Last updated: June 2026

GDPR & Data Protection

Deepbluework is built privacy-first and is committed to the EU General Data Protection Regulation (GDPR). You stay in control of your data and can export or permanently erase it at any time.

1. Roles: controller & processor

For the personal data of your organisation’s users (mailboxes, contacts, calendar, notes), your organisation is the data controller and Deepbluework acts as the data processor, processing that data on your instructions to provide the service. For account and billing data we hold about the account owner, Deepbluework is the controller.

2. What we process & why (lawful basis)

  • Account & domain data (admin name, email, domain) — to operate your account. Basis: contract.
  • Mailbox & collaboration data (emails, contacts, calendar events, notes, rules, groups) — to deliver the service you requested. Basis: contract / your instructions.
  • Security & audit data (last login time, IP address) — to protect accounts. Basis: legitimate interest.
  • Billing data (handled by Stripe) — to take payment. Basis: contract / legal obligation.

We do not sell your data, serve ads, or scan message content for advertising.

3. Your rights

Under the GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — have your data deleted.
  • Portability — receive your data in a portable format (email via IMAP, calendar via ICS).
  • Restriction & objection — limit or object to certain processing.
  • Withdraw consent and lodge a complaint with your supervisory authority.

4. Erasing your data

Domain administrators can permanently erase their entire organisation at any time from Admin → Company Settings → Danger Zone → “Forget this domain”. This removes the domain and every user along with all mailbox settings, rules, groups, notes, contacts, calendar data and usage records, and cancels any active subscription.

To erase a single user’s data, remove the user from Admin → Users & Groups. For any request that can’t be completed through self-service, contact us via the feedback form; we will action verified erasure requests within 30 days.

5. Data retention

We keep your data for as long as your account is active. After erasure, data is removed from our application database immediately; backups containing residual copies are rotated out within 30 days. Billing records may be retained longer where required by law.

6. Sub-processors & transfers

We use a small number of vetted sub-processors (e.g. payment processing via Stripe and our hosting/email infrastructure providers) strictly to deliver the service. Where data is transferred outside the EEA, it is protected by appropriate safeguards such as Standard Contractual Clauses.

7. Security

Data is encrypted in transit (TLS) and at rest. Encrypted Notes use additional end-to-end, zero-knowledge encryption so their contents are never readable by us. Access to production systems is restricted and audited.

8. Data breach notification

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected customers without undue delay.

9. Contact & Data Protection

For any data protection question or to exercise your rights, use our feedback form or write to the address shown on your billing receipts. See also our Privacy Policy and Terms of Service.