Privacy Policy
Last updated: March 2, 2026
This Privacy Policy explains how personal data is processed when using spr.marazfamily.eu, a webmail application for reading, sending, moving, and organizing email via Google OAuth, Microsoft OAuth, or direct IMAP login.
1. Data Controller
Controller: spr.marazfamily.eu service operator
Contact email: kornelko2@gmail.com
2. Categories of Personal Data
- Account identifiers (email address, provider type).
- Authentication/session data (OAuth access and refresh tokens, JWT session token).
- Email data required for service operation (message metadata and content where needed).
- Technical and security data (IP address, request logs, timestamps, error data).
- User-generated data in the app (labels, mailbox organization metadata).
3. Purposes and Legal Bases (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Account login and session management | Performance of a contract (Art. 6(1)(b)) |
| Mailbox access, message display, sending, moving, search and sync | Performance of a contract (Art. 6(1)(b)) |
| Service security, abuse prevention, incident handling | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations (if applicable) | Legal obligation (Art. 6(1)(c)) |
4. Data Recipients and Processors
To operate the service, personal data may be processed by infrastructure/providers including:
- Cloudflare Pages (frontend hosting/CDN).
- Google Cloud Run (backend runtime).
- MongoDB (data storage and cache).
- Google APIs / Google OAuth (when signing in with Google).
- Microsoft Graph / Microsoft OAuth (when signing in with Microsoft).
5. International Data Transfers
Depending on selected providers and hosting regions, data may be processed outside your country. Where required, transfers rely on applicable safeguards (such as adequacy decisions or standard contractual clauses) provided by the relevant processor.
6. Data Retention
- Session/JWT data: retained for active session lifetime and normal token expiry windows.
- OAuth tokens: retained only as needed to maintain authenticated access.
- Email cache and mailbox metadata: retained while needed for service performance or until deleted/replaced by sync operations.
- Security logs: retained for a limited period necessary for security and troubleshooting.
7. Data Subject Rights
Under GDPR, you may have the right to:
- Access your personal data.
- Request rectification or erasure.
- Request restriction of processing.
- Object to processing based on legitimate interests.
- Data portability (where applicable).
- Withdraw consent where processing is based on consent.
8. Complaints
You may lodge a complaint with your local data protection supervisory authority if you believe your personal data has been processed unlawfully.
9. Security
Reasonable technical and organizational measures are used to protect personal data, including transport security (HTTPS), authentication controls, and operational safeguards.
10. Third-Party OAuth Notice
If you use Google or Microsoft sign-in, additional processing is governed by those providers' own terms and privacy policies.
11. Children
This service is not intended for children under the age required by applicable law.
12. Changes to This Policy
This policy may be updated from time to time. Material changes will be reflected by updating the "Last updated" date on this page.
13. Contact
Contact: kornelko2@gmail.com