Privacy Policy
Last updated: May 28, 2026
This policy covers the Promy app and https://promy.bounlu.com. Data controller: Kerem Arslan, İstanbul, Türkiye. Contact: privacy@bounlu.com.
1. Data we collect
- Account info: email and name (if shared) from Apple Sign-In or Google. Stored in Supabase.
- Reminder content: titles, dates, notes, categories you create. Bound to your account via Row-Level Security.
- Email integration (opt-in): when you connect Gmail, Outlook, or IMAP, we read subjects and bodies within the scope you authorize.
- Push tokens: APNs/FCM tokens, used only to deliver notifications.
- Subscription status: handled via Adapty + App Store IAP. Payment details never reach us.
- Crash & performance: collected via Sentry. No personal data.
2. Data sharing with AI (Google Gemini)
Promy uses AI to create reminders. What is sent: the reminder text you type and — if you choose to connect an email account — the content of those emails. Who it is sent to: Google LLC's Gemini API (acting as our processor). Why: solely to generate your reminders.
This sharing happens only after you give explicit in-app consent; no text is sent to the AI before you consent, and you can revoke it anytime under Settings > AI data sharing. Google processes this data only to fulfill the request, does not use it to train AI models, and provides protection equivalent to ours (Gemini API Terms).
Email content is additionally processed as follows:
- A Cloudflare Workers cron scans connected accounts at regular intervals.
- Before any AI call, content is anonymized server-side: emails, phones, addresses, card numbers, and names are masked as tags ([EMAIL], [PHONE], [ADDRESS], [NAME]).
- The AI only sees anonymized text. Raw content is never stored.
- Extracted reminders (title + datetime) are saved; you get a notification.
Assistant conversations: the messages you send to Promy in chat and Promy's replies are stored, associated with your account, for service quality, debugging and support. Only our authorized team can access these records; they are not used for advertising, not shared with third parties, and not used to train AI models.
3. Gmail API — Google Limited Use compliance
Promy adheres to Google API Services User Data Policy:
- Gmail data is used only to provide user-facing features (email auto-reminders).
- Gmail data is not used for advertising.
- Gmail data is not read by humans — except with explicit user consent for support.
- Gmail data is not sold or transferred to third parties.
- Gmail data is not used to train ML models.
4. IMAP passwords
Custom IMAP passwords arrive over TLS, are immediately encrypted with AES-GCM, and stored as ciphertext in Cloudflare KV. Plaintext is never logged or persisted.
5. Where data lives
- Supabase (EU region): account, reminders, connected accounts, push tokens, assistant conversations.
- Cloudflare KV: encrypted OAuth tokens + IMAP ciphertext. 1-year TTL.
- Adapty: subscription status.
- Sentry: crash + performance data (no personal data).
- Google (Gemini API): anonymized requests, results returned synchronously.
6. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Contact privacy@bounlu.com. You can also delete your account from Settings → Delete Account.
7. Children
Promy is not directed at children under 13 and does not knowingly collect their data.
8. Changes
We may update this policy. Material changes are notified in-app. See the "last updated" date.
9. Contact
Kerem Arslan, İstanbul, Türkiye.
privacy@bounlu.com