Privacy Policy

We believe in transparency. Here's how we protect your privacy and handle your data.

Effective: 26 August 2025
Last updated: 26 August 2025
1

Who is the controller

Datashop Ltd is the data controller for your personal data.

Address: Station F, 5 Parvis Alan Turing, 75013 Paris, France

Email: privacy@datashop.xyz

2

What we collect & why

Category
Examples
Purpose
Lawful basis
Account
Name, email, Google ID
Sign-in, account management
Contract (Art. 6(1)(b))
Service telemetry
Basic logs, error details (no email content)
Security, reliability
Legitimate interests (Art. 6(1)(f))
Gmail (optional)Optional
Headers (From, Subject, Date)Short, redacted snippets when needed (≤ ~1,500 chars)
Compute and show your Data Value and personal footprint
Consent (Art. 6(1)(a))

We do not store email bodies. We keep derived data only (totals, counts, brand/domain, last-seen) needed to present your Data Value and to support export/deletion.

3

Gmail scope (what, when, and how)

  • Scope we request: https://www.googleapis.com/auth/gmail.readonlyonly when you click Connect Gmail.
  • What we process:
  • Always: message headers (From, Subject, Date).
  • Sometimes (only if necessary): short, redacted text snippets to detect signals.
  • What we store: Derived aggregates only (no message bodies).
  • Your controls: Disconnect Gmail, Export, and Delete my data in-app (you can also disconnect from Google Account → Security).

Google "Limited Use" (required):

We use Gmail-sourced and Gmail-derived data only to provide user-visible features (your Data Value & dashboard). We do not use Gmail-sourced/derived data for advertising, and we do not sell or transfer it except as necessary to provide or secure the service. We store derived data onlyno email bodies.

4

How we process (privacy by design)

  • Data minimisation: headers-first; fetch minimal text only when needed to detect signals.
  • Ephemeral handling: any text we read is processed in memory and not stored; we keep only derived results.
  • Processing modes:
  • Default: local processing on our servers.
  • Optional (off by default): short, redacted snippets may be sent to a trusted AI processor (e.g., Google Gemini API or Microsoft Azure OpenAI) strictly to detect signals for your Data Value. If enabled, we disclose this clearly in-product. Providers do not train foundation models on your content under their terms.
5

Sharing & recipients

We share data only with:

  • Hosting & infrastructure: Vercel (hosting), Supabase (database), and similar providers needed to run Datashop.
  • Optional AI processor (only if enabled): receives redacted snippets (≤ ~1,500 chars) strictly to detect signals for your Data Value.
  • Compliance/security: when required by law or to protect rights.

We keep an up-to-date list of vendors at /en/sub-processors.

6

Trading & user-directed sharing

If you opt into offers or choose to share information with third parties, we enable that using non-Google sources (e.g., data you upload or connect that wasn't obtained via Google's APIs) or in ways that do not involve Gmail-sourced/derived data. Gmail-sourced/derived data stays purpose-limited to providing your Data Value and related in-product features.

7

Data retention

  • Session cookies: typically 7 days.
  • Derived aggregates & your export files: user-controlled; deleted when you click Delete my data or after 12 months of inactivity.
  • Security logs (no content): typically 30 days.

Minimal records may be retained to comply with legal obligations or resolve disputes.

8

Your rights

You can Access, Port, Delete, Rectify, Object/Restrict, and Withdraw consent at any time (withdrawal affects future processing).

How: use in-app controls (Disconnect, Export, Delete) or email contact@datashop.xyz.

You can also complain to your local supervisory authority (e.g., ICO in the UK or your EU authority).

9

International transfers

Your data may be processed outside your country. Where applicable, we rely on safeguards such as Standard Contractual Clauses. Ask us for details at contact@datashop.xyz.

10

Changes to this policy

We'll post updates here with a new effective date. For material changes, we may also notify you in-app or by email.

Quick reference (Gmail)

Requested when

you click Connect Gmail

Processed

headers + short, redacted snippets only when necessary

Stored

derived data only — no email bodies

Used for

computing and presenting your Data Value and enabling export/deletion

Never used (Gmail-sourced/derived)

advertising; sale/transfer except to provide or secure the service

Controls

Disconnect, Export, Delete anytime

Questions about your privacy?

We're here to help. Contact our privacy team anytime.

Contact Privacy Team