Speudio Privacy Policy
Version 1.1 Last updated: 6 July 2026
Language. This policy is written in English, which is the authoritative version. Swedish and
Greek translations are provided for convenience; if there is any difference between them, the
English version prevails. This policy is governed by Swedish law, and any disputes are subject to
the jurisdiction of the Swedish courts.
1. Who we are
Speudio (speudio.com) is operated by SK Creations, a sole proprietorship (Swedish enskild firma) registered in Sweden.
- Registered address: Hagvägen 41, 194 40 Upplands Väsby, Sweden
- Contact for all privacy matters: info@speudio.com
Because SK Creations is a sole proprietorship, its registration number is the owner's personal identity number and is therefore not published on this page. It is available on request via info@speudio.com, and is provided to business customers in the signature block of an executed Data Processing Agreement.
SK Creations has not appointed a Data Protection Officer, because none of the conditions in Article 37 GDPR that require one apply to our processing. The contact for every question, request, or concern about personal data is info@speudio.com.
For the data described in Section 3 under "account and security data", SK Creations is the data controller within the meaning of the GDPR.
2. Scope of this policy — two roles, one important distinction
Speudio is a service for businesses and private users. It connects to a mailbox you choose, with read-only access, imports your emails and attachments, builds contact profiles from them, and provides AI assistants that work over that data. Speudio never modifies, deletes, or sends mail from your mailbox.
That design means we process personal data in two distinct roles. This policy describes the first role in full; the second is governed by our Data Processing Agreement and appears in this policy only where needed to keep the distinction clear (for example, in the tables in Sections 3 and 7):
- Your account data — we are the controller. Information about you as our customer: your login details, plan, preferences, usage records, and security logs. This policy describes that processing.
- The content you import — you are the controller, and we are your processor. Your mailbox contains personal data about your contacts and customers (their emails, names, attachments, and the contact profiles and AI-derived data we build from them). Under the GDPR, you decide why and how that data is used; Speudio processes it only on your instructions, as your processor. That relationship is governed by our Data Processing Agreement (DPA) under Article 28 GDPR, not by this policy. If you are one of our customer's contacts and have questions about how a Speudio customer handles your data, the customer — as controller — is your first point of contact.
Where this policy says "imported content", it means everything Speudio derives from your mailbox: emails and their metadata, attachments (including images), CRM contact profiles, and AI-derived data such as captions, embeddings, summaries, and suggested questions.
3. What we collect, why, and on what legal basis
| Category of data | What it includes | Purpose | Legal basis |
|---|---|---|---|
| Account data | Login email address, name, password (stored only as a bcrypt hash), language preference, plan (Free/Solo/Pro/Business) | Creating and operating your account; signing you in; providing the service in your language and plan | Contract — Art 6(1)(b) GDPR: processing necessary to provide the service you signed up for |
| Usage records | A ledger of your use of metered features (e.g. AI usage against your plan's limits) | Applying plan limits; operating the service fairly within each plan | Contract — Art 6(1)(b) GDPR |
| Security and technical logs | IP address, session information, security-relevant events | Keeping your account and the service secure; detecting and preventing abuse; diagnosing problems; improving the reliability of the service | Legitimate interests — Art 6(1)(f) GDPR (see Section 4) |
| Mailbox connection credentials | The credentials or OAuth tokens needed for read-only access to the mailbox you connect | Importing your mail as you instructed | Contract — Art 6(1)(b) GDPR |
| Imported content | Emails and metadata, attachments (incl. images), derived contact profiles, AI-derived data (captions, embeddings, summaries, suggested questions) | Providing the inbox-to-CRM and AI-assistant features you use | Processed on your instructions as your processor under the DPA (Art 28 GDPR) — you are the controller of this data (see Section 2) |
All of the data above comes from you: either you create your account yourself at speudio.com, or we create one for you on request (you then receive a set-password invitation link), and the rest comes from your own use of the service. We do not collect personal data about you from third-party sources.
We do not run consent-based processing today: we send no marketing emails, and we use no advertising or behavioural tracking (see also Section 5 and our Cookie Notice). We never sell personal data, and we never send marketing email to your contacts.
We do not intentionally process special categories of personal data (Art 9 GDPR). Such data may appear incidentally inside a mailbox you import — for example, inside the text of an email someone sent you — but that sits in the imported-content layer, where you are the controller and the data stays under your control.
4. Our legitimate interests
Where we rely on legitimate interests (Art 6(1)(f) GDPR), the interests are:
- Security and anti-abuse. Keeping accounts, the service, and the data within it safe requires retaining limited technical records — IP addresses, session data, and security events — for a short period (see Section 7). Without them, we could not detect intrusions, investigate incidents, or stop abuse.
- Service improvement. Understanding how the service performs technically (errors, reliability) so we can fix and improve it.
We have weighed these interests against your rights and freedoms. The data involved is limited and technical, it is kept for a short period, it is not used to profile you or for marketing, and the processing is what a customer of a security-conscious service would reasonably expect. You can object to this processing at any time (see Section 8).
5. Recipients and sub-processors
We share personal data only with the following parties — and otherwise with no one, except where disclosure is required by law or by a binding order of a court or authority (see the end of this section). We use no analytics, advertising, or tracking vendors of any kind.
| Recipient | Role | Purpose | Location |
|---|---|---|---|
| one.com (Group.One) | Hosting provider / sub-processor | Hosting the service (servers, database, file storage) in ISO 27001-certified data centres within Europe; sending transactional email (password resets, invite links) via send.one.com | EU |
| OpenAI | AI provider / sub-processor | Our main AI provider: chat assistants, image captions, embeddings, and web-search sub-calls. Content you ask the AI to work with is sent to the OpenAI API for processing | USA — see Section 6 |
| Cohere | Search-relevance provider / sub-processor | When the AI searches your imported content, the search text and short excerpts of the candidate emails and documents are sent to Cohere's reranking API, which orders the results by relevance | USA/Canada — see Section 6 |
| Cloudflare | Backup-storage provider / sub-processor | Nightly off-site backups. Every backup is encrypted on our own server before upload, so Cloudflare stores only unreadable ciphertext, in an EU-jurisdiction storage bucket | EU bucket (US-headquartered provider) — see Section 6 |
| Your mail provider (Google, Microsoft, or other) | Your own provider — not our sub-processor | The data source: you connect your existing mailbox to Speudio with read-only access. Your relationship with your mail provider is governed by their terms, not ours | Depends on your provider |
Three honest notes on this list:
- OpenAI data handling. By default, data sent to the OpenAI API is not used to train OpenAI's models and is retained by OpenAI for at most around 30 days for abuse monitoring. Transfers to OpenAI take place under OpenAI's Data Processing Addendum (executed between SK Creations and OpenAI Ireland Ltd on 12 June 2026), which incorporates the EU Standard Contractual Clauses.
- Cohere data handling. Only the minimum needed for ranking is sent: the search text and short excerpts of the candidate documents — never your whole mailbox. Data we send to the Cohere API is not used to train Cohere's models (we have disabled this in Cohere's data controls) and is retained by Cohere for at most around 30 days for abuse monitoring.
- Backups. Nightly off-site backups are now operational (announced as planned in version 1.0). They are encrypted end-to-end: each backup is sealed on our own server with a key that only we hold, so Cloudflare can never read its contents. Section 7 describes how long backups are kept.
We may also disclose personal data where required by law or by a binding order of a court or authority.
6. International transfers
Almost all processing happens within the EU: hosting, storage, and transactional email run in ISO 27001-certified data centres within Europe (one.com / Group.One).
The first exception is OpenAI (USA), our AI provider. When you use an AI feature, the relevant content is transmitted to the OpenAI API in the United States. That transfer is safeguarded under OpenAI's Data Processing Addendum incorporating the EU Standard Contractual Clauses (Art 46(2)(c) GDPR) — executed with OpenAI Ireland Ltd on 12 June 2026 — and OpenAI does not use API data for model training by default. You can ask us for more information about these safeguards, or for a copy of the relevant clauses, at info@speudio.com.
The second exception is Cohere (USA/Canada), our search-relevance provider: when the AI searches your imported content, the search text and short excerpts of candidate documents are transmitted to the Cohere API to be ordered by relevance. That transfer is safeguarded under Cohere's data-processing terms incorporating the EU Standard Contractual Clauses (Art 46(2)(c) GDPR); Cohere retains API data for at most around 30 days and does not use it to train its models (disabled via Cohere's data controls).
Cloudflare (US-headquartered) is a special case rather than a third exception: it stores our nightly backups in an EU-jurisdiction bucket, and every backup is encrypted on our own server before upload with a key Cloudflare never sees — so the contents remain unreadable to the provider regardless of geography.
Beyond these, we transfer personal data to no other recipient outside the EU. (One practical note: if the mailbox you choose to connect is hosted outside the EU, that is part of your own relationship with your mail provider — the provider is the data source you bring to Speudio, not a recipient we send data to; see Section 5.)
7. How long we keep data
| Data | Retention |
|---|---|
| Your account and everything in it | Kept while your account exists. Account deletion is self-service (Settings → Privacy → Delete account) and executes immediately on confirmation: a hard delete of your account and all associated data, including attachment files, completed at most within 24 hours. |
| Imported content (Free plan) | The Free plan keeps a rolling window of your 2,000 most recent emails; older imported emails are removed as new ones arrive. |
| Imported content (paid plans) | Full history is retained while the account exists. |
| Security and server logs | Up to 90 days. |
| Answers you flag for AI improvement | If you tap the flag on an AI answer and confirm, that question and answer are stored so the assistant can be improved. Processing is fully automated — no human reads the content; it is never used to train third-party models; legal basis is your consent (Art. 6(1)(a)), withdrawable at any time by contacting us. Deleted automatically within 30 days. |
Backups. Encrypted off-site backup snapshots are kept on a rotating schedule (7 daily, 4 weekly, 12 monthly and 3 yearly snapshots). When you delete data — or your whole account — it is removed from the live service immediately, as described above, and then ages out of the encrypted backups as those snapshots rotate. Backups exist solely for disaster recovery: they are never used to "un-delete" data, and their contents can only be read with a decryption key that only we hold.
8. Your rights
Under Articles 15–22 GDPR you have the rights below. Wherever a self-service path exists in the app, it is listed — you can exercise the right yourself, instantly, without asking us. For everything else, email info@speudio.com; we respond within one month (Art 12(3) GDPR).
| Right | How to exercise it |
|---|---|
| Access (Art 15) | Self-service: Settings → Privacy → Export my data gives you a full export of your data in JSON format, any time. |
| Rectification (Art 16) | Self-service: your account profile is editable in the app, and every contact-profile field is editable in-app at any time. |
| Erasure (Art 17) | Self-service: Settings → Privacy → Delete account — immediate hard delete (see Section 7). |
| Restriction of processing (Art 18) | Email info@speudio.com. |
| Data portability (Art 20) | Self-service: the same Export my data function provides your data in a structured, machine-readable JSON format. |
| Objection (Art 21) | Email info@speudio.com — in particular, you may object to the legitimate-interests processing described in Section 4. |
| Rights related to automated decision-making (Art 22) | Not applicable — see Section 11. We make no such decisions. |
Exercising these rights is free of charge. If you are a contact of one of our customers (i.e. your data was imported by a Speudio user from their mailbox), please direct your request to that customer, who is the controller of that data — we will assist them as their processor under the DPA.
9. Complaints
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. Our supervisory authority is the Swedish Authority for Privacy Protection:
IMY — Integritetsskyddsmyndigheten, www.imy.se
You may also complain to the supervisory authority of the EU member state where you live or work. We would, of course, appreciate the chance to address your concern first at info@speudio.com — but you are never required to contact us before going to the authority.
10. Is providing your data required?
There is no statutory obligation to provide us with personal data. Contractually, however, the account data in Section 3 (login email, password, and similar) is necessary to create and operate your account — without it, we simply cannot provide the service. Connecting a mailbox is your choice; the service only becomes useful once you do, but which mailbox you connect, and what it contains, is entirely up to you.
11. No automated decision-making
We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art 22 GDPR). Speudio's AI features only assist you — they summarise, caption, suggest, and answer questions over your own data; every decision remains yours.
12. How we protect your data
- EU hosting in ISO 27001-certified data centres (one.com / Group.One).
- Encrypted transport (TLS) for all connections to the service.
- Passwords stored only as bcrypt hashes — never in plain text.
- Per-user tenancy isolation enforced server-side: your data is partitioned from every other customer's at the application layer on every request.
- Read-only mailbox access: Speudio's IMAP/OAuth scope can read your mail but can never modify, delete, or send it.
- Recovery codes for secure account recovery.
- No human reading of your email content: AI features process your content programmatically; our staff do not read your imported emails. We do not train AI models on customer data.
13. Children
Speudio is not directed at children. You must be at least 18 years old (or the age of majority where you live) to create an account, and we do not knowingly process children's personal data as a controller.
14. Changes to this policy
This policy is versioned (see the version number and "last updated" date at the top). We update it whenever the facts change — for example, when a sub-processor is added or removed (Section 5), or when retention or data categories change. Material changes will be notified to you in-app or by email before they take effect. Earlier versions are available on request.
SK Creations (sole proprietorship registered in Sweden) Hagvägen 41, 194 40 Upplands Väsby, Sweden info@speudio.com

