Privacy Policy

Last updated: 20 March 2026

Data Controller: Qytos SAS · yves@qytos.eu

This Privacy Policy explains how Qytos SAS ("Qytos", "we", "us", "our"), the company behind the Mailflair email security service, collects, uses, stores and protects your personal data when you use our website at www.qytos.eu and our application at app.mailflair.com (collectively, the "Service").

We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Luxembourg data protection law.

1. Data Controller

The data controller responsible for your personal data is:

Qytos SAS

6 rue de l'École

L-7391 Blaschette, Luxembourg

Email: yves@qytos.eu

Phone: +33 6 70 48 45 84

For any data protection enquiries, you may contact us directly at the address above.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

  • Name and email address (used to create and manage your account)
  • Password (stored as a one-way hash — we never store your password in plain text)
  • Billing information (processed securely by our payment provider — we do not store full card details)
  • Account preferences and settings

2.2 Email Metadata

When you connect your email account to Mailflair, we process the following data from your emails for the purpose of threat analysis:

  • Sender and recipient email addresses
  • Email subject lines
  • Email body text and HTML content
  • Attachment metadata (filename, file type, size)
  • Embedded links and URLs
  • Email headers (including SPF, DKIM and DMARC authentication results)

2.3 Usage Data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Feature usage analytics (which features you use, how often)
  • Device information (operating system, browser version)

2.4 Communications

  • Any emails or messages you send to us for support, sales or other enquiries

3. Purposes and Legal Basis for Processing

We process your personal data only where we have a valid legal basis under Article 6 GDPR:

| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Providing the Mailflair email security service | Art. 6(1)(b) — Performance of a contract |
| Account creation and management | Art. 6(1)(b) — Performance of a contract |
| Processing payments | Art. 6(1)(b) — Performance of a contract |
| Sending service notifications and alerts | Art. 6(1)(b) — Performance of a contract |
| Improving and developing the service | Art. 6(1)(f) — Legitimate interests |
| Security monitoring and fraud prevention | Art. 6(1)(f) — Legitimate interests |
| Sending marketing communications (where consented) | Art. 6(1)(a) — Consent |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |

4. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account data: Retained for the duration of your account, plus 90 days after account deletion to allow for dispute resolution.
  • Email analysis results (risk scores, classifications): Retained for up to 12 months, or until you delete them.
  • Usage logs: Retained for up to 12 months.
  • Billing records: Retained for 7 years to comply with Luxembourg accounting law.

5. Data Storage and Security

All personal data is processed and stored exclusively within the European Union. We use infrastructure located in ISO 27001-certified EU data centres.

We implement the following security measures:

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • Access controls with role-based permissions
  • Regular security audits and penetration testing
  • Multi-factor authentication for all internal systems

Despite these measures, no internet transmission or storage system is 100% secure. If you suspect unauthorised access to your account, please contact us immediately at yves@qytos.eu.

6. Data Sharing

We do not sell, rent or trade your personal data to third parties. We may share data in the following limited circumstances:

6.1 Service Providers (Data Processors)

We use trusted third-party service providers who process data on our behalf, including:

  • Cloud infrastructure providers (EU-based)
  • Payment processors (subject to PCI DSS compliance)
  • Email delivery services (for transactional notifications)
  • Analytics tools (anonymised data only)

All processors are bound by Data Processing Agreements (DPAs) and may only process your data on our documented instructions.

6.2 Legal Requirements

We may disclose your data to law enforcement or regulatory authorities if required by applicable law, a court order, or to protect the rights and safety of our users or the public.

6.3 Business Transfers

In the event of a merger, acquisition or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your data becomes subject to a different privacy policy.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact us at yves@qytos.eu. We will respond within 30 days.

  • Right of access (Art. 15): You have the right to obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data, subject to certain legal exceptions.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on our legitimate interests. You may also unsubscribe from marketing communications at any time.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): Mailflair uses automated processing to classify emails. This classification is informational; final decisions about email safety always remain with you. You can review and override any automated classification in your dashboard.

8. Cookies

Our website uses cookies and similar tracking technologies. We use:

  • Strictly necessary cookies: Required for the website and application to function. These cannot be disabled.
  • Analytical cookies: Used to understand how visitors use our website (anonymised). You may opt out via our cookie banner.
  • Preference cookies: Used to remember your language and display preferences.

You can manage or disable cookies through your browser settings. Note that disabling cookies may affect the functionality of the service.

9. Children's Privacy

The Mailflair service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us at yves@qytos.eu and we will promptly delete it.

10. International Transfers

All personal data is processed and stored within the European Union. We do not transfer personal data to countries outside the EU/EEA. If this changes in the future, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) and will update this policy accordingly.

11. Supervisory Authority

As Qytos SAS is established in Luxembourg, the competent supervisory authority is:

Commission Nationale pour la Protection des Données (CNPD)

15, boulevard du Jazz

L-4370 Belvaux, Luxembourg

Website: cnpd.public.lu

Phone: +352 26 10 60 1

You have the right to lodge a complaint with the CNPD if you believe we have processed your data unlawfully. You may also contact the data protection authority in your own country of residence.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. We will notify you of any significant changes by email and by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact

If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us:

Qytos SAS — Data Protection

Email: yves@qytos.eu

Phone: +33 6 70 48 45 84

Address: 6 rue de l'École, L-7391 Blaschette, Luxembourg