Privacy Policy

Last updated: April 14, 2026

1. Introduction

Gall Agencja Interaktywna Arkadiusz Galler (NIP: 6312586148), located at ul. Przyszlosci 18/1, 44-119 Gliwice, Poland ("we", "us", "our"), is the data controller responsible for your personal data processed through the Spamurai application and website.

This Privacy Policy explains what data we collect, how we use it, your rights, and how to contact us. It applies to the Spamurai desktop application, the spamurai.pro website, and related services.

We are committed to protecting your privacy and handling your data transparently. If you have questions, contact us at contact@spamurai.pro.

2. What Data We Collect

Account Data

Email address, optional display name, and authentication method (Google OAuth or email OTP).

Device Data

Device identifier, device name, app version, and periodic heartbeat signals confirming device activity.

Email Data Processed via Spamurai AI

When using our hosted AI service: email subject, sender, and snippet are sent to our server for classification. If body classification is enabled, the full email body is also sent. This data transits through our server and the AI provider but is not stored.

Usage Data

Daily email processing counters, processing history, and AI token usage statistics.

Billing Data

Subscription records and payment provider references. We do not store credit card numbers — payment processing is handled entirely by Stripe.

Rules and Decisions

Your filtering rules, keep/trash decisions, and AI-generated rule suggestions.

Website Data

Contact form submissions (name, email, message). We do not currently use analytics cookies or tracking on our website.

3. What We Do NOT Collect

  • Email bodies are never stored on our servers (they transit for AI classification only)
  • Email attachments
  • CC/BCC recipients
  • Contact lists or address books
  • Calendar data
  • Location data
  • Clipboard content
  • Analytics cookies or tracking pixels (we currently use none)

4. How Data Is Processed by AI Provider

Spamurai AI (Server-Hosted)

Email metadata (and optionally body) is sent to our server and forwarded to Google Gemini for classification. This data is not persisted — it transits through the AI and the response is returned to your device.

BYOK — Bring Your Own Key (Google Gemini)

Your email data goes directly from your device to Google's API using your own API key. It never touches our servers. You are subject to Google's privacy policy.

Ollama (Local AI)

All AI processing runs entirely on your machine. No email data leaves your device. This is the most private option.

Sensitive Content Detection

Spamurai detects keywords related to medical, legal, banking, financial, password, and tax content. By default, email bodies flagged as sensitive are not sent to the AI provider, even if body classification is enabled. You can adjust this threshold in the app settings.

6. Data Retention

  • Account data is retained while your account is active.
  • OTP codes expire and are deleted after 10 minutes.
  • Email data sent for AI classification is not persisted on our servers.
  • On account deletion, all associated data is permanently removed (cascade delete).
  • Self-service account deletion is not yet available. To delete your account, email contact@spamurai.pro.

7. Third-Party Services

Google

OAuth authentication and Gmail API access. When using Spamurai AI or BYOK, email data is processed by Google Gemini. Google Privacy Policy.

Stripe

Payment processing for all currencies (PLN, USD, EUR). Stripe receives your payment information directly. Stripe Privacy Policy.

8. Your Rights

Under the GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your personal data.
  • Data Portability — Receive your data in a structured, machine-readable format.
  • Objection — Object to processing based on legitimate interest.
  • Restriction — Request limitation of processing in certain circumstances.

To exercise any of these rights, contact us at contact@spamurai.pro.

You also have the right to lodge a complaint with the Polish data protection authority: UODO (Urzad Ochrony Danych Osobowych), uodo.gov.pl.

9. International Data Transfers

We process data within the European Union where possible. When using Spamurai AI or BYOK with Google Gemini, email data may be transferred to Google servers in the United States. Google provides appropriate safeguards through Standard Contractual Clauses (SCCs) as approved by the European Commission.

When using Ollama (local AI), no data is transferred outside your device.

10. Security

We implement the following security measures:

  • JWT-based authentication with secure token handling
  • Encrypted credential storage using your operating system's native keychain
  • Webhook signature verification for payment events
  • CORS restrictions on API endpoints
  • Rate limiting on all public and authenticated endpoints
  • Cryptographically signed application updates

11. Children

Spamurai is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@spamurai.pro and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this page and, for significant changes, through in-app notifications or email. Continued use of Spamurai after changes constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

  • Company: Gall Agencja Interaktywna Arkadiusz Galler
  • NIP: 6312586148
  • Address: ul. Przyszlosci 18/1, 44-119 Gliwice, Poland
  • Email: contact@spamurai.pro