Privacy Policy
Last updated: May 16, 2026
This policy covers the Promy app and https://promy.bounlu.com. Data controller: Kerem Arslan, İstanbul, Türkiye. Contact: privacy@bounlu.com.
1. Data we collect
- Account info: email and name (if shared) from Apple Sign-In or Google. Stored in Supabase.
- Reminder content: titles, dates, notes, categories you create. Bound to your account via Row-Level Security.
- Email integration (opt-in): when you connect Gmail, Outlook, or IMAP, we read subjects and bodies within the scope you authorize.
- Push tokens: APNs/FCM tokens, used only to deliver notifications.
- Subscription status: handled via Adapty + App Store IAP. Payment details never reach us.
- Crash & performance: collected via Sentry. No personal data.
2. How email content is processed
- A Cloudflare Workers cron scans connected accounts every 6 hours.
- Before any AI call, content is anonymized server-side: email addresses, phone numbers, addresses, card numbers, and names are masked with tags ([EMAIL], [PHONE], [ADDRESS], [NAME]).
- The AI only sees anonymized text. Raw content is never stored.
- Extracted reminders (title + datetime) are saved; you get a notification.
3. Gmail API — Google Limited Use compliance
Promy adheres to the Google API Services User Data Policy:
- Gmail data is used only to provide user-facing features (email auto-reminders).
- Gmail data is not used for advertising.
- Gmail data is not read by humans — except with explicit user consent for support.
- Gmail data is not sold or transferred to third parties.
- Gmail data is not used to train ML models.
4. IMAP passwords
Custom IMAP passwords arrive over TLS, are immediately encrypted with AES-GCM, and stored as ciphertext in Cloudflare KV. Plaintext is never logged or persisted.
5. Where data lives
- Supabase (EU region): account, reminders, connected accounts, push tokens.
- Cloudflare KV: encrypted OAuth tokens + IMAP ciphertext. 1-year TTL.
- Adapty: subscription status.
- Sentry: crash + performance data (no personal data).
- OpenRouter / Google Gemini: anonymized requests, results returned synchronously.
6. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Contact privacy@bounlu.com. You can also delete your account from Settings → Delete Account.
7. Children
Promy is not directed at children under 13 and does not knowingly collect their data.
8. Changes
We may update this policy. We announce material changes in-app. See the "last updated" date.
9. Contact
Kerem Arslan, İstanbul, Türkiye.
privacy@bounlu.com