Utyls

Privacy Policy

Privacy Policy

Last updated: March 14, 2026

1. Controller and scope

This Privacy Policy explains how Utyls AI Ltd. processes personal data when you use the Utyls website, connect an Outlook account, or contact us.

You can reach us about privacy matters at support@utyls.com.

This page covers website visitors, connected users, and personal data that appears in mailbox content processed by the service. It does not replace Microsoft’s own privacy documentation for Outlook, Microsoft 365, or Microsoft Graph.

2. Our GDPR role

For website operation, account administration, support, security, and service configuration data, Utyls acts as the controller.

For mailbox content processed on behalf of a connected user or organization, Utyls typically acts as a processor or service provider. In those cases, the connected user or organization remains responsible for the underlying mailbox content and business use of the service.

3. Data we process and where it comes from

We process the minimum data needed to operate Utyls. That can include:

  • Account and identity data, such as your email address and display name. This comes from you and from Microsoft after you connect Outlook.
  • Authentication and connection data, such as OAuth tokens, subscription IDs, delta sync state, onboarding progress, and essential session cookies.
  • Mailbox data, such as message subject lines, message body text, sender details, Outlook categories, deadlines inferred from message content, and up to a limited amount of recent sent-message context used to help match reply tone.
  • Support and correspondence data, if you email us directly.
  • Technical and security data, such as service logs and request metadata generated by our infrastructure providers for security, debugging, or availability purposes.
  • Billing and subscription data, such as Stripe customer IDs, subscription IDs, checkout session details, billing status, and transaction metadata required to manage paid plans.
  • Product analytics data, such as page views, button clicks, and onboarding funnel events collected through PostHog to understand product usage and improve the service.

Mailbox data may include personal data about your correspondents, recipients, or other individuals whose information appears in the emails you connect to the service.

4. Purposes and legal bases

  • To authenticate your account, maintain your Outlook connection, create Outlook categories, and keep webhook subscriptions active. Legal basis: GDPR Article 6(1)(b).
  • To categorize emails, detect deadlines, and generate reply drafts. Legal basis: GDPR Article 6(1)(b) where we provide the service you requested.
  • To protect the service against abuse, secure the application, investigate incidents, and keep the product available. Legal basis: GDPR Article 6(1)(f), our legitimate interests in security, fraud prevention, and service reliability.
  • To respond to support requests or legal requests. Legal basis: GDPR Article 6(1)(b), 6(1)(c), or 6(1)(f), depending on the request.
  • To process payments, manage subscriptions, and handle billing operations. Legal basis: GDPR Article 6(1)(b).
  • To measure product usage, analyze onboarding conversion, and improve the service. Legal basis: GDPR Article 6(1)(f), our legitimate interests in product analytics and service improvement.

We do not use advertising cookies or behavior-based marketing trackers on the Utyls website.

5. Outlook and Microsoft access

If you connect Outlook, Utyls uses Microsoft Graph permissions granted by you to read the mailbox data needed for the product, create Outlook categories, and create draft replies in your Outlook account.

Utyls does not automatically send emails on your behalf. Draft replies are created in your Outlook drafts for your review.

Microsoft remains a separate provider for authentication, Outlook, and Microsoft Graph, and Microsoft’s own privacy terms continue to apply to those services.

6. AI processing

Utyls sends the parts of an email needed for categorization and drafting to Requesty EU.

Utyls is configured to use Requesty’s EU setup only. AI processing for the product is routed through Requesty EU and is intended to stay within that EU-configured setup.

Utyls does not use your email content to train its own models, and email content is processed only to provide categorization and drafting features for your account.

7. Hosting, storage, and processors

The Utyls application is hosted on Cloudflare. Our primary application database is Cloudflare D1.

  • Cloudflare provides website delivery, worker execution, and D1 database infrastructure.
  • Requesty EU provides EU-routed AI inference for categorization and draft generation.
  • Microsoft provides Outlook, Microsoft Graph, and authentication for connected accounts.
  • Stripe provides payment processing, checkout, and subscription billing infrastructure.
  • PostHog provides product analytics for website usage and onboarding funnel measurement.

We do not sell personal data. We share data only to the extent needed to run Utyls or comply with law.

8. International transfers

Utyls is intended to operate with EU-only configuration for Cloudflare hosting and database services and with Requesty EU for AI processing.

If this changes, or if any provider requires processing outside the EEA, we will update this policy and rely on an appropriate transfer mechanism such as an adequacy decision or the European Commission’s standard contractual clauses.

9. Retention and deletion

Utyls is designed not to keep a long-term copy of email bodies or attachments in its own database as part of normal operation after processing is complete.

  • Essential OAuth cookies such as oauth_state and oauth_stage are short-lived and used only for the connection flow.
  • The session cookie iqinbox_session may persist for up to 7 days unless you disconnect sooner.
  • If you open a referral link or share one during your trial, the cookie utyls_referral may persist for up to 14 days so Utyls can attribute a first-time signup to the correct inviter.
  • Account connection state, tokens, webhook state, delta-sync state, and onboarding progress are retained while your mailbox remains connected and are removed when you disconnect, subject to normal backup, recovery, and infrastructure retention cycles.
  • Draft emails and Outlook categories created by Utyls are stored in your own Outlook account because that is where the service creates them.

10. Cookies and similar technologies

Utyls uses only essential cookies required for login state, the Outlook connection flow, referral attribution during the trial invite program, and basic signed-in operation.

We also use PostHog to measure product usage and onboarding events. PostHog may use cookies or similar technologies for analytics. We do not use advertising cookies.

11. Security

We use reasonable technical and organizational measures to protect data in transit and to limit access to the service state we store. No internet service can guarantee perfect security, and you should review connected-mailbox access and revoke it if you no longer want to use the service.

12. Your rights

Depending on your location and the role in which we process your data, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate personal data;
  • request deletion of your personal data;
  • request restriction of processing;
  • object to processing based on legitimate interests;
  • request data portability where applicable;
  • withdraw consent, where processing is based on consent; and
  • lodge a complaint with a supervisory authority.

If Utyls processes mailbox content on behalf of your employer or organization, you may need to direct some requests to that organization as the primary controller of the underlying mailbox content.

13. Whether you must provide data

You are not required by law to connect Outlook to Utyls. However, if you do not provide the account, mailbox, and connection data needed for the service, Utyls cannot categorize emails, create drafts, or maintain an active connection.

14. Automated assistance

Utyls uses automated systems to classify emails, highlight deadlines, and suggest reply drafts. Utyls is not intended to make solely automated decisions that produce legal effects or similarly significant effects on individuals. You remain responsible for reviewing drafts, labels, and mailbox actions.

15. Children

Utyls is not intended for children. If you believe personal data was provided to Utyls by a child in violation of applicable law, contact us and we will investigate.

16. Changes to this policy

We may update this Privacy Policy when the product, infrastructure, vendor stack, or legal requirements change. If we make material changes, we will update the date at the top of this page.