RAVN MAIL

Privacy Policy

Last updated: December 2025

1. Introduction

Coder's Cantina e.U., a limited liability company registered in Vienna, Austria (hereafter "Company", "we", "us", or "our"), operates RAVN Mail, a desktop email client application with integrated AI-assisted features.

This Privacy Policy explains how we collect, use, process, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, and all other applicable data protection legislation.

Please read this policy carefully. By using RAVN Mail, you agree to the data handling practices described herein.

2. Data Controller and Contact Information

Data Controller: Coder's Cantina e.U.
Address: Wehlistraße 291/1/47, Vienna, Austria
Email: hello@ravnmail.com
Support: support@ravnmail.com
Data Protection Officer / Privacy Inquiries: DI Michael Wallner

3. Types of Personal Data We Process

3.1 Data You Provide

License and Subscription Data:

  • Email address associated with your LemonSqueezy account
  • Payment information (processed and stored by LemonSqueezy, not by us)
  • License key and subscription status
  • Subscription tier and billing period

Support and Communication:

  • Any personal information you provide when contacting our support team
  • Support tickets, emails, and communication logs
  • Feedback and suggestions you submit

3.2 Data Automatically Collected

License Validation:

  • License key validation events (timestamps, validation success/failure)
  • IP address (during license validation requests to AWS)
  • Device identifier or machine characteristics (for duplicate license detection)
  • Subscription status and expiration date

Email Content (Local Processing Only):

  • Your emails, attachments, and related metadata from configured accounts
  • This data is stored locally on your device in RAVN Mail's local database
  • This data is not transmitted to our servers except as described in Section 4

AI Feature Usage (When You Initiate AI Features):

  • Timestamps of AI feature requests
  • Type of AI feature used (gist generation, quick reply, writing assistant, etc.)
  • Token consumption estimates for your monthly credit tracking
  • Metadata about the request (message length, character count, feature type)
  • Partial or full email content as necessary to fulfill your AI feature request (transmitted to OpenRouter)

Application Telemetry (Optional):

  • We may collect anonymous usage statistics (feature usage frequency, error logs) to improve service reliability
  • Such data is anonymized and cannot be traced back to you
  • You can opt out of telemetry collection through application settings

4. Data Processing for AI-Assisted Features

4.1 How AI Features Work

When you initiate any AI-assisted feature (email gist generation, quick reply, writing assistant, subject generation, conversation summary, or natural language search), the following occurs:

  1. Local Processing: The application prepares relevant email content on your device
  2. Transmission to OpenRouter: The prepared content is transmitted to OpenRouter's infrastructure
  3. Third-Party Processing: OpenRouter routes your request to appropriate language model providers
  4. Response Generation: AI-generated content is returned to your application
  5. Local Storage: The AI response is stored locally on your device (not on our servers)

4.2 What Data is Shared with OpenRouter

When you use AI features, we transmit the following to OpenRouter:

  • Email subject lines
  • Email body text
  • Relevant message context (conversation history if applicable)
  • Your request type (e.g., "generate summary" or "suggest reply")
  • Any text you provide for AI features (e.g., partial drafts for the writing assistant)

4.3 OpenRouter's Data Handling

  • OpenRouter may process, log, or store your data according to its own privacy policy and terms of service
  • OpenRouter may use your data to train or improve language models (subject to your consent provided in OpenRouter's terms)
  • The Company is not responsible for OpenRouter's data handling practices
  • You are responsible for reviewing OpenRouter's privacy policy before using AI features

4.4 Your Control Over AI Data Transmission

  • You control when AI features are used; data is only transmitted when you explicitly request an AI feature
  • You may disable AI features in application settings, preventing any data transmission to OpenRouter
  • You may opt not to use AI features and use RAVN Mail as a standard email client
  • Deleting an email from your local database does not affect data already processed by OpenRouter

5. Legal Basis for Data Processing (GDPR)

We process your personal data based on the following legal bases:

5.1 Contract Performance

  • Processing of subscription and license data is necessary to perform the services you have contracted for
  • License validation against LemonSqueezy's records

5.2 Legitimate Interests

  • Fraud detection and prevention (duplicate license detection)
  • Service improvement and reliability analysis
  • Security threat detection
  • Understanding how our service is used

5.3 Compliance with Legal Obligations

  • Maintaining records for tax and accounting purposes
  • Responding to legal requests from Austrian or EU authorities

5.4 Your Explicit Consent

  • Processing data for AI-assisted features (implied consent through feature initiation)
  • Sending marketing communications (only with your prior opt-in consent)

6. Data Retention

6.1 Subscription and License Data

  • During Active Subscription: Retained for the duration of your subscription
  • After Cancellation: Retained for 7 years as required by Austrian tax and accounting law
  • Support Records: Retained for 3 years or as required by applicable law

