Legal information
Flexmail – Generative AI Policy
AI features in the Flexmail application — Policy & Legal framework
This document describes Flexmail's policy for the use of generative AI features and the AI Assistant in the Flexmail application and website. The policy has been drawn up in accordance with the GDPR and the EU AI Act (Regulation (EU) 2024/1689).
AI-generated output may only be used for its intended purpose, namely to compose content for your email campaigns or to request support information. Any other use is contrary to these guidelines and may result in termination of access.
For any use that violates applicable law or the intellectual property rights of third parties, you as a user or company remain fully responsible and liable for any loss suffered by Flexmail as a result.
You are responsible for ensuring that all content you enter into the AI features — including texts, instructions, and summaries — is appropriate and complies with these terms and conditions.
AI-generated output may contain inaccuracies or other unsuitable elements. Flexmail does not guarantee that the AI models or their output are free from errors or distortions. Always check the generated output carefully before adding it to a campaign or using it as a basis for decisions.
Additional AI features may be added in the future.
Anthropic does not process this customer content for the purpose of training AI models. This is contractually stipulated in Anthropic's commercial terms and conditions: processing is strictly limited to the execution of the API request.
Please note: Avoid including special categories of personal data or other sensitive personal information in the AI interface. Content entered will be shared with Anthropic for the purpose of providing the service. Anthropic's privacy policy applies: https://www.anthropic.com/legal/privacy
The AI Assistant is only available after authentication. Access is restricted to logged-in Flexmail users. In addition, this policy is explicitly presented and actively approved before the first AI interaction (see section 9). The information obligation (Art. 13 GDPR) is thereby covered on two levels: through the existing contractual relationship and through the documented, explicit approval.
For complex or sensitive questions, the conversation can be forwarded to a human employee via an automated integration with HelpScout (human handoff).
The legal bases for processing by the AI Assistant are:
Compliance with retention periods is guaranteed via automated processes that require no manual intervention.
Flexmail reserves the right to change, suspend, discontinue, or further restrict the AI features and the AI Assistant at any time. The availability of certain features may vary depending on the subscription.
The AI Assistant does not use Anthropic services. The applicable terms and conditions for the AI Assistant are exclusively those of Flexmail.
Flexmail records each approval as follows, in accordance with the accountability obligation of Art. 5(2) GDPR:
In the event of a material change to this policy — meaning changes that affect the nature of the processing, the legal basis, or the rights of the user — the user will be actively notified and a new explicit approval will be requested before further use of the AI features. Editorial or clarifying changes without impact on the processing do not require new approval, but will be communicated via the version history at the bottom of this document.
Once accepted, the applicable terms and conditions can always be found under the legal documents in the Flexmail application. Disputes will be settled in accordance with the general terms and conditions applicable to our services.
For the AI Assistant, data is processed exclusively within the internal infrastructure. No data is shared with external AI providers.
When using AI-generated text, Anthropic's privacy policy applies to the data you or your company enter into the editor features, as it is transferred directly to the Anthropic platform.
This document describes Flexmail's policy for the use of generative AI features and the AI Assistant in the Flexmail application and website. The policy has been drawn up in accordance with the GDPR and the EU AI Act (Regulation (EU) 2024/1689).
1. Use and application of AI features
Flexmail offers a number of features that use generative AI: AI translation, AI text enhancement, AI spell check, AI subject line & preheader generator, and the AI Assistant. These features help you draft, refine, and translate email campaigns, and provide automated support via the website.AI-generated output may only be used for its intended purpose, namely to compose content for your email campaigns or to request support information. Any other use is contrary to these guidelines and may result in termination of access.
For any use that violates applicable law or the intellectual property rights of third parties, you as a user or