GDPR Compliance
Last updated: February 19, 2026
Privacy by Design
SpamBear is built with a local-first architecture. Your email data is stored in your browser's IndexedDB and never transmitted to our servers unless you explicitly enable Cloud Sync in Settings > Privacy & Data. This approach minimizes data collection by design.
Lawful Basis for Processing
| Activity | Lawful Basis |
|---|---|
| Gmail OAuth & email metadata access | Consent (you grant access via Google) |
| Local data storage (IndexedDB) | Legitimate interest (service functionality) |
| Cloud sync (sender addresses & decisions) | Consent (opt-in toggle in Settings) |
| Payment processing (Stripe) | Contract (payment for Pro subscription) |
| Basic analytics (no PII) | Legitimate interest (service improvement) |
Your Rights
Under GDPR, you have the right to:
- Access — Use Export My Data in Settings to download a copy of all your data as JSON
- Rectification — Correct inaccurate personal data by contacting us
- Erasure — Use Delete Account in Settings to permanently delete all data (local and cloud), or use Clear Local Data for local-only deletion
- Portability — Use Export My Data in Settings to download your data in a machine-readable JSON format
- Objection — Object to processing based on legitimate interest by contacting us
- Withdraw Consent — Disable Cloud Sync in Settings at any time, or disconnect your Gmail account
Data Transfers
SpamBear communicates with Google's Gmail API (subject to Google's data processing terms). When Cloud Sync is enabled, sender addresses and decisions are stored in Supabase cloud infrastructure (hosted in the US). We do not independently transfer personal data outside the EU/EEA without appropriate safeguards.
Data Retention
Local data is retained until you clear it or delete your account. Cloud data (if Cloud Sync is enabled) is retained while your account is active and is permanently deleted when you use the Delete Account feature.
Exercising Your Rights
Most rights can be exercised directly in the app via Settings > Privacy & Data. For any additional GDPR-related requests, please contact us at support@spambear.com. We will respond within 30 days.