Privacy Policy — Maylee

Version : 7 mai 2026 / In force as of May 7, 2026

Édité par / Published by BRIDGERS SAS — RCS Paris B 882 679 749 — 149 avenue du Maine, 75014 Paris

Contact unique / Single contact : contact@maylee.app (Niels Cohen, Président de Bridgers SAS)

BRIDGERS places great importance on the protection of personal data. This Policy describes how BRIDGERS collects, uses, retains, shares and protects personal data of Users of the Maylee service, in accordance with Regulation (EU) 2016/679 (“GDPR”), the ePrivacy Directive and French law n° 78-17 of January 6, 1978 (the “French Data Protection Act”).

1. Data controller and contact

Data Controller: BRIDGERS (SAS), 149 avenue du Maine, 75014 Paris, France

Privacy referent: Mr. Niels Cohen, President of BRIDGERS SAS — contact@maylee.app

BRIDGERS has not appointed a Data Protection Officer (DPO) within the meaning of Article 37 GDPR, its activity not falling within the cases of mandatory designation as of the effective date of this Policy. The single contact for any data-protection question is contact@maylee.app.

2. Data collected

2.1. Data provided by the User

• Identity: first and last name, preferred language.

• Account: email address, hashed-and-salted password, profile picture where applicable.

• Billing: company name, address, VAT number, payment data (processed by the PSP — Stripe).

• Preferences: application settings, signatures, automation rules.

2.2. Data from connected email accounts

When the User connects a third-party email account, Maylee accesses: email headers and bodies, attachments, contacts, folders, labels, statuses, related calendar events. This data is processed in transit and, in some cases, cached in encrypted form for offline operation, search and AI features.

2.3. Technical data

• IP addresses, device IDs, device type, browser, operating system.

• Access logs, timestamps, application events, error traces.

• Diagnostic and audience-measurement data (anonymised or pseudonymised).

2.4. Data collected indirectly (Article 14 GDPR)

When the User uses the Service, Maylee incidentally processes personal data of third parties (senders/recipients of emails, contacts). Such processing is performed by Maylee as the User's processor, the User acting as Data Controller towards those third parties and being responsible for informing them under Articles 13 and 14 GDPR. Maylee uses such data only to provide the Service.

2.5. Special categories (Article 9 GDPR)

Maylee does not solicit or intentionally process special categories of data. The User undertakes not to transmit them to Maylee without ensuring compliance with applicable rules and bears sole responsibility for any such data.

3. Purposes and legal bases

• Provide the Service and perform the contract (Art. 6.1.b GDPR): authentication, synchronisation, sorting, search, AI, support.

• Billing and accounting (Art. 6.1.c GDPR): invoices, accounting, fraud prevention.

• Security (Art. 6.1.f GDPR — legitimate interest): intrusion prevention, abuse detection, log retention.

• Service improvement (Art. 6.1.f GDPR): aggregated usage statistics — without using email content.

• Communication and marketing (Art. 6.1.f GDPR or 6.1.a if consent required).

• Legal obligations (Art. 6.1.c GDPR): judicial requisitions, statutory archiving.

4. Automated decisions and profiling

Maylee does not perform any automated individual decision producing legal effects or significantly affecting the User within the meaning of Article 22 GDPR. AI features are assistive; any decision is the User's.

5. Use of AI features

When an AI feature is enabled, the necessary content is transmitted to AI models, executed locally or by third-party sub-processors (in particular OpenAI, Anthropic, Google Cloud Vertex AI, Mistral AI) under an Article 28 GDPR sub-processing agreement.

Maylee does not consent to any data processing for AI model training. AI sub-processors are contractually committed not to use data to train their models. Users may disable AI features in the settings.

6. Retention

• Account data: account duration + 12 months after deletion (reactivation, security logs).

• Cached email data: duration of use; deletion (locally and server-side) within 30 days following disconnection or termination.

• Billing data: 10 years (Art. L.123-22 et seq. of the French Commercial Code).

• Technical logs: 12 months maximum.

• Marketing data: until withdrawal of consent or inactivity > 3 years.

• Data for legal defence: applicable limitation period.

7. Recipients and sub-processors

BRIDGERS uses sub-processors, in particular:

• Hosting and infrastructure: Amazon Web Services (EU).

• Payment: Stripe Payments Europe Ltd (Ireland).

• Transactional email: Postmark / SendGrid.

• Support and CRM: Intercom, HubSpot.

• AI tools: OpenAI, Anthropic, Google Cloud Vertex AI, Mistral AI.

• Audience measurement: Plausible Analytics.

• Logs and observability: Datadog, Sentry.

Up-to-date list at maylee.app/legal/subprocessors. BRIDGERS enters into Article 28 GDPR-compliant agreements. Customers under the DPA may object to a new sub-processor on reasonable grounds.

8. Transfers outside the EU

Some sub-processors may be located outside the EU/EEA. Such transfers are governed by: (i) an adequacy decision, (ii) the SCCs approved by the European Commission (Module 2 Controller-Processor or 3 Processor-Processor), or (iii) the EU-US Data Privacy Framework. A copy of the safeguards is available on request at contact@maylee.app.

9. Security

BRIDGERS implements reasonable technical and organisational measures: TLS 1.3 in transit, AES-256 at rest, environment segregation, RBAC, MFA, logging, annual independent penetration tests, encrypted backups, business-continuity plan, staff training, contractual confidentiality undertakings.

No IT system can guarantee absolute security. BRIDGERS cannot be held liable for the consequences of a security breach resulting from a sophisticated hacking act, a not-yet-discovered vulnerability (zero-day), an act of a third-party sub-processor, or a User failure (compromised password, infected device, session sharing).

In case of personal data breach likely to result in a risk to the rights and freedoms of natural persons, BRIDGERS will notify the CNIL within 72 hours and, where applicable, inform the concerned individuals without undue delay.

10. Data subject rights

In accordance with Articles 12 to 22 GDPR, the User has the following rights:

• Right of access, rectification, erasure, restriction.

• Right to data portability.

• Right to object, in particular to marketing.

• Right to withdraw consent at any time.

• Right to set instructions on the fate of data after death.

Rights are exercised at contact@maylee.app. Proof of identity may be requested. BRIDGERS responds within one (1) month, extendable by two (2) months for complex requests.

The User may also lodge a complaint with the CNIL, 3 place de Fontenoy, 75007 Paris — www.cnil.fr.

11. Direct marketing

BRIDGERS may send marketing communications relating to the Service or similar features, in compliance with the GDPR and the LCEN. The User may object at any time via the unsubscribe link in each message or by emailing contact@maylee.app.

12. Cookies and trackers

See the Cookie Policy at maylee.app/legal/cookies.

13. Minors

The Service is not intended for individuals under 16. BRIDGERS does not knowingly collect personal data from minors without parental consent.

14. Transfers in case of reorganisation

In case of merger, acquisition, demerger, restructuring, or full or partial transfer of business, personal data may be transferred to the acquirer, subject to compliance with the principles of this Policy. Users will be informed of such operations and of their rights.

15. Changes

This Policy may be updated. Substantial changes are notified at least 30 days in advance.

16. Contact

Single point of contact: contact@maylee.app (Mr. Niels Cohen, President of BRIDGERS SAS, as privacy referent).