GDPR Compliance
Last updated: February 18, 2026
Privacy by Design
SpamBear is built with a local-first architecture. Your email data is stored in your browser's IndexedDB and never transmitted to our servers unless you explicitly opt into Pro cloud sync features. This approach minimizes data collection by design.
Lawful Basis for Processing
| Activity | Lawful Basis |
|---|---|
| Gmail OAuth & email metadata access | Consent (you grant access via Google) |
| Local data storage (IndexedDB) | Legitimate interest (service functionality) |
| Pro cloud sync | Consent (opt-in) |
| Payment processing (Stripe) | Contract (payment for Pro subscription) |
| Basic analytics | Legitimate interest (service improvement) |
Your Rights
Under GDPR, you have the right to:
- Access — Request a copy of any personal data we hold
- Rectification — Correct inaccurate personal data
- Erasure — Delete your data (locally via browser settings, or request cloud deletion for Pro users)
- Portability — Export your data in a standard format
- Objection — Object to processing based on legitimate interest
Data Transfers
SpamBear communicates with Google's Gmail API (subject to Google's data processing terms) and, for Pro users, with Supabase cloud infrastructure. We do not independently transfer personal data outside the EU/EEA without appropriate safeguards.
Data Retention
Local data is retained until you clear it. Pro cloud data is retained while your subscription is active and deleted upon request or account closure.
Exercising Your Rights
For any GDPR-related requests, please contact us at support@spambear.com. We will respond within 30 days.