M
Medley

Privacy Policy

Last updated: November 2, 2025

Introduction

Swamplane BV ("we", "our", or "us") operates Medley, an AI-powered email assistant service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

We are committed to protecting your privacy and ensuring transparency in our data handling practices. This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Company Information

Company Name: Swamplane BV

Registration Number: BE 1026.696.696

Address: Charlotte Despardstraat 22, 9000 Gent, Belgium

Data Controller: Swamplane BV

1. Information We Collect

1.1 Information You Provide

  • Telegram Account Information: Your Telegram username and user ID when you interact with our bot
  • Gmail Account Authorization: OAuth2 tokens that allow us to access your Gmail account on your behalf
  • Communication Data: Messages and commands you send to our Telegram bot

1.2 Information Automatically Collected

  • Email Content: Subject lines, sender information, recipients, timestamps, and body content of emails in your Gmail account
  • Email Metadata: Labels, thread IDs, message IDs, and other Gmail metadata
  • Service Usage Data: Logs of interactions with our service, including timestamps and command history
  • Technical Data: IP addresses, browser types, and device information when accessing our web interface
2. How We Use Your Information

We use your information for the following purposes:

  • Service Provision: To monitor your Gmail inbox and provide AI-powered email analysis and notifications through Telegram
  • AI Processing: To analyze email content using EU-hosted Mistral AI to classify importance, extract key information, and generate summaries
  • Notification Delivery: To send relevant notifications about important emails through Telegram
  • Service Improvement: To improve our AI models, classification accuracy, and overall service quality
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: To comply with legal obligations and enforce our terms of service
3. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

  • Consent: You explicitly authorize access to your Gmail account and agree to our processing of your email data
  • Contract Performance: Processing is necessary to provide the Medley service you've requested
  • Legitimate Interests: We have legitimate interests in improving our service and ensuring security, balanced against your privacy rights
4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share your data with the following categories of service providers:

  • AI Processing: Mistral AI (EU-hosted) for email analysis and classification
  • Communication Platforms: Telegram for delivering notifications to you
  • Cloud Infrastructure: Hosting providers for our application and database services
  • Background Processing: Trigger.dev for managing background tasks and workflows

4.2 Data Transfers

We primarily use EU-based service providers. When data is transferred outside the EU, we ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for certain countries
  • Other appropriate safeguards as required by GDPR

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities.

5. Data Retention
  • Email Content: Processed in real-time and retained only for the duration necessary to complete analysis (typically seconds to minutes). Email content is not stored long-term.
  • Analysis Results: Classification results and summaries may be retained temporarily to improve service quality and for up to 30 days for operational purposes.
  • Account Information: Telegram user IDs and Gmail authorization tokens are retained while you use the service and for up to 90 days after account deletion.
  • Logs: Service logs are retained for up to 12 months for security and troubleshooting purposes.

When you disconnect your Gmail account or delete your Medley account, we immediately revoke access tokens and begin the deletion process for your personal data within 30 days.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: Data in transit is encrypted using TLS/SSL. Data at rest is encrypted using industry-standard encryption.
  • Access Controls: Strict access controls limit who can access your data internally.
  • OAuth2 Security: We use OAuth2 for Gmail authorization, ensuring we never have access to your Gmail password.
  • EU-Hosted AI: Email analysis is performed by Mistral AI, hosted in the European Union.
  • Regular Security Audits: We conduct regular security assessments and updates.
  • Minimal Data Storage: We minimize data retention and store only what is necessary for service operation.
7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
  • Right to Restrict Processing: Request limitation of how we process your data.
  • Right to Data Portability: Receive your data in a structured, commonly used format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw your consent at any time by revoking Gmail access or disconnecting from our service.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, please contact us using the contact information provided below. We will respond to your request within 30 days.

8. Google API Services User Data Policy

Medley's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the minimum Gmail permissions necessary to provide our service
  • Gmail data is used solely to provide and improve the Medley service
  • We do not use Gmail data for serving advertisements
  • Gmail data is not shared with third parties except as necessary to provide the service (e.g., AI processing)
  • Gmail data is not used to create user profiles for any purpose other than providing our service
  • You can revoke our access to your Gmail account at any time through your Google Account settings
9. Cookies and Tracking Technologies

Our website uses minimal cookies and tracking technologies:

  • Essential Cookies: Required for authentication and session management
  • No Analytics Cookies: We do not currently use analytics or advertising cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of our service.

10. Children's Privacy

Medley is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child under 16, please contact us immediately so we can delete the information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Updating the "Last updated" date at the top of this policy
  • Sending a notification through Telegram if you are an active user
  • Posting a prominent notice on our website

Your continued use of Medley after changes to this policy constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Swamplane BV

Charlotte Despardstraat 22
9000 Gent
Belgium

Company Registration: BE 1026.696.696

For data protection inquiries, you may also contact the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit / Autorité de protection des données

Website: www.gegevensbeschermingsautoriteit.be

13. Data Protection Officer

For privacy-related inquiries, you can contact our Data Protection Officer:

Email: anthony.meirlaen@gmail.com

We will respond to all privacy-related requests within the timeframes required by applicable law.