Data controller

Mailqor is operated by Mathis Zeghouani, Auch, France.

• Jurisdiction: France
• Contact: support@mailqor.com

Data we collect

We divide the information we process into the following categories to stay transparent with Google and Microsoft policies:

What we do not collect

• We never automatically read the content of your emails.
• Content is only processed when you manually trigger the AI analysis.
• We minimize data (links, domains, technical indicators only) and do not keep the raw body after the analysis finishes.

Browser permissions inside Gmail / Outlook

• Read the sender address directly from the email you have opened to render the badge (no mailbox connection required).
• Parse on-screen headers to check SPF, DKIM, and DMARC locally—no Gmail or Outlook API scopes are used.
• Capture the body only if you manually start the AI analysis; otherwise the content never leaves your browser.
• Disable or remove the extension at any time from your browser; Mailqor stores zero Google/Microsoft tokens.

Manual AI analysis storage & encryption

• Email snapshots from manual AI reviews stay with the conversation history (still encrypted) until you delete that conversation or account.
• Only the email content is encrypted with AES-256-GCM at rest and it is never stored in plaintext.

Gmail compliance (DOM-only, no API tokens)

Mailqor no longer connects to Gmail via OAuth. The browser extension simply reads the Gmail tab you already opened and keeps processing local.

This means:

The DOM-only model keeps Mailqor compliant with Google API Services rules while avoiding centralized storage.

Microsoft compliance (Outlook DOM-only)

Mailqor no longer requests Microsoft Graph scopes. The extension inspects the Outlook web interface you already use and parses headers inside the browser.

Data transfers outside the European Union

Some technical services (CDN, edge runtime, optional AI processing) may temporarily transfer data outside the EU.

When this happens we apply:

No Gmail or Outlook data is permanently stored outside the EU.

Transfers occur only when strictly necessary to run Mailqor (execution, CDN delivery, or on-demand AI processing).

Sous-traitants (Processors)

Nous utilisons les fournisseurs suivants pour faire fonctionner Mailqor :

On-demand AI processing via OpenRouter may transit briefly through model providers (e.g., OpenAI, Anthropic, etc.). We request customer-data training opt-outs whenever available. No data is used for advertising.

Purpose of processing

Each type of data serves a different goal:

Legal bases under GDPR

• Article 6(1)(b) – processing necessary to deliver the Mailqor service you requested.
• Explicit consent – granted when you approve Gmail/Outlook permissions for manual analysis.
• Legitimate interest – protecting our infrastructure and detecting abuse.

The core badge still works even if you decline content analysis.

Data retention

• Account data: retained until you delete the account.
• Trusted senders you add manually: until you remove them.
• Technical and access logs: 90 days.
• AI-reviewed content: deleted right after processing; only the message ID and outcome are stored.

Data sharing and hosting

• We never sell or rent your data to commercial third parties.
• We use vetted processors such as Vercel strictly to run the platform.
• Primary servers and databases are hosted within EU data centers to keep data close to French jurisdiction.

Cookies and analytics

• We do not use advertising cookies.
• For analytics we may rely on privacy-friendly tools without third-party trackers or ad profiling.

Manage your preferences in the site settings when available.

Security measures

• All traffic uses HTTPS/TLS.
• Sensitive tokens are hashed or encrypted at rest.
• Internal access is restricted to authorized personnel.
• We log IP address and timestamps for security/abuse prevention (kept 90 days).

Your GDPR rights

You can exercise these rights via settings or by emailing support@mailqor.com:

• Access and portability.
• Erasure of your account and personal data.
• Withdrawal of Gmail/Outlook permissions from your Google/Microsoft account.
• Right to object or lodge a complaint with the authority in your region.

We respond within 30 days and may request proof of identity when necessary.

You can also contact the competent supervisory authority (CNIL): https://www.cnil.fr/fr/plaintes

Minimum age

Mailqor is not intended for individuals under 16. We do not knowingly collect data about minors.

Security incident notice

If a breach poses a high risk to your rights, we will notify you and the competent authority within the applicable timeframe.

Account deletion

Deleting your account removes personally identifiable data from our systems. Aggregated or anonymized security logs may be retained to prevent future abuse.

Deletion timeline

Deleting the account removes personal data within 7 days. Aggregated or anonymized data may remain for statistics or abuse prevention. Connected permissions (Google/Microsoft) are revoked and caches are purged within the same window.

Updates to this policy

We may update this Privacy Policy when our product or legal obligations change. We will notify you of significant updates via email or in-app notice.

Contact

Questions about privacy? Contact support@mailqor.com.

Reference language

If translations differ, the French version prevails.