Data Processing Addendum
Last updated: June 10, 2026
1. Introduction
This Data Processing Addendum ("DPA") supplements the Terms of Service between Redbeard Innovation Kft., registered at Vöröskereszt utca 14. 1. emelet 5, 1033 Budapest, Hungary ("Processor", "we", "llmail") and the customer identified in the account ("Controller", "Customer", "you"). It applies to the extent we process Personal Data on your behalf as part of the Service. Capitalised terms not defined here have the meaning given in the GDPR.
2. Subject matter and duration
The subject matter is the ingestion, storage, transformation, and delivery of email and related metadata from mailboxes you connect to the Service, and the relay of outbound email through SMTP servers you nominate. Processing lasts for the term of your subscription plus any retention period described in section 7.
3. Nature and purpose
We process Personal Data to:
- poll the mailboxes you connect over IMAP and ingest new mail arriving after the inbox is connected;
- parse and transform inbound mail into structured JSON;
- deliver that JSON to webhook URLs you configure and/or make it available through the polling REST API;
- relay outbound mail you submit through the API via the SMTP server you nominate;
- operate, secure, and monitor the Service.
We do not run language models or other AI inference over the content of your mail, and we do not use your mail content to train models.
4. Categories of data subjects
- Your users and agents who interact with the connected mailboxes.
- Third parties who send email to, or receive email from, those mailboxes.
- Authors and recipients identifiable in message headers and bodies.
5. Types of Personal Data
- Email addresses, display names, and other identifiers found in message headers (From, To, Cc, Bcc, Reply-To, etc.).
- Subject lines, plain-text and HTML bodies, and full header sets of inbound messages.
- Attachment filenames and content.
- Message metadata such as timestamps and threading identifiers.
- The IMAP/SMTP credentials you supply for your connected mailboxes (passwords encrypted at rest).
Special categories of data are not requested. If you choose to route email containing special-category data through the Service, you remain responsible for ensuring you have the legal basis to do so.
6. Roles and instructions
For Personal Data described above, Customer is the Controller and llmail is the Processor. We process Personal Data only on documented instructions from Customer. Customer's instructions consist of these Terms, this DPA, the configuration Customer enters in the dashboard (connected mailboxes, webhook URL, plan tier, billing details), and the API calls Customer makes against the Service. We will inform Customer if we believe an instruction infringes applicable data-protection law.
7. Retention and deletion
We retain Personal Data for as long as needed to provide the Service and as described in our Privacy Policy. We are honest about the current state of automated retention:
- Removing a connected mailbox from the dashboard deletes the mailbox configuration but does not by itself purge historical email content stored from prior polls.
- There is no scheduled job that automatically deletes ingested email or attachments based on age.
- On Customer's written request to legal@llmail.dev we will delete or return all Personal Data we process on Customer's behalf, subject to backup retention windows (currently 14 daily, 8 weekly, and 12 monthly database and attachment snapshots) and any legal hold.
8. Confidentiality
We ensure that personnel authorised to process Personal Data are bound by an obligation of confidentiality, whether by contract or by law.
9. Security measures
We implement appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Current measures include those described in section 10 of our Privacy Policy (HTTPS in transit, HSTS, Fernet encryption at rest for mailbox passwords, Django password hashing, HMAC-signed outbound webhooks, role-based access, secure session and CSRF cookies). We review these measures from time to time and may update them, provided that the level of protection is not materially reduced.
10. Sub-processors
Customer provides general authorisation for us to engage the sub-processors listed below. We remain responsible for the acts and omissions of our sub-processors as if they were our own.
| Sub-processor | Purpose | Location |
|---|---|---|
| [Cloud hosting / infrastructure provider] | Application, database, queue, and attachment storage hosting. | [TBD] |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Subscription billing, invoicing, payment processing. | EU / US |
| [Transactional email provider] | Account email (verification, password reset, billing notices). | [TBD] |
| Functional Software, Inc. (Sentry), if enabled | Error monitoring; default PII is disabled. | US |
We will give Customer reasonable advance notice of any intended changes to the list of sub-processors by updating this page. Customer may object on reasonable, data-protection-related grounds by emailing legal@llmail.dev. If we cannot accommodate the objection, Customer may terminate the affected portion of the Service.
11. International transfers
Where Personal Data is transferred outside the EEA, the UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (or the UK Addendum / Swiss equivalent, as applicable), incorporated into this DPA by reference, supplemented with additional safeguards where required.
12. Data-subject requests
Taking into account the nature of the processing, we will assist Customer through appropriate technical and organisational measures, so far as possible, to fulfil Customer's obligation to respond to data subjects exercising their rights. Where we receive a data-subject request directed at data Customer controls, we will forward the request to Customer rather than respond to it directly.
13. Personal Data breach
We will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, with the information then available to us, and we will provide further details as they become available.
14. Audits
On reasonable prior written notice, and no more than once per year unless required by a supervisory authority or after a Personal Data breach, we will make available information necessary to demonstrate compliance with this DPA. Where Customer reasonably requires further evidence, we may satisfy this obligation by providing summaries of relevant audits, certifications, or controls rather than granting open-door access to our systems, except where applicable law requires otherwise.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms.
16. Conflict and term
In case of conflict between this DPA and the Terms, this DPA prevails for matters relating to the processing of Personal Data. This DPA takes effect when Customer accepts the Terms and remains in force for as long as we process Personal Data on Customer's behalf.
17. Contact
DPA questions and notices: legal@llmail.dev.