Data Processing Agreement
Last updated: July 4, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, the controller) and AI Emaily, operated by Pointerflow LLC (“AI Emaily”, “we”, the processor), governing our processing of personal data on your behalf when you use the Services. It reflects the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and, where applicable, the CCPA/CPRA. Where this DPA conflicts with the Terms of Service on data protection, this DPA controls.
This page is the standard, self-serve version of our DPA. Business customers who need a countersigned copy can request one — see “Executing this DPA” below. Capitalised terms not defined here take the meaning given in the GDPR or our Terms of Service.
1. Roles of the parties
For the email, calendar, and contact content you connect and the personal data of your own contacts, you are the controller and AI Emaily acts as your processor, processing that data only on your documented instructions (the Services, this DPA, and your configuration). For your own account and billing data, AI Emaily is an independent controller as described in our Privacy Policy.
2. Subject matter, duration, nature & purpose
- Subject matter & nature: provision of an AI-native email client with an autonomous assistant that triages, drafts, schedules, and (on your instruction) sends email.
- Purpose: to deliver the Services you subscribe to.
- Duration: for the term of your subscription plus the deletion window in Section 8.
3. Categories of data & data subjects
- Data subjects: you, your teammates, and the people you correspond with.
- Personal data: account & profile data; email, calendar, and contact content you connect; usage and log data; and any personal data contained within messages processed by the assistant.
- Special categories: not intentionally processed; may incidentally appear in message content, which we treat as confidential and do not use to train models.
4. Customer instructions & obligations
We process personal data only on your documented instructions, including for international transfers, unless required by law (in which case we notify you where permitted). You are responsible for the accuracy and lawful basis of the data you provide and for having any notices or consents your use requires.
5. Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations and access data on a least-privilege, need-to-know basis. We do not read your message content except in the narrow cases described in our Privacy Policy (your explicit request during support, security, or legal requirement).
6. Security measures
We implement appropriate technical and organisational measures under Article 32 — including encryption in transit and at rest, envelope-encryption of secrets (OAuth tokens, keys), object-level authorisation, audit logging, least-privilege access, and human approval (Copilot) before sending in v1. Details are on our Security page, which forms part of this DPA as our description of measures.
7. Sub-processors
You provide general authorisation for us to engage the sub-processors listed on our Sub-processors page, each bound by data-protection terms no less protective than this DPA. We will give notice before adding or replacing a sub-processor so you can raise a reasonable objection; if we cannot resolve it, you may terminate the affected Services.
8. Data-subject rights & assistance
Taking into account the nature of the processing, we assist you with appropriate measures to respond to data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection), and with your obligations under Articles 32–36. Data subjects can also contact us directly through our data request form.
9. Personal data breaches
We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification obligations.
10. International transfers
Where processing involves a transfer of personal data outside the EEA or UK, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum) or another valid transfer mechanism, together with supplementary measures as appropriate. Sub-processor locations and safeguards are listed on the Sub-processors page.
11. Deletion & return
On termination, and at your choice, we delete or return your personal data and delete existing copies within a commercially reasonable period, except where law requires retention. Encrypted backups roll off on a short, defined schedule.
12. Audits
We make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and scheduling. We may satisfy audit requests by providing our security documentation and third-party reports.
13. Executing this DPA
This self-serve DPA applies to your use of the Services. If your organisation requires a countersigned copy or has specific terms to review, email support@aiemaily.com or use our data request form and we’ll arrange it. For questions about this DPA, contact the same address.
This document is provided as a template for transparency and is not legal advice; final terms for regulated or enterprise use should be confirmed with your counsel.