mailbud.app

Data Processing Agreement

How we process your mailbox content as your data processor under the GDPR.

Last updated: 29 May 2026

This Data Processing Agreement (DPA) forms part of the agreement between you (the “Controller”) and Nahayat.io (the “Processor”) for the mailbud service. It applies to personal data contained in the email we process on your behalf.

1. Subject and roles

You are the controller of the personal data in your mailbox. We act as your processor when we read and file that email on your instructions — that is, the categories you configure in mailbud.

2. Nature and purpose of processing

We process the subject, sender and body of your incoming email solely to classify each message and file it into the Outlook folder that matches your categories. We do not use your email for any other purpose, and we do not use it to train shared or public AI models.

3. Categories of data and data subjects

The data may include any personal data contained in your email and relates to the data subjects who correspond with you. You control which mailbox is connected.

4. Security measures

  • Microsoft access tokens encrypted at rest with AES-256-GCM.
  • Access via Microsoft's official Graph API and OAuth — no passwords stored.
  • Processing on EU infrastructure.
  • Strict access controls and tenant isolation between accounts.
  • mailbud has no ability to send, reply to, or forward your mail.

5. Sub-processors

You authorise us to engage sub-processors for the service, including Microsoft (mailbox access), our EU hosting provider, the AI provider performing classification, and our billing provider. We remain responsible for their compliance and will inform you of material changes to the list.

6. International transfers

Processing of mailbox content takes place within the EU. Where any sub-processor processes data outside the EEA, appropriate safeguards such as Standard Contractual Clauses apply.

7. Assistance and breach notification

We assist you in responding to data subject requests and will notify you without undue delay after becoming aware of a personal data breach affecting your data.

8. Return and deletion

Email content is processed transiently and not retained beyond what is needed to file it. On termination or account deletion, we delete your account data and revoke stored access tokens.

9. Contact

For any data protection matter, contact us at hello@mailbud.app.