Privacy Policy
Last updated: 22 March 2026
In this policy, “user”, “you”, and “your” refer to any individual who registers for or uses FlagMail. “We”, “us”, and “our” refer to 8Cores Pte. Ltd.
1. Our “Process, Don't Store” Architecture
When you connect your Gmail account, FlagMail reads incoming emails to classify them using AI. Here is exactly what happens:
What We DO Store
What We NEVER Store
2. How Classification Works
1. New email arrives in your Gmail
2. Our AI reads the email content in memory only
3. AI generates: category + PII-free summary
4. Original email content is immediately discarded
5. Only category + summary are saved to database
6. Alert sent to your Telegram with the summary
At no point is the original email content, sender address, or subject line written to disk, database, or log file. The AI processes everything in memory and outputs only a classification result.
AI summary accuracy: While our AI is instructed to generate PII-free summaries, AI systems are probabilistic and may occasionally include identifiable details (e.g. a name or organisation mentioned in an email). If you notice PII in a summary, you can delete it immediately in Settings > Privacy. We continuously improve our prompts to minimise this risk.
3. Sender Identification
For features like “Mute Sender” and “VIP Sender”, we store a SHA-256 hash of the sender's email address. This is a one-way mathematical function — it cannot be reversed to reveal the original email address. When a new email arrives, we hash the sender and compare it against your rules. We never store or log the original sender address.
4. Legal Basis for Processing
We process your data on the following legal grounds:
- Contract performance — Processing your emails is necessary to deliver the classification and alert service you signed up for (PDPA, GDPR Art. 6(1)(b)).
- Consent — You explicitly grant FlagMail read-only access to your Gmail via the Google OAuth consent flow. You may withdraw consent at any time by disconnecting your Gmail account in Settings.
- Legitimate interest — We process minimal technical data (e.g. hashed sender identifiers, message IDs) to operate, secure, and improve the service (GDPR Art. 6(1)(f)).
5. Data Retention
Processed email metadata (category, summary, hash) is automatically deleted after your chosen retention period (default: 30 days). You can set this to 7, 14, 30, 60, or 90 days in Settings > Privacy. You can also delete all data instantly at any time.
6. Third-Party Services
- Google Gmail API — Read-only access to classify incoming emails. We never send, delete, or modify your emails. FlagMail's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, FlagMail only uses Gmail data to provide and improve the email classification service. We do not use Gmail data for serving advertisements, and we do not allow humans to read your email data except where necessary for security purposes, to comply with applicable law, or with your affirmative consent.
- Google Gemini AI — Processes email content for classification. Google's API terms state that data sent via the API is not used to train their models.
- Telegram Bot API — Delivers alert messages to your Telegram. Once an alert is delivered, its content is subject to Telegram's privacy policy and is outside FlagMail's control. We cannot delete messages already delivered to Telegram on your behalf.
- Stripe — Processes payments. We never see or store your credit card number. Stripe is PCI DSS Level 1 certified.
- Cloudflare — Provides CDN, DDoS protection, and DNS services. Cloudflare processes your IP address and request metadata to route and protect traffic to FlagMail. See Cloudflare's Privacy Policy.
7. International Data Transfers
FlagMail is operated from Singapore. Your data may be processed by third-party services located outside Singapore, including:
- Google (Gmail API, Gemini AI) — United States
- Stripe (payment processing) — United States
- Telegram (alert delivery) — various jurisdictions
- Cloudflare (CDN, DNS, DDoS protection) — global network
These providers maintain their own data protection commitments. For EU/UK users, transfers are covered by the providers' Standard Contractual Clauses (SCCs) or equivalent safeguards. By using FlagMail, you acknowledge that your data may be processed in these jurisdictions.
8. Your Rights
Regardless of where you are located, you have the following rights:
- Right to access — View all data we hold about you in Settings > Privacy
- Right to export — Download all your data as JSON with one click
- Right to delete — Delete all email data or your entire account instantly
- Right to disconnect — Revoke Gmail access anytime; we delete all associated data
- Right to modify retention — Choose how long we keep your data (7–90 days)
We comply with PDPA (Singapore), and are designed to meet GDPR (EU/UK) and CCPA (California) requirements by minimising data collection to only what is essential.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know — You may request details about the categories and specific pieces of personal information we collect.
- Right to delete — You may request deletion of your personal information (available instantly via Settings).
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
- No sale of personal information — FlagMail does not sell, share, or rent your personal information to third parties for monetary or other valuable consideration.
9. Security
- All data encrypted in transit (TLS 1.3)
- OAuth tokens encrypted at rest (AES-256)
- Sender identifiers stored as irreversible SHA-256 hashes
- No email content ever written to disk or logs
- Automatic data purging based on retention settings
- Regular security reviews and dependency updates
10. Data Breach Notification
In the unlikely event of a data breach that affects your personal data, we will:
- Notify the Personal Data Protection Commission (PDPC) of Singapore within 3 calendar days of becoming aware of a notifiable breach, as required by the PDPA.
- Notify affected users without undue delay via the email address associated with their account.
- For EU/UK users, notify the relevant supervisory authority within 72 hours where required by the GDPR.
11. Cookies & Tracking
FlagMail uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that track you across websites. Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR or ePrivacy regulations.
12. Children's Privacy
FlagMail is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will promptly delete their account and all associated data.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification. Continued use of FlagMail after changes constitutes acceptance of the updated policy.
14. Contact & Data Protection
FlagMail is operated by 8Cores Pte. Ltd. (UEN: 202611392E).
Data Protection Officer: The Director of 8Cores Pte. Ltd. serves as the designated Data Protection Officer under the Personal Data Protection Act (PDPA).
For any privacy-related enquiries, data access requests, or complaints, contact our Data Protection Officer:
Email: [email protected]
Enterprise customers requiring a Data Processing Agreement (DPA) may contact us at [email protected].