Privacy Policy / Politique de Confidentialité

Last updated: April 7, 2026 | Dernière mise à jour : 7 avril 2026

Company: ICRAFT SAS — 58 Rue de Monceau, 75008 Paris, France — RCS Paris 992 314 237

Contact: [email protected]

1. Introduction

BumbleBox ("we", "our", "us") is an AI-powered email management platform operated by ICRAFT SAS. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at bumblebox.ai.

BumbleBox connects to your email accounts via IMAP/SMTP protocols to classify, organize, and help manage your email. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable French data protection laws.

2. Information We Collect

2.1 Account Information

• Email address (used for authentication)
• Display name (from Google OAuth or manual entry)
• Profile photo (from Google OAuth, if available)

2.2 Email Account Credentials

• IMAP/SMTP server details, email address, and app-specific passwords for connected email accounts
• Google OAuth tokens (for Gmail connections)
• All credentials are encrypted with AES-256-GCM at rest

2.3 Email Metadata

• Sender, recipient, subject, date, folder information
• Email classification results (spam, newsletter, important, etc.)
• We do NOT permanently store email body content — it is processed in-memory for classification and discarded

2.4 Usage Data

• Actions taken in the app (classify, archive, delete, draft)
• Feature usage analytics (anonymized)
• Browser type, device, IP address (for security)

3. How We Use Your Information

• To provide the BumbleBox email management service
• To classify and organize your emails using AI
• To generate AI reply drafts (Pro/Business plans)
• To detect phishing and security threats
• To send transactional emails (welcome, password reset, billing)
• To improve our AI classification accuracy
• To comply with legal obligations

4. Legal Basis (GDPR)

• Consent: You consent to email processing when you connect your accounts
• Contract: Processing is necessary to provide the service you subscribed to
• Legitimate interest: Security monitoring, fraud prevention, service improvement

5. Data Sharing

We do NOT sell your data. We share data only with:

• Google (Gemini AI): Email content is sent to AI for classification — processed in-memory, not stored by Google for training
• Stripe: Payment processing (we never see or store your card details)
• Firebase/Google Cloud: Infrastructure hosting
• Sentry: Error tracking (anonymized, no email content)

6. Data Retention

• Account data: retained while your account is active
• Email metadata cache: retained for service functionality, deleted on account deletion
• Credentials: deleted immediately upon account disconnection or deletion
• Usage analytics: retained for 12 months (anonymized)

7. Your Rights (GDPR)

As an EU resident, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Objection: Object to data processing
• Restriction: Request limited processing

To exercise these rights, contact us at [email protected].

8. Data Security

• All credentials encrypted with AES-256-GCM
• HTTPS/TLS for all data in transit
• Firebase Security Rules enforce user-scoped data isolation
• No plaintext passwords stored anywhere
• Regular security audits

9. Cookies

We use essential cookies for authentication (Firebase Auth session) and localStorage for user preferences (theme, language). We do not use tracking cookies or third-party advertising cookies.

10. Children's Privacy

BumbleBox is not intended for users under 16 years of age. We do not knowingly collect data from children.

11. International Data Transfers

Your data may be processed on Google Cloud servers in the EU and US. Google Cloud complies with EU-US Data Privacy Framework. ICRAFT SAS is a French company subject to GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users via email or in-app notification of material changes. The "last updated" date at the top reflects the most recent revision.

13. Contact

For privacy-related inquiries:

• Email: [email protected]
• Company: ICRAFT SAS
• Address: 58 Rue de Monceau, 75008 Paris, France
• RCS: Paris 992 314 237