Privacy Policy

The data controller is Seneko d.o.o., established in Slovenia, registration number 2296365000.

For any privacy-related question or to exercise your rights, contact us at legal@buzzrelay.ai.

Account data: name, email address, hashed password, account preferences, role inside your organisation.

Authentication data: OAuth tokens (Microsoft Graph, Google) — encrypted at rest, stored only as long as you keep the integration connected.

Email content: when you connect your inbox, BuzzRelay reads emails and metadata (sender, recipient, subject, body, timestamps, folders, labels) to provide triage, summaries, drafts and follow-ups.

AI provider credentials (BYOS): if you bring your own OpenAI subscription, we store the API key encrypted at rest in a customer-isolated key vault, and use it solely to call your provider on your behalf.

Usage and diagnostic data: device and browser info, IP address, pages visited, feature usage, error logs and performance metrics.

Billing data: name, billing address, VAT number where applicable, and payment-method metadata. Card numbers are processed and stored only by our payment processor (Stripe).

Communications: messages you send to support, content of newsletter subscriptions.

• Providing the Service (account, email triage, drafting, integrations) — Art. 6(1)(b): performance of a contract.
• Billing, accounting, statutory record-keeping — Art. 6(1)(c): legal obligation.
• Security, fraud prevention, abuse detection — Art. 6(1)(f): legitimate interest.
• Product analytics and service improvement (aggregated, no email content) — Art. 6(1)(f): legitimate interest.
• Marketing emails and newsletters — Art. 6(1)(a): your consent.

We do not use your email content to train AI models. Your data is only used to provide the Service to you.

We share personal data only with sub-processors necessary to provide the Service, under written agreements compliant with Article 28 GDPR.

• Cloud hosting & infrastructure (EU region by default).
• Microsoft (Microsoft Graph API) — to read and act on emails you have authorised us to access.
• OpenAI (BYOS) or other LLM providers chosen by the customer — to process the prompts derived from your emails. Under BYOS, this is the customer's own subscription.
• Stripe — payment processing.
• Transactional email provider — for system emails (verification, password reset, billing receipts) and newsletters.
• Error-tracking and observability provider — for diagnostic logs.

Some sub-processors are located outside the European Economic Area (notably the United States). Where a transfer takes place, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary measures as appropriate.

EU customers can request that data is stored in the EU region; this is the default for all new accounts.

• Account data: kept while your account is active, then deleted within 30 days of account closure (with up to 90 days in encrypted backups).
• Email triage cache (summaries, classifications): up to 7 days.
• Tone profile: structured features only, kept until you delete it from Settings → Data.
• Drafts: kept until sent or discarded.
• Logs and diagnostic data: 30 days for application logs, 90 days for security-relevant logs.
• Billing records: 10 years, as required by Slovenian tax law.

• Right of access (Art. 15) — get a copy of your personal data.
• Right to rectification (Art. 16) — correct inaccurate data.
• Right to erasure (Art. 17) — request deletion of your data.
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (.mbox or .json).
• Right to object (Art. 21).
• Right to withdraw consent at any time, where processing is based on consent (Art. 7(3)).
• Right not to be subject to a decision based solely on automated processing (Art. 22). BuzzRelay drafts are reviewed by you before they are sent; we do not perform fully automated decisions with legal effects.

To exercise any of these rights, write to legal@buzzrelay.ai. We respond within one month and may extend this by two further months for complex requests.

You also have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, https://www.ip-rs.si/).

Encryption in transit (TLS 1.2+) for all connections.

Encryption at rest (AES-256) for stored data, including OAuth tokens and BYOS API keys.

Customer-isolated key vaults for sensitive credentials.

Access to production systems is limited to a small number of authorised personnel under documented procedures, with audit logging.

We monitor for unauthorised access and have procedures in place to notify the Information Commissioner and affected users in the event of a personal data breach, in accordance with Articles 33 and 34 GDPR.

We use a small number of strictly necessary cookies. See the separate Cookie Policy for details.

BuzzRelay is not intended for children under 16. We do not knowingly process personal data of children. If you believe we have collected such data, please contact us so we can delete it.

We may update this Policy from time to time. Material changes are communicated to active customers via email or in-app notice at least fourteen (14) days before they take effect.

Seneko d.o.o., registration number 2296365000, Slovenia.

Email: legal@buzzrelay.ai.