GDPR
Your data, your call.
Last updated May 10, 2026
Under the GDPR you have a set of rights that we honor — for everyone, everywhere, regardless of where you live. Most of them are one click away in Settings.
Right of access
Get a copy of all data we hold about you.
Right to data portability
Export everything as a portable JSON archive.
Right to erasure
Delete your account and all associated data.
Right to restriction
Pause processing while a dispute is resolved.
Right to object
Object to processing based on legitimate interest.
Right to rectification
Correct inaccurate personal data.
How to exercise your rights
1. In-app (fastest)
Go to Settings → Data & privacy. You'll find one-click buttons for export and delete, plus retention controls.
2. By email
Email cardimattos@gmail.com from the address on file. We respond within 30 days (extendable to 90 for complex requests, with notice).
3. By post
Cardim IT AB, Attn: Privacy, Göteborg, Sweden.
What happens when you delete
- Within 60 seconds: account access revoked, OAuth tokens to your inboxes revoked.
- Within 24 hours: all email content, summaries, embeddings, and attachments hard-deleted from primary storage.
- Within 30 days: backups expire and are unrecoverable.
- Retained: billing records (7 years, Swedish accounting law), audit-log hashes (12 months) — neither contains email content.
Right to lodge a complaint
You can complain to your local supervisory authority. Our lead authority is the Swedish Authority for Privacy Protection (IMY): imy.se.
Verification
For sensitive requests we may ask you to verify your identity (typically by clicking a confirmation link sent to your account email). We will not ask for ID documents unless legally required.