Privacy Policy
1. Who We Are
SphereMail is a product of SecureSphereLabs, operated by Godson Chittilapilly. We are a cybersecurity technology company building practitioner-grade security tooling. For privacy matters, contact us at privacy@securespherelabs.com.
2. What Data We Collect
2.1 Account Data
- Name and email address — provided at registration or via Google OAuth
- Password hash — bcrypt-hashed; we never store plaintext passwords
- Authentication provider — Google OAuth token metadata (no Google password is ever received by us)
- Account plan and role — community or Analyst Pro
- Created and last login timestamps
2.2 Usage and Quota Data
- Daily and monthly scan counts (web and forward-to-scan channels)
- AI token consumption counters (aggregate totals only; no prompt content is stored)
- Billing status and subscription identifiers (Razorpay or Stripe subscription IDs)
2.3 Technical Data
- IP address (for rate limiting and abuse prevention; not stored beyond the current request except in server logs)
- Browser session cookie (for authentication state; see Cookie Policy)
- Server access logs (standard Apache/Nginx logs; retained up to 30 days)
2.4 Email Content — What We DO NOT Store
2.5 Extracted Security Observables (Limited)
During analysis, observable security indicators are extracted from email content:
| Observable Type | Stored? | Purpose |
|---|---|---|
| IP addresses | Sent to AbuseIPDB; not retained by us | Threat intelligence enrichment |
| Domain names | Sent to VirusTotal; not retained by us | Reputation lookup |
| File hashes (SHA-256, MD5) | Sent to VirusTotal; not retained by us | Malware detection |
| URLs | Sent to VirusTotal; not retained by us | Phishing URL check |
| Verdict + risk score | Stored in your browser (localStorage only) | Your personal scan history |
Scan history is stored exclusively in your browser's localStorage under the key spheremail_scan_history. It is never transmitted to our servers. You can clear it at any time from within the platform.
3. How We Use Your Data
- To authenticate you and maintain your session
- To enforce scan quotas and plan limits
- To process subscription billing via Razorpay (India) or Stripe (international)
- To send transactional emails (OTP verification, subscription receipts, plan notifications)
- To detect and prevent abuse of the platform
- To improve service reliability (aggregate, anonymised performance metrics only)
4. Third-Party Services We Use
| Provider | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| SphereAI™ | AI-powered threat analysis (internal engine) | Email headers and body text — processed transiently for analysis only; see AI Transparency Statement | AI Transparency |
| VirusTotal | URL, domain, file hash reputation | URLs, domains, IP addresses, file hashes — never email body | virustotal.com |
| AbuseIPDB | IP reputation check | IP addresses only — never email content | abuseipdb.com |
| Google OAuth | Social sign-in | Your Google profile (name, email, avatar) — via OAuth consent | Google Privacy |
| Razorpay | Payment processing (India) | Name, email, payment method — no email content | razorpay.com |
| Stripe | Payment processing (international) | Name, email, payment method — no email content | stripe.com |
5. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| Email message content (body, subject, attachments) | Zero — never stored |
| Scan history / analysis results | Browser localStorage only — under your control |
| Account data (name, email, plan) | Until account deletion + 30 days grace |
| Quota and usage counters | 90 days rolling window |
| AI token usage logs | 90 days (aggregate only) |
| Server access logs | 30 days |
| Payment records | 7 years (legal/tax requirement) |
6. Your Rights (GDPR)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your account and associated data ("right to be forgotten")
- Right to restriction — request that we restrict processing of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent
To exercise any of these rights, email privacy@securespherelabs.com. We will respond within 30 days.
7. Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account registration and authentication | Contractual necessity (Art. 6(1)(b)) |
| Service delivery (email analysis) | Contractual necessity (Art. 6(1)(b)) |
| Quota enforcement | Contractual necessity (Art. 6(1)(b)) |
| Billing and payments | Contractual necessity + legal obligation (Art. 6(1)(b),(c)) |
| Abuse prevention and rate limiting | Legitimate interests (Art. 6(1)(f)) |
| Transactional emails | Contractual necessity (Art. 6(1)(b)) |
| Marketing emails (if any) | Consent (Art. 6(1)(a)) — you may opt out at any time |
8. International Data Transfers
SphereMail is hosted on servers in India (Hostinger VPS). When we use third-party services (VirusTotal, AbuseIPDB) and our internal AI processing infrastructure, data may be transferred to and processed in the United States and other countries. We ensure that such transfers are conducted under appropriate safeguards, including standard contractual clauses where applicable.
9. Children's Privacy
SphereMail is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered users of material changes via email. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
privacy@securespherelabs.com
These documents were last updated on May 26, 2026. For questions, contact legal@securespherelabs.com. · Back to SphereMail
SphereMail