor:

  • OVH SAS — hosting infrastructure (France/EU).

No other sub-processor is used during the alpha preview.

6. International transfers

None. All processing takes place within the European Union. Any future change will be notified and will rely on Standard Contractual Clauses (SCCs) or another art. 46 GDPR safeguard.

7. Retention

We retain the minimum legally required:

  • Account data: for the duration of the relationship + 30 days after deletion (automatic purge).
  • Connection / IP logs: 12 months (mandatory floor under French law — LCEN art. 6-II and decree 2021-1363).
  • Application technical logs (non-connection): 30 days, rolling.
  • Security audit logs: 12 months.
  • Email content routed for your agents: per the DPA — 30 days on the FREE tier.

8. Your rights (GDPR art. 15-22)

You may exercise the following rights free of charge by writing to dpo@mail4ai.eu: access, rectification, erasure, restriction, portability, objection, withdrawal of consent (where applicable), and — for any specifically requested fully-automated decision — the right not to be subject to such a decision.

We will reply within one month. You may also lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr.

9. Cookies

The Service uses only strictly necessary cookies: authentication session, CSRF token, language preference. No tracking, no analytics, no advertising cookies during the alpha. As these cookies are strictly necessary, no consent banner is required (ePrivacy / CNIL guidance).

10. Security

We apply technical and organisational measures aligned with GDPR art. 32, including encryption at rest and in transit, tenant isolation, antivirus scanning of attachments, audit logging, MFA for privileged personnel, least-privilege access, and encrypted backups. See the DPA Annex 2 for details.

11. Minors

The Service is not intended for users under 16. We do not knowingly collect data from minors below this age. If you believe a minor has provided personal data, contact the DPO.

12. Changes

We will publish updates here with a new version and date. Material changes will be notified by email or in the console at least 15 days before they take effect.