6.2 License Validation Logs

  • Retained for 90 days for security and debugging purposes
  • Older logs are automatically deleted unless legally required to be retained

6.3 Email Data (Local Database)

  • Stored on your device until you delete it
  • The Company does not store or retain copies of your email data
  • Email data is not backed up by the Company

6.4 AI Feature Usage Records

  • Request metadata and token consumption records retained for 12 months for billing and analytics
  • After 12 months, data is aggregated and anonymized or deleted
  • Actual email content transmitted to OpenRouter is not retained by the Company (retained by OpenRouter per their policy)

6.5 Support Communications

  • Retained for 3 years for legal, contractual, and dispute resolution purposes

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

7.1 Right of Access

You may request a copy of the personal data we hold about you. Submit requests to hello@ravnmail.com.

7.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data. We will update records within 30 days where practical.

7.3 Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal data, subject to legal retention obligations. We will delete data within 30 days except where required to retain it.

7.4 Right to Restrict Processing

You may request that we limit how we process your data pending resolution of a dispute or verification of accuracy.

7.5 Right to Data Portability

You may request your personal data in a machine-readable format (e.g., CSV) for transfer to another service provider.

7.6 Right to Object

You may object to processing of your personal data for legitimate interests, including for marketing purposes.

7.7 Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde) if you believe your rights have been violated.

Austrian Data Protection Authority:

7.8 Exercising Your Rights

To exercise any of these rights, contact us at:

We will respond to requests within 30 days (or as required by law). You may be required to verify your identity for security purposes.

8. Data Sharing and Transfers

8.1 Third-Party Service Providers

We share personal data with the following third parties:

LemonSqueezy (Payment Processing)

  • Shared Data: Email address, subscription tier, billing information
  • Purpose: Subscription management and payment processing
  • Data Protection: LemonSqueezy maintains GDPR-compliant privacy practices
  • Privacy Policy: https://www.lemonsqueezy.com/privacy

Amazon Web Services (AWS) (License Validation Infrastructure)

  • Shared Data: License keys, IP addresses, validation timestamps
  • Purpose: License validation backend infrastructure (redundantly hosted)
  • Data Protection: AWS maintains GDPR-compliant data processing agreements
  • Data Processing: AWS processes data in AWS regions in Europe (data residency in EU)

OpenRouter (AI Feature Processing)

  • Shared Data: Email content when you explicitly initiate AI features
  • Purpose: AI-assisted feature generation
  • Data Protection: Subject to OpenRouter's privacy policy
  • Privacy Policy: https://openrouter.ai/privacy
  • Important: OpenRouter may retain or use your data for model training unless you opt out in their settings

Email Service Providers (Gmail, Office365, Outlook, IMAP hosts)

  • Shared Data: Credentials to access your email accounts (stored locally on your device)
  • Purpose: Email synchronization (data flows directly from your email provider to your local database)
  • Data Protection: Email providers' security and privacy practices govern email data

8.2 Data Transfers Outside the EU

All of our primary infrastructure (licensing backend) is hosted within the European Union (AWS EU regions) and complies with GDPR.

Exception: When you use AI features, your email content is transmitted to OpenRouter, which may process data using infrastructure outside the EU. OpenRouter is responsible for ensuring adequate safeguards (Standard Contractual Clauses or other GDPR-compliant mechanisms). By using AI features, you consent to such international data transfers.

8.3 Legal Requests and Authorities

We may disclose your personal data if required by Austrian or EU law, including:

  • Requests from law enforcement agencies
  • Court orders or legal proceedings
  • Protection of public safety or national security
  • Prevention or detection of criminal activity

We will notify you of such requests unless legally prohibited from doing so.

9. Security Measures

9.1 Technical and Organizational Safeguards

We implement industry-standard security measures to protect your personal data:

  • Encryption in Transit: License validation requests use HTTPS/TLS encryption
  • Encryption at Rest: Sensitive subscription data stored on AWS is encrypted
  • Access Controls: Only authorized personnel can access personal data
  • Regular Security Audits: We conduct periodic security reviews
  • Data Minimization: We collect only the data necessary to provide services

9.2 Email Data Security

Your email data stored locally on your device is protected by:

  • Your operating system's file permissions
  • Encryption of the local database where applicable (depending on your device configuration)
  • Note: The security of your local email database depends on your device's security, including password protection and physical security

9.3 Limitations

No data transmission over the internet is 100% secure. While we implement strong security measures, we cannot guarantee absolute security. You acknowledge that:

  • Data transmitted to OpenRouter for AI features may be intercepted or compromised despite our efforts
  • Your device's local database may be accessed if your device is compromised
  • Email credentials stored locally are subject to device-level security

9.4 Breach Notification

In the event of a confirmed data breach affecting your personal data, we will:

  • Notify affected individuals within 72 hours (as required by GDPR)
  • Provide information about the nature of the breach
  • Describe measures taken to mitigate harm
  • Notify the Austrian Data Protection Authority where required

10. Children and Minors

RAVN Mail is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will:

  • Immediately delete such data
  • Not retain any information about the child

Parents or guardians who believe a child has provided personal data should contact us immediately at hello@ravnmail.com.

11. Cookies and Tracking Technologies

RAVN Mail is a desktop application, not a web service, and does not use cookies or web-based tracking technologies. However:

  • Website (if applicable): If you visit our website (https://www.ravnmail.com), we may use cookies for essential functionality (e.g., session management). See our website's cookie policy for details.
  • License Validation: License validation does not use cookies; it uses secure API requests with authentication tokens

12. Third-Party Links and Services

RAVN Mail may contain links to third-party websites or services, including:

We are not responsible for the privacy practices of third-party websites or services. We recommend reviewing their privacy policies before providing personal data.

13. Data Retention Summary

  • Subscription/License Data: 7 years (Tax/accounting compliance)
  • License Validation Logs: 90 days (Security & debugging)
  • AI Feature Usage Records: 12 months (Billing & analytics)
  • Support Communications: 3 years (Legal/dispute resolution)
  • Email Data (Local): Until deletion by user (Application functionality)
  • Telemetry (Anonymized): 12 months (Service improvement)

14. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be:

  • Posted on our website
  • Updated in the application (where practical)
  • Notified via email for material changes (where feasible)
  • Effective immediately upon posting

Continued use of RAVN Mail following changes constitutes acceptance of the updated policy. If you do not accept changes, please cease using the service.

15. Data Protection Impact Assessment (DPIA)

For processing involving AI features and international data transfers, we have conducted a Data Protection Impact Assessment (DPIA). The DPIA identified:

  • Risk: Transmission of email content to third-party AI providers (OpenRouter) and potential model training use
  • Mitigation: Clear disclosure to users, explicit user consent through feature initiation, user control over feature usage
  • Risk: Data transfers outside EU
  • Mitigation: Reliance on OpenRouter's GDPR-compliant data processing agreements (Standard Contractual Clauses)

Upon request, we can provide a summary of our DPIA to data subjects.

16. Data Processing Agreement (DPA)

If you are an organization using RAVN Mail (rather than an individual), we can enter into a Data Processing Agreement (DPA) as required by GDPR Article 28. Please contact us at hello@ravnmail.com to discuss DPA terms.

17. International Privacy Considerations

17.1 EU/EEA Users

This policy complies fully with GDPR and Austrian data protection law.

17.2 Non-EU Users

If you are outside the EU/EEA, you acknowledge that:

  • Your data may be processed and stored in the EU by our servers
  • Your data may be transmitted to OpenRouter, which may process data outside the EU
  • You consent to such international transfers by using RAVN Mail

18. Frequently Asked Questions

Q: Does the Company store my emails?
A: No. Your emails are stored only in your local device database and in your email service provider's servers. The Company does not maintain copies of your email data.

Q: Is my email data sent to your servers?
A: No, except for the portions you explicitly choose to send to OpenRouter when using AI features. Email synchronization flows directly between your email provider and your local database.

Q: Can the Company access my emails?
A: No. We have no access to your local email database or your email provider accounts. We only have access to license validation data.

Q: What happens to my data after I cancel my subscription?
A: Your email data remains on your device. Subscription data is retained for 7 years as required by law. You can request deletion of non-legally-required data at any time.

Q: Can I request my data?
A: Yes. You have a GDPR right of access. Contact hello@ravnmail.com to request a copy of all personal data we hold about you.

Q: How do I delete my data?
A: Submit a deletion request to hello@ravnmail.com. We will delete non-legally-required data within 30 days. Legal retention obligations may limit what can be deleted.

19. Contact and Complaints

19.1 Questions About This Privacy Policy

Contact us at:

19.2 Data Protection Complaints

If you believe your rights have been violated, you can lodge a complaint with:

Austrian Data Protection Authority:

You have the right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy.

19.3 Dispute Resolution

We will respond to all privacy inquiries and complaints within 30 days. If you are not satisfied with our response, you may escalate to the Austrian Data Protection Authority.

20. Effective Date and Version

Effective Date: December 2025
Last Updated: December 2025
Version: 1.0

This Privacy Policy is effective immediately upon your use of RAVN Mail. Earlier versions are available upon request.

By using RAVN Mail, you acknowledge that you have read this Privacy Policy, understand it, and agree to its terms.