Privacy Policy
Last updated: July 7, 2026
Parla2Mail turns spoken words into finished emails inside Gmail. This Policy explains, in plain terms backed by the technical details GDPR requires, what we collect, why, where it goes, and how you stay in control. It covers the Parla2Mail Chrome extension, the web platform at parla2mail.com, and the backend services behind both.
1. The short version
- We are a small, one-person Polish business. There is no ad business, no data broker relationship, and no sale of your data — ever.
- Your voice is transcribed by your browser's built-in speech recognition. We never receive or store raw audio.
- To draft a reply, the extension reads the text of the email thread you currently have open in Gmail, sends it together with your transcribed instruction to a third-party AI provider for generation, and discards the content once the draft is returned. We do not keep a copy of your email content or your dictated text.
- We store operational records about each generation (basic technical measurements and your rating) — never the text itself — and they are retained only as long as necessary.
- Website analytics only run after you say yes in the cookie banner.
- You can export or delete everything tied to your account from the dashboard, any time.
2. Who is responsible for your data
2.1 The controller
Parla2Mail is operated by:
Piotr Kucharski, trading as "Piotr Kucharski Bioinformatyka" (jednoosobowa dzialalnosc gospodarcza — a Polish sole proprietorship)
ul. Meksykańska 3 lok. 14, 03-948 Warszawa, Poland
NIP: 1133118497 | REGON: 527213825
For all matters covered by this Policy, Piotr Kucharski is the sole Data Controller under Article 4(7) GDPR. There is no other operator, past or present, involved in running the Service.
Piotr Kucharski, trading as "Piotr Kucharski Bioinformatyka" (jednoosobowa dzialalnosc gospodarcza — a Polish sole proprietorship)
ul. Meksykańska 3 lok. 14, 03-948 Warszawa, Poland
NIP: 1133118497 | REGON: 527213825
For all matters covered by this Policy, Piotr Kucharski is the sole Data Controller under Article 4(7) GDPR. There is no other operator, past or present, involved in running the Service.
2.2 How to reach us
Email admin@voicetomail.eu for anything privacy-related: questions about this Policy, exercising your rights, or reporting a concern. We are a small team, but every message reaches the person who can act on it.
2.3 Roles under GDPR
For your account data (profile, preferences, billing, generation metadata) we act as Controller. For the transient content of the email thread and voice instruction you submit for a single generation, we act as Processor on your behalf — you decide what to dictate and send; we exist to carry it to the AI model and back.
3. What we collect, and why
We collect only what each feature needs to work. Nothing here is used for advertising, and nothing is sold.
3.1 Voice input
When you dictate, the extension uses your browser's built-in speech recognition capability. Depending on your browser, the audio may be transcribed locally or sent by your browser to its own speech-recognition service — entirely between your browser and its vendor. Our servers never receive, see, or store raw audio. Only the resulting transcript is used, and only for the single generation you triggered.
3.2 The Gmail thread you're working on
To draft a contextually relevant reply, the extension reads the subject line, sender, and visible body text of the email thread open in your active Gmail tab, directly from the page (via a content script running only on mail.google.com). We do not use a separate Gmail API grant to bulk-read your mailbox — the extension only ever sees the thread you have open, exactly like the text is already visible to you on screen. This text is sent to our backend and forwarded to the AI model for the single generation you requested, then discarded — we do not persist the thread content.
3.3 Your account
Signing in uses a third-party identity provider with Google Sign-In (identity only — no Gmail data-access scope is requested at sign-in). We receive and store your Google user ID, email address, display name, and profile picture URL, to authenticate you, enforce your plan's quota, and let you use the Service across devices.
3.4 Preferences and custom instructions
Settings such as language, tone, and auto-generate toggles, plus any free-text "custom instructions" you write (up to 500 characters) to steer how the AI drafts for you, are stored against your account in our database and included in every generation prompt. If you put your name, title, or company in your custom instructions, that becomes part of your stored preferences — treat this field the way you'd treat a signature block.
3.5 Generation records (metadata only)
Every time you generate an email, we write a technical record about that generation, tied to your pseudonymous user ID, capturing basic operational measurements (such as timing, length indicators, and your like/dislike rating if you give one). We deliberately do not store the input text, the email context, or the generated email itself in this record — only the measurements. These records exist to keep the service reliable, improve quality over time, and calculate cost — not to read what you wrote.
3.6 Feedback and the ratings program
If you rate a generation (like/dislike), we store that rating and a running count of how many ratings you've given. Ratings may earn you bonus generation credits under a program that can be adjusted from time to time. This is entirely optional and only ever affects your own quota balance.
3.7 Billing and purchases
Subscription status, plan tier, and one-time "Generation Pack" purchases are recorded against your account. We store the package purchased, credits granted, amount, and status — never your card number or CVC, which only our payment processor ever sees. If a purchase fails to process cleanly, the event is logged for manual review and automatically discarded after a short period.
3.8 Website usage
If you consent to analytics cookies, we use a product analytics provider to see which pages and buttons get used, so we can fix what's broken and prioritize what matters. Events are tied to your pseudonymous user ID, not your name or email — this is pseudonymized, not anonymous, personal data, and we treat it accordingly (see Section 5). We do not track what you type or generate — only that an action happened.
3.9 Advertising attribution (opt-in only)
If you consent to marketing cookies, we use a minimal advertising attribution service to understand which ad campaigns bring people to the site, and we set a small number of first-party cookies to remember how you arrived, valid for a limited period. These are JS-readable, not shared automatically with our backend — their values are only sent to our API inside specific requests (e.g. when you sign up), never silently. If you decline marketing consent, none of this runs.
3.10 Contact form
If you write to us through the website's contact form, we store your name, email, and message to respond to you. Your IP address is also captured but immediately anonymized before storage, so it cannot identify your exact device — retained for basic abuse prevention.
3.11 Local device storage
Your language and theme preferences, and your cookie-consent choice, are stored in your browser on your own device. Our servers only see any of it if you explicitly sync a preference to your account.
4. Where your data goes: AI processing
4.1 Our AI provider
Every generation is processed by a third-party AI provider under a business API arrangement — not through a locally hosted model. From time to time we may evaluate or switch AI providers to improve quality, reliability, or cost. If we change provider in a way that materially affects processing of your data, we will update this section and, where required, notify you.
4.2 What we send, and what happens to it
We send your transcribed instruction and, where relevant, the visible email-thread text, to the AI provider to generate a draft. The provider processes this as an API customer request, not as consumer product data — under the applicable API terms, this content is not used to train the provider's underlying models. We do not retain a copy of what was sent once the draft is streamed back to you; only the metadata described in Section 3.5 persists.
4.3 Automated prompt and model selection
We use internal optimization mechanisms to automatically pick which prompt template and which model variant to use for a given generation, based on aggregate satisfaction data across all users — never your individual profile. You always see the result and can regenerate, edit, or discard it; nothing is sent on your behalf without your review. This does not amount to automated decision-making with legal or similarly significant effects on you under Article 22 GDPR, since it only shapes a draft you fully control before use.
4.4 Our commitment on Gmail-adjacent data
Even though our current Gmail integration reads the open thread from the page rather than through a separate Gmail API grant, we hold ourselves to the same restrictions Google requires of apps with sensitive Gmail scopes: we only use this data to power features you can see and asked for (drafting, replying, summarizing); we never use it for advertising, and we never use it to build behavioral or creditworthiness profiles; we do not transfer it to third parties beyond what's needed to generate your draft (i.e. our AI provider); and no Parla2Mail employee or contractor reads your email content, except with your specific, affirmative request (e.g. a support ticket), for security investigation, or where the law requires it.
5. Legal bases for processing (GDPR Article 6)
| What | Basis | Why |
|---|---|---|
| Voice input, Gmail thread reading, sending your instruction to the AI provider | Consent (Art. 6(1)(a)) | You actively trigger each generation; microphone access and the sign-in flow both require your explicit action. |
| Account, preferences, custom instructions, billing | Contractual necessity (Art. 6(1)(b)) | Can't run the Service you signed up for without them. |
| Generation metadata, analytics (once consented), fraud/abuse prevention, contact-form IP handling | Legitimate interest (Art. 6(1)(f)) | Keeping the Service reliable, secure, and improvable, balanced against minimal, pseudonymized or anonymized collection. |
| Invoices and payment records | Legal obligation (Art. 6(1)(c)) | Polish tax law requires us to keep them. |
6. Who else touches your data
We rely on a small number of vetted third-party processors to run the Service — never more than a feature genuinely needs. These processors fall into a limited set of categories: hosting and database infrastructure, authentication, AI generation, payment processing, transactional email, product analytics (only after consent), and advertising attribution (only after consent).
Some of these processors are established outside the European Economic Area, or operate on globally distributed infrastructure. In every such case we rely on appropriate transfer safeguards recognized under Chapter V of the GDPR — such as the European Commission's Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework.
An up-to-date list of the specific processors we currently use, together with the categories of data they handle and the transfer safeguard in place, is available on request from admin@voicetomail.eu. We do not add new categories of processor without updating this Policy.
Some of these processors are established outside the European Economic Area, or operate on globally distributed infrastructure. In every such case we rely on appropriate transfer safeguards recognized under Chapter V of the GDPR — such as the European Commission's Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework.
An up-to-date list of the specific processors we currently use, together with the categories of data they handle and the transfer safeguard in place, is available on request from admin@voicetomail.eu. We do not add new categories of processor without updating this Policy.
7. How long we keep things
We keep personal data only for as long as we need it to run the Service, comply with our legal obligations, and defend our legitimate interests. In practice this means:
- Raw voice audio: never stored — processed only in your browser.
- Email thread text and transcribed instruction sent for a generation: not persisted — discarded once the draft is returned.
- Generation metadata, purchase records, and other operational records: retained only for a limited period appropriate to their purpose, then automatically deleted.
- Failed-purchase review queue: retained for a short period for manual review, then automatically deleted.
- Feedback ratings and bonus balance: kept for the life of the Account, deleted on account deletion.
- Website analytics events: retained by our analytics provider for a limited period.
- Account profile, preferences, custom instructions: kept for the life of the Account, deleted on account deletion.
- Contact-form submissions: retained only as long as necessary to handle your enquiry and any follow-up.
- Tax invoices: kept for the statutory retention period required by Polish tax law (currently up to 5 years from the end of the tax year in question, extended where the underlying transaction requires it); these are held outside the main app database and blocked from general access.
8. Security
8.1 In transit and at rest
All traffic to and from the Service runs over TLS. Data and backups are encrypted at rest with our hosting provider.
8.2 Access control
Authentication uses token-based sessions provided by our identity provider. Production access is limited to the operator; there is no support staff with standing access to your data beyond what's needed to respond to a request you've made.
8.3 If something goes wrong
In the event of a data breach affecting your personal data, we will notify the Polish supervisory authority (UODO) within 72 hours where feasible, and notify affected users without undue delay where the breach poses a high risk to your rights and freedoms.
9. Your rights
9.1 Access and portability (Art. 15, 20)
The dashboard's "Export My Data" button gives you a machine-readable file with your account metadata, preferences, custom instructions, generation-history metadata, feedback statistics, and purchase records. Subscription/invoice history isn't in that automatic export (it lives with our payment processor) — email admin@voicetomail.eu and we'll add it within 30 days.
9.2 Erasure (Art. 17)
The dashboard's "Delete Account" button immediately deletes: your profile and usage history, your generation and purchase records, your contact-form submissions, your authentication account, and cancels any active Subscription. Within the same 30-day window we also remove your campaign-notification records, delete or anonymize your customer record held by our payment processor (invoices are kept per tax law, see Section 7), and delete your analytics identity. Gmail messages themselves live in your Google account, not ours — deleting Parla2Mail doesn't touch them.
9.3 Rectification (Art. 16)
Update your display name and preferences directly in the extension popup or the web dashboard.
9.4 Restriction and objection (Art. 18, 21)
Turn off auto-generate or specific features in your settings, or withdraw analytics/marketing consent any time via the cookie settings link in the footer. You can object to processing based on our legitimate interest (Section 5); we'll stop unless we have compelling grounds that override your interest.
9.5 Revoking Google access
Sign-in access can be revoked any time at https://myaccount.google.com/permissions. This stops future sign-ins; it does not by itself cancel a paid subscription — cancel that separately from the dashboard.
9.6 Complaints
You can lodge a complaint with the Polish data protection authority:
Prezes Urzedu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
Prezes Urzedu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
9.7 California residents (CCPA/CPRA)
We do not sell personal information and do not share it for cross-context behavioral advertising. You may request to know or delete your categories of personal information (identifiers, commercial/purchase history, internet activity, and Gmail content processed strictly for the features you use) using the same export/delete tools above, or by emailing us. We will not discriminate against you for exercising these rights.
9.8 Response time
We aim to act on any rights request within 30 days, as GDPR requires. We may ask you to verify your identity first for requests made outside the authenticated dashboard.
10. Cookies and similar technologies
Essential (always on, no consent needed): your sign-in session, and your cookie-consent choice itself, stored in your browser.
Analytics (only after you opt in): cookies and local storage entries set by our product analytics provider for the website usage described in Section 3.8.
Marketing/attribution (only after you opt in): the advertising attribution service and the first-party attribution cookies described in Section 3.9.
Manage your choice at any time via the "Cookie Settings" link in the site footer. The Chrome extension separately uses local device storage for your settings — that's governed by your extension permissions, not a tracking cookie.
Analytics (only after you opt in): cookies and local storage entries set by our product analytics provider for the website usage described in Section 3.8.
Marketing/attribution (only after you opt in): the advertising attribution service and the first-party attribution cookies described in Section 3.9.
Manage your choice at any time via the "Cookie Settings" link in the site footer. The Chrome extension separately uses local device storage for your settings — that's governed by your extension permissions, not a tracking cookie.
11. Children
Parla2Mail is a professional productivity tool, not directed at children under 16. We do not knowingly collect data from anyone under that age; if we learn that we have, we will delete the account and associated data promptly.
12. Changes to this Policy
We'll update the "Last updated" date for any change. If a change meaningfully expands what we collect or how we use it (a new AI provider, a new sub-processor, a longer retention period), we'll notify you by email or an in-product notice before it takes effect, and prompt you to re-consent where the change touches consent-based processing.
13. Contact
Questions, requests, or complaints about this Policy: admin@voicetomail.eu. We read every message ourselves.