Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
MAILRIVA
Schliemannstr. 41
10437 Berlin
Germany
support(at)mailriva.com
2. Overview of data processing
Mailriva is a locally executed desktop application. The core functions (email migration, backup, archiving) run entirely on the user's computer. Access credentials are processed locally as a matter of principle and are not transmitted to the Provider's servers, unless this is expressly required for a function requested by the user.
This Privacy Policy relates to data processing in connection with the website mailriva.com, its associated services (e.g. payment processing, license management, contact), and the processing of personal data in connection with the use of the app.
3. Data processing in the app
3.1 Local processing of access credentials.
The desktop app processes email account credentials (e.g. IMAP username, password, app passwords, and OAuth-based connection data or access tokens) locally on the user's computer as a matter of principle. Such data is not transmitted to the Provider's servers. The app uses this data exclusively to establish the connection to an email account requested by the user and to perform the function initiated by the user.
3.2 Local processing of email content.
Email content, folder or label structures, metadata, and attachments are processed directly between the user's local device and the servers of the email providers connected by the user. This applies in particular to migration, backup, and archiving. The Provider has no access to email content, attachments, or mailbox structures, unless the user actively transmits such information in the context of a support request or error analysis.
3.3 Processing of connected email accounts.
Mailriva processes data from connected email accounts exclusively to provide the function requested by the user. This includes in particular connecting to a source or destination mailbox, reading messages and folder information, copying or transferring emails, writing to a destination mailbox, and creating or using destination folders, destination structures, or labels, insofar as this is necessary for the function initiated by the user.
3.4 No use for advertising, profiling, or training purposes.
Data from connected email accounts is not used for advertising, profiling, data mining, credit checks, automated marketing purposes, or the training of general AI/ML models. There is no analysis of email content for purposes other than the functions requested by the user and visible within the app.
3.5 OAuth connections and accounts from Google, Microsoft, and other providers.
Where users connect accounts via OAuth or comparable authorisation procedures (e.g. Google or Microsoft), Mailriva uses the authorisation data obtained exclusively to connect the respective account within the app and to perform the function expressly requested by the user, such as migration, backup, or archiving. The authorisation data obtained is not sold, not used for advertising, and not transmitted to the Provider's servers insofar as this is not required for the function requested by the user.
3.6 Special notice regarding Google data.
Where Mailriva receives information from Google APIs or in connection with a Google OAuth connection, such information is used exclusively to provide the functions visible within the app and expressly requested by the user, such as connecting a Gmail account, backup, migration, or archiving. Google user data is not used for advertising, profiling, data mining, or the training of general AI/ML models. Information from Google APIs and Google OAuth connection data is stored only locally on the user's device and only for as long as necessary for the connection and the function requested by the user. Information from Google APIs is not shared with third parties, except where required to comply with legal obligations or where the user initiates such sharing. Employees of the Provider do not access Google user data unless the user actively submits corresponding information in the context of a support request. The use and transfer of information received by Mailriva from Google APIs complies with the Google API Services User Data Policy, including the Limited Use Requirements.
3.7 Special notice regarding Microsoft data.
Where Mailriva receives information from Microsoft APIs or in connection with a Microsoft OAuth connection, such information is used exclusively to provide the functions visible within the app and expressly requested by the user, such as connecting a Microsoft account, backup, migration, or archiving. Microsoft user data is not used for advertising, profiling, data mining, or the training of general AI/ML models. Information from Microsoft APIs and Microsoft OAuth connection data is stored only locally on the user's device and only for as long as necessary for the connection and the function requested by the user. Information from Microsoft APIs is not shared with third parties, except where required to comply with legal obligations or where the user initiates such sharing. Employees of the Provider do not access Microsoft user data unless the user actively submits corresponding information in the context of a support request.
3.8 Safeguards for sensitive data.
To protect sensitive data, Mailriva employs technical and organisational measures. These include in particular local processing of access credentials and email content on the user's device, encrypted connections to the servers of the respective email providers (e.g. TLS/SSL), no server-side caching of email content by the Provider, restriction of server-side processed data to information necessary for licensing, payment processing, support, and website operation, and restriction of access to personal data to cases where this is required for operation, support, or legal obligations.
3.9 Local storage and removal of connection data.
Where connection data, access credentials, or tokens are stored locally, this is done only to the extent and for the duration necessary for the use of the app or the function requested by the user. Users can remove such data by deleting the account in the app or by removing local app data.
3.10 License verification.
To validate a purchased pass, the app transmits the user's email address to the Provider's server. The legal basis is Art. 6(1)(b) GDPR (performance of contract).
4. Data processing on the website
4.1 Hosting (Vercel).
The website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When visiting the website, server logs are automatically created, which include, among other things, the IP address, time of access, requested path, and browser used. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and efficient website operation). The use of Vercel is based on Standard Contractual Clauses (SCCs) for data transfers to the USA.
4.2 Cookies.
The website uses only technically necessary cookies (e.g. session cookies for portal authentication). No tracking or advertising cookies are used. The legal basis is Art. 6(1)(f) GDPR and Section 25(2) TDDDG (technically necessary cookies).
4.3 No web analytics.
As of the date of this Privacy Policy, no web analytics services (e.g. Google Analytics, Matomo) are in use. Should such a service be introduced in the future, this policy will be updated accordingly.
5. Payment processing (Stripe)
We use Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA, for payment processing. During the payment process, payment data entered by the customer (e.g. credit card number, name, billing address) is transmitted directly to Stripe and processed there.
The Provider does not receive complete payment data from Stripe (e.g. no credit card numbers), but only a confirmation of successful payment along with reference data (transaction ID, email address, purchase amount).
The legal basis is Art. 6(1)(b) GDPR (performance of contract). The use of Stripe is based on Standard Contractual Clauses (SCCs). The Stripe Privacy Policy applies additionally.
6. Email delivery (Resend)
We use Resend, Inc. for sending transactional emails (e.g. magic links for portal login, purchase confirmations). The recipient's email address is transmitted to Resend for email delivery.
The legal basis is Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery).
7. Legal bases for processing
We process personal data on the following legal bases:
8. Recipients and third-party services
9. Retention periods
Personal data is only stored for as long as necessary for the respective processing purposes or as required by statutory retention periods:
10. Your rights as a data subject
Under the GDPR, you have the following rights regarding your personal data:
11. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
The supervisory authority responsible for the Provider is:
12. Privacy-friendly architecture
Mailriva has been designed with the principles of data minimisation (Art. 5(1)(c) GDPR) and data protection by design (Art. 25 GDPR):
13. Cookies and storage technologies
The website uses only technically necessary cookies. These serve to provide basic functionality (e.g. authentication in the customer portal). No cookies for marketing or tracking purposes are used.
Technically necessary cookies do not require consent under Section 25(2) TDDDG. The legal basis for the associated data processing is Art. 6(1)(f) GDPR (legitimate interest).
14. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in the legal situation or changes to the service or data processing. The current version is always available at mailriva.com/en/privacy.
15. Contact
For questions about data protection or to exercise your data subject rights, please contact:
support(at)mailriva.com