Privacy Policy

Last updated: March 2026

1. Controller

The data controller responsible for the processing of your personal data is the operator of Ping (hello@pingmail.app). You may contact us at any time for privacy-related questions.

2. What We Collect

Ping collects the minimum data needed to provide the service:

  • Your email address and password hash (for account creation via Supabase Auth)
  • Gmail OAuth access and refresh tokens (to read and send email on your behalf)
  • Email metadata and content synced from Gmail (subject, sender, body, timestamps, labels)
  • App preferences (theme, email signature, ritual streak counter)
  • Unsubscribe log entries (sender address, subject line)

3. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b) GDPR) — processing your account data, Gmail tokens, and email content is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security logging and abuse prevention to protect the integrity of the service.

4. How We Use Your Data

  • To sync, display, and send your emails
  • To power Ping Mode (inbox zero workflow)
  • We do not sell your data to third parties
  • We do not use your emails for advertising or profiling
  • We do not train AI models on your personal data

5. Data Storage & Processors

Your data is processed by the following sub-processors under data processing agreements:

  • Supabase — database (PostgreSQL) and authentication. Data is stored in the EU (Frankfurt, AWS eu-central-1). Gmail OAuth tokens are encrypted at rest. Row-Level Security ensures your data is only accessible to your account.
  • Vercel — application hosting and serverless functions (EU region where available). Vercel processes request data transiently; it is not persisted beyond log retention periods.
  • Google Gmail API — to sync and send your email. Your tokens are used exclusively to access your own Gmail account.

6. Cookies & Session Storage

Ping uses HTTP-only session cookies managed by Supabase Auth to keep you logged in. No third-party tracking or advertising cookies are used. Local Storage is used only for UI preferences (theme, compact view) — no personal data is stored there.

7. Data Retention

Your data is retained for as long as your account is active. When you delete your account, all personal data (emails, tokens, preferences, drafts) is permanently deleted within 24 hours. Gmail OAuth tokens are also revoked with Google at deletion time.

8. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

  • Access (Art. 15) — request a copy of the data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — delete your account and all data via Settings → Delete Account
  • Restriction (Art. 18) — request we limit processing of your data
  • Portability (Art. 20) — receive your data in a machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interest

To exercise any of these rights, email hello@pingmail.app. We will respond within 30 days.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. In Germany, the competent authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), or the supervisory authority in your EU member state.

10. Changes

We may update this policy. We will notify you by email of material changes. Continued use of Ping after changes constitutes acceptance.

11. Contact

Questions? Reach us at hello@pingmail.app.