Privacy Policy
Effective date: June 23, 2026 · Last updated: June 23, 2026
1. Data Controller
The data controller responsible for your personal data is:
Farluner Apps
ul. Dominikańska 21B
02-738 Warsaw, Poland
Privacy contact: farluner.privacy@gmail.com
This Privacy Policy applies to GmailHamster.com — a web application that compresses Gmail attachments to help users reclaim Google storage space.
2. Data We Collect
We collect the minimum data necessary to operate the service. We access your Gmail account only through Google's official OAuth 2.0 API.
2.1 Account Data
| Data | Source | Purpose |
|---|---|---|
| Gmail email address | Google OAuth | Account identification, subscription management |
| OAuth access token | Google OAuth | Authorising Gmail API calls during your session |
| OAuth refresh token | Google OAuth | Maintaining your login session between visits |
2.2 Gmail Data (processed temporarily)
| Data | Why we access it | Do we store it? |
|---|---|---|
| Email attachment files (images, videos, PDFs) | Downloaded to our servers for compression, then uploaded back to Gmail | Temporarily — deleted immediately after processing (max 24 h) |
| Email metadata (message ID, thread ID, labels, headers) | Required to recreate the email in-place with the compressed attachment | No — used in memory during the operation only |
| List of emails with attachments | Displayed to you so you can select which emails to process | No — fetched on demand, never persisted |
3. How We Use Your Data
- Compression service — downloading your selected attachments, compressing them using our own APIs, and replacing the original attachment in Gmail.
- Account management — associating your email address with your subscription plan and usage quota.
- Authentication — storing your OAuth tokens to keep you logged in and to authorise Gmail API calls on your behalf.
- Service communications — responding to support requests you initiate.
We do not use your data for advertising, profiling, or any purpose beyond operating the service described above.
4. Data Retention
| Data type | Retention period |
|---|---|
| Attachment files (images, videos, PDFs) | Deleted immediately after processing completes — maximum 24 hours for automated cleanup; typically under 5 minutes |
| Email metadata used during processing | Held in memory only; never written to disk or database |
| Gmail email address | Retained while your account is active; deleted within 30 days of account deletion |
| OAuth refresh token | Retained until you revoke access or delete your account; encrypted at rest |
| Compression history (file size, date, savings) | Retained while your account is active; deleted on account deletion request |
5. Third-Party Processors & International Data Transfers
We share your data only with the processors listed below, strictly to operate the service. All processors are bound by data processing agreements.
Location: United States (transfer outside EU/EEA)
Data shared: OAuth tokens, Gmail API calls
Transfer basis: Standard Contractual Clauses (SCCs) adopted by the European Commission; Google also participates in the EU-U.S. Data Privacy Framework.
Privacy policy: policies.google.com/privacy
Operator: Farluner Apps (our own service)
Location: United States — DigitalOcean Spaces, NYC3 datacenter (New York, USA). Video attachment files are temporarily uploaded here for compression.
Transfer basis: Your explicit consent given when you authorise the application and initiate a compression job. DigitalOcean LLC also operates under Standard Contractual Clauses with EU customers.
Retention: Files deleted immediately after compression result is returned — maximum 24 hours.
Operator: Farluner Apps (our own service)
Location: European Union
Data shared: Image and PDF attachment files — temporarily, for compression only
Retention: Files deleted immediately after compression — maximum 24 hours.
6. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)) — When you authorise GmailHamster.com via Google OAuth, you explicitly grant us permission to access and process your Gmail attachments. You may withdraw this consent at any time by revoking access (see Trust & Safety page).
- Contract performance (Art. 6(1)(b)) — Processing your email address and managing your account is necessary to provide the paid service you subscribed to.
- Legitimate interests (Art. 6(1)(f)) — Maintaining application security logs (without Gmail content) to detect abuse and protect users.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate data |
| Erasure (Art. 17) | Request deletion of your account and all associated data ("right to be forgotten") |
| Restriction (Art. 18) | Request that we limit how we process your data |
| Portability (Art. 20) | Request your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7(3)) | Revoke your OAuth authorisation at any time without affecting prior processing |
To exercise any of these rights, email us at farluner.privacy@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl.
8. Cookies & Session Data
GmailHamster.com uses a single server-side session cookie to keep you logged in. We do not use advertising, analytics, or tracking cookies.
| Cookie / Storage | Purpose | Duration |
|---|---|---|
session (HttpOnly, Secure, SameSite=Lax) |
Maintains your authenticated session after Google OAuth login | Until logout or browser close |
| Firebase Authentication token | Stored server-side (Firebase Firestore) — your OAuth refresh token, encrypted | Until you revoke access or delete your account |
9. Data Security
- All data transmission is encrypted using HTTPS/TLS.
- OAuth refresh tokens are stored encrypted at rest in Firebase Firestore.
- Attachment files are processed in isolated environments and never shared between users.
- No Farluner employee can view your email attachments — processing is fully automated.
- In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
For a detailed explanation of our security practices, see our Trust & Safety page.
10. Changes to This Policy
We may update this Privacy Policy when our practices change or when required by law. If we make material changes, we will notify you by email (to the address associated with your account) at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
For any privacy-related questions or to exercise your GDPR rights:
Farluner Apps
ul. Dominikańska 21B, 02-738 Warsaw, Poland
Email: farluner.privacy@gmail.com
We aim to respond to all privacy requests within 30 days.