GDPR Compliance

Warmy is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This page explains how we apply GDPR principles and how you can exercise your rights as a data subject. For general information about how we handle personal data, please also read our Privacy Policy.

Data Controller

Warmy is the data controller for personal data collected through the warmy.io website and Service. For data protection inquiries, contact us at privacy@warmy.io. We do not currently have a statutory requirement to appoint a Data Protection Officer, but our privacy team handles all GDPR-related requests.

Legal bases for processing

We process your personal data on the following legal bases:

• •Contract performance (Art. 6(1)(b)): processing your account data, inbox credentials, and warmup activity is necessary to provide the Service you have subscribed to.
• •Legitimate interests (Art. 6(1)(f)): aggregate, anonymised usage analytics to understand how users interact with the product and to improve it. We have conducted a Legitimate Interests Assessment and concluded that this processing does not override your interests or fundamental rights.
• •Legal obligation (Art. 6(1)(c)): retaining billing records for tax and accounting purposes as required by law.
• •Consent (Art. 6(1)(a)): where we send optional marketing communications, we obtain explicit consent and provide an easy opt-out in every email.

Your rights as a data subject

Under GDPR, you have the following rights. To exercise any of them, email privacy@warmy.io with your request. We will respond within 30 days and may need to verify your identity before processing the request.

International data transfers

We store personal data on Supabase infrastructure in the European Union (Frankfurt, Germany). We do not transfer personal data to countries outside the EEA except where necessary for specific sub-processors (e.g., Stripe for payment processing, which operates under Standard Contractual Clauses). A full list of sub-processors is available on request.

Data Processing Agreement (DPA)

If you require a Data Processing Agreement for your organisation's compliance obligations, please email privacy@warmy.io and we will provide our standard DPA. Enterprise customers on annual plans may negotiate custom DPA terms.

Data retention

We retain personal data only as long as necessary for the purposes described in this document. Account data is retained for the life of your account and deleted within 30 days of account closure. Encrypted inbox credentials are deleted immediately upon inbox disconnection. Anonymised analytics data may be retained indefinitely.

Right to lodge a complaint

If you believe we have processed your personal data in a way that violates GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority via the European Data Protection Board. We would, however, appreciate the opportunity to address your concerns directly before you escalate to a regulator.

Contact

For any GDPR-related requests or questions, contact us at privacy@warmy.io. We aim to respond within 3 business days and will always respond within the legally required 30-day window.