Privacy Policy

Last updated: June 13, 2026

This Privacy Policy explains how Zyleb ("we", "us", "our") collects, uses, and protects your personal data when you use our platform. We are committed to processing your data lawfully and transparently in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Who We Are

Zyleb is a team collaboration platform. If you have any questions about this policy or how we handle your data, please contact us at: [email protected].

2. What Data We Collect

We collect only the data necessary to provide the service:

  • Account information: your name and email address, obtained from Google when you sign in via Google OAuth.
  • Email data: when you connect a Gmail inbox, we access thread and message data in that inbox via the Gmail API solely to display and manage it within the platform. To improve performance, this data is temporarily cached on our servers for up to 60 minutes after it was last accessed, after which it is automatically discarded. It is not written to permanent storage or shared with any third party.
  • Usage metadata: we store lightweight metadata about actions taken within the platform to support collaboration features. This metadata is linked to your account.
  • Session data: a server-side session is maintained to keep you logged in. See our Cookie Policy for details.

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): processing your account information and email access is necessary to provide the service you have signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR): we process usage metadata to maintain audit logs, ensure security, and enable collaboration features. These interests are not overridden by your rights given the limited and non-intrusive nature of the data.

4. How We Use Your Data

  • To authenticate you and maintain your session.
  • To display email content of your Gmail inbox to authorised members of your organisation.
  • To record collaboration actions within the platform.
  • To maintain security and integrity of the platform.

We do not use your data for advertising, profiling, or any purpose unrelated to providing the platform. We do not sell your data to any third party.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Google LLC - for user authentication (Google OAuth) and Gmail API access. When you connect a Gmail account, Google's own Privacy Policy and Terms apply to their processing of your data. We access only the Gmail scopes you explicitly authorise and do not share your Gmail data with any other party. Google LLC is certified under the EU–US Data Privacy Framework. See Google's Privacy Policy.
  • Cloudflare, Inc. - we use Cloudflare for infrastructure, DDoS protection, and network security. Cloudflare may process your IP address and request metadata as part of this service. Cloudflare is certified under the EU–US Data Privacy Framework. See Cloudflare's Privacy Policy.

6. Data Transfers Outside the EEA

Both Google LLC and Cloudflare, Inc. are US-based companies. Data transfers to them are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses, providing adequate protection for your personal data.

7. Data Retention

  • Email content: retrieved from Google's servers and temporarily cached for up to 60 minutes after it was last accessed by any authorised organisation member. This cache is held in server memory and is not written to permanent storage. It is automatically discarded after 60 minutes of inactivity.
  • Account data and metadata: retained for as long as your account is active. If your account is removed, associated metadata is deleted.
  • Session data: expires at the end of your session or after a standard inactivity period.

8. Your Rights

Under GDPR you have the following rights regarding your personal data:

  • Right of access - you may request a copy of the personal data we hold about you.
  • Right to rectification - you may ask us to correct inaccurate data.
  • Right to erasure - you may request deletion of your personal data where no legal obligation requires us to retain it.
  • Right to restriction - you may ask us to restrict processing in certain circumstances.
  • Right to data portability - you may request your data in a structured, machine-readable format.
  • Right to object - you may object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS), server-side session management, and access controls limiting which team members can view which inboxes.

10. Changes to This Policy

We may update this policy from time to time. Where changes are material, we will notify you via the platform. The date at the top of this page reflects the most recent revision.