Privacy Policy
This Privacy Policy explains how Groupmail Ltd ("Groupmail", "we", "us"), a company established in Ireland, handles information in connection with the Groupmail 7 desktop application (the "app") and the website at groupmail7.com. It gives particular attention to the optional Gmail integration.
The short version
Groupmail 7 is a desktop application for macOS and Windows. Your contacts, your messages, and your sending-account credentials live on your own computer — not on our servers. We built the product around one promise: your agent, your data, your machine.
- We don't store your contacts or your email content on our servers.
- If you connect Gmail, your sign-in tokens are kept in your computer's secure credential store — never on our servers.
- Groupmail's Gmail access is send-only. The app cannot read, list, search, download, change, or delete your mail.
Google / Gmail data
The following applies only if you choose to connect a Gmail account as a sending account.
What we request
Groupmail 7 requests the minimum Gmail permissions needed to send your campaigns, and nothing more:
| Scope | What it allows | Why Groupmail needs it |
|---|---|---|
openid | Standard, secure sign-in | To complete the Google sign-in |
userinfo.email | See your Gmail address | To show which account is connected and set the message "From" |
gmail.send | Send email as you | To send the campaigns you compose, from your own address |
That is the entire list. Groupmail 7 requests no permission to read, list, search, download, label, modify, or delete your mail. We do not request gmail.readonly, gmail.modify, gmail.compose, gmail.metadata, or full-access (mail.google.com) scopes.
How we use it
Groupmail 7 uses the gmail.send permission only to send email messages you have approved and composed in the app, through your connected Gmail account. It uses your email address only to identify the connected mailbox and set the sender. Groupmail does not read your inbox, because it never has read access.
Where your Google tokens are stored
When you grant access, Google issues access and refresh tokens. Groupmail 7 stores these locally on your device, in your operating system's secure credential store — Keychain on macOS, DPAPI on Windows. These tokens are not stored on, or transmitted to, any Groupmail server. Token refresh happens directly between your device and Google.
Limited Use
Groupmail 7’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- We use Google user data only to provide the sending feature you connected it for.
- We do not transfer Google user data except as needed to provide that user-facing send feature. In normal use your tokens never leave your device, so no transfer occurs.
- We do not use Google user data for advertising.
- We do not use Google user data to train, develop, or improve AI or machine-learning models.
- We do not sell Google user data.
- We do not allow humans to read your Google data, except with your explicit consent, where required for security or by law, or when the data is aggregated and anonymised.
Disconnecting and revoking access
You can disconnect Gmail at any time from within Groupmail 7. Disconnecting removes the stored tokens from your device and requests revocation of the token with Google. You can also revoke Groupmail's access directly at myaccount.google.com/permissions.
The same model applies if you connect a Microsoft mailbox: send-only access, tokens stored in your device's secure store, never on our servers.
Your data in the app
Contacts, groups, messages, send history, and settings are stored locally in a database that is encrypted at rest. The encryption key is held in your operating system's secure store and the app unlocks it transparently when you use it. We do not receive a copy of this data.
Information we hold
Separately from the app's local data, Groupmail Ltd operates groupmail7.com and a licensing service. To sell a licence and activate the app, we and our payment processor handle limited data such as your name, email address, licence key, and a machine-activation identifier. We do not receive your card number — that is handled by the payment processor. The Groupmail 7 application itself contains no analytics or telemetry and does not transmit your usage back to us. Your contacts, message content, and mailbox tokens are not part of this, and the licensing service is never in the send path.
How we share information
We do not sell your personal information, and we do not share your contacts or message content. We share limited data only with: service providers needed to run the business, such as our payment processor and website host; the sending provider you choose (your message and recipients necessarily go to Gmail, Microsoft, or your own SMTP/relay provider in order to be delivered); and where required by law.
Data retention
Data on your device remains until you delete it or uninstall the app. Google and Microsoft tokens are kept in your keychain until you disconnect or revoke them. Licence and support data is kept while your licence is active and for a reasonable period afterwards, then deleted or anonymised.
Security
Local data is encrypted at rest, and mailbox tokens and other secrets are kept in the operating-system secure store (Keychain on macOS, DPAPI on Windows), not in plain files. OAuth uses Authorization Code with PKCE. No system is perfectly secure, but the design keeps your data on your machine and under your control.
Your rights
Depending on where you live, you have rights over your personal data, including access, correction, deletion, restriction, portability, and objection. For data in the app, you control it directly: you can edit or delete contacts and content on your device, and deleting a contact performs a hard delete of that contact and its associated data. For data we hold (licence and support), contact us and we will respond as required by law. If you are in the EU or EEA, you also have the right to lodge a complaint with a supervisory authority; Groupmail Ltd is established in Ireland, where the supervisory authority is the Data Protection Commission (dataprotection.ie).
Children
Groupmail is not directed to children under 16, and we do not knowingly collect their personal data.
Changes to this policy
We may update this policy and will post the new version here with a new "Last updated" date. For material changes affecting connected accounts, we will give reasonable notice.
Contact
Groupmail Ltd, Ireland — questions about privacy: [email protected].