Data Protection Impact Assessment — Public Summary

UK GDPR Article 35 · Document version 1.0 · Last updated: 11 May 2026

Why a DPIA is required. Azindoo’s processing ticks at least four ICO triggers for mandatory DPIAs: (1) large-scale processing of communications data, (2) systematic monitoring, (3) use of innovative AI technology, and (4) possible presence of special-category data inside email bodies. This public summary is the abridged version of the internal DPIA held in our compliance binder.

1. Description of the processing

Users sign in with Google and consent to read-only Gmail access (gmail.readonly). Azindoo imports up to 100 messages from the last 30 days into a US-hosted PostgreSQL database and runs 21 AI modules (commitments, emotional temperature, decision drift, trust graph, regulatory exposure, data-protection alerts, etc.) on each email. Outputs are visible only to the account holder. Users may export, delete email data, or delete their entire account at any time from Settings.

2. Necessity & proportionality

Lawful basis: Art. 6(1)(b) for the user; Art. 6(1)(f) for third-party email content (see LIA).

Limited Use compliance: Yes. Azindoo follows Google’s Limited Use requirements: no ads, no sale, no human reading except for support with explicit consent, no use for model training.

Data minimisation: 30-day window, 100-message cap, read-only scope, no attachments stored. Bodies are stored as cleaned plain text only — HTML, tracking pixels, quoted reply chains, email signatures, and content beyond 8 KB are stripped before storage. Bcc recipients and Gmail labels are not stored.

Less-intrusive alternatives considered: Local-only processing (rejected: prevents the unified-memory feature), on-device inference (rejected: model size, mobile use cases), summarisation without storage (rejected: defeats decision-drift and memory features).
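The body-cleaning step described under data minimisation (HTML, tracking pixels, quoted reply chains, signatures and anything past 8 KB removed before storage) can be implemented along these lines. This is an added illustration, not Azindoo’s own code; the sample email is constructed, and the "--" signature delimiter, "On ... wrote:" and ">" reply markers are assumed conventions.

```python
import html
import re

MAX_BODY_BYTES = 8 * 1024  # the 8 KB cap stated above

# Constructed sample: HTML mail with a tracking pixel, a signature and a quoted reply.
SAMPLE_HTML_BODY = (
    "<html><body><p>Hi Dana,</p><p>Can you send the Q3 figures by <b>Friday</b>?</p>"
    '<img src="https://tracker.example/open.gif?id=123" width="1" height="1">'
    "<br>--<br>Sam Lee<br>Head of Ops<br>"
    "<blockquote>On Mon, Dana wrote:<br>&gt; Sure, which figures?</blockquote>"
    "</body></html>"
)

_BLOCKQUOTE = re.compile(r"<blockquote\b.*?</blockquote>", re.I | re.S)
_BLOCK_BREAK = re.compile(r"<(br|/p|/div|/tr|/li)\b[^>]*>", re.I)
_TAG = re.compile(r"<[^>]+>")
_ON_WROTE = re.compile(r"^On .+ wrote:\s*$", re.M)   # assumed reply-header heuristic
_QUOTED_LINE = re.compile(r"^\s*>.*$", re.M)


def minimise_body(raw: str) -> str:
    """Reduce a raw email body to capped plain text before it is stored."""
    # 1. Drop HTML-quoted reply chains.
    text = _BLOCKQUOTE.sub("", raw)
    # 2. Turn block-level tags into line breaks, then strip every remaining tag.
    #    Tracking pixels are <img> tags with no text, so they disappear here.
    text = _BLOCK_BREAK.sub("\n", text)
    text = html.unescape(_TAG.sub("", text))
    # 3. Drop plain-text reply chains ("On ... wrote:" headers and ">"-prefixed lines).
    text = _ON_WROTE.sub("", text)
    text = _QUOTED_LINE.sub("", text)
    # 4. Cut the trailing signature at the conventional "--" delimiter.
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "--":
            lines = lines[:i]
            break
    # 5. Collapse blank lines and enforce the byte cap on the UTF-8 encoding
    #    (a multibyte character split by the cut is dropped rather than stored broken).
    cleaned = "\n".join(l.strip() for l in lines if l.strip())
    return cleaned.encode("utf-8")[:MAX_BODY_BYTES].decode("utf-8", errors="ignore")
```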

3. Risk identification & mitigation

(1) Risk: Database compromise exposing email bodies
Likelihood: Low · Impact: High · Net risk: Medium
Mitigation: Server-side queries only, AWS RDS encryption at rest, application-layer encryption on OAuth tokens, planned column-level encryption on Email.body, principle-of-least-privilege on DB credentials.

(2) Risk: Compromise of refresh tokens leading to ongoing inbox access
Likelihood: Low · Impact: High · Net risk: Medium
Mitigation: AES-256-GCM application-layer encryption with key in env-secret store (now live). Re-auth available from Settings. Tokens revoked on account deletion.

(3) Risk: Third-party correspondents’ data processed without their knowledge
Likelihood: High · Impact: Medium · Net risk: Medium
Mitigation: LIA documented; Art. 14(5)(b) disproportionate-effort reasoning recorded; objection route at [email protected]; outputs visible only to the account holder, no profiling shared.

(4) Risk: Special-category data incidentally present in emails
Likelihood: Medium · Impact: High · Net risk: High
Mitigation: No targeted extraction of special categories; user can delete data; no human review without consent; we will not enable any feature that uses special-category data as a primary input.

(5) Risk: International transfer (UK→US) without adequate safeguards
Likelihood: Medium · Impact: High · Net risk: High
Mitigation: UK IDTA / EU SCCs being signed with Abacus.AI; TRA in progress; option (c) is migration to UK/EU AWS region. Transparent disclosure in Privacy Policy §13.

(6) Risk: AI hallucination producing false commitments / accusations
Likelihood: Medium · Impact: Medium · Net risk: Medium
Mitigation: All AI outputs labelled as advisory; the source email is always shown; users can mark items as wrong; no automated action taken on the user’s behalf.

(7) Risk: Children’s data exposure
Likelihood: Low · Impact: Medium · Net risk: Low
Mitigation: Service is 16+ per Terms; age confirmation at signup; deletion on notification of under-age use.

(8) Risk: Vendor exit / lock-in
Likelihood: Medium · Impact: Low · Net risk: Low
Mitigation: JSON export available to every user; standard Postgres schema; documented migration plan.

4. Consultation

Internal: founder & engineering lead. External: UK data-protection solicitor (engagement scheduled). Users: surveyed via in-app feedback when material changes occur; 14-day advance notice for any new sub-processor.

5. Residual risk & outcome

After mitigation, residual risk for items (4) and (5) above is rated Medium. Item (5) will be reduced to Low on completion of the SCCs / TRA or regional migration. No residual risk is rated High after mitigation, so Art. 36 prior consultation with the ICO is not required at this time. The DPIA will be re-run whenever a new AI module is shipped or when the EU/UK user base exceeds 1,000 monthly active users.

6. Sign-off & review

Director sign-off recorded internally on 11 May 2026. Next review: 11 November 2026 or earlier on material change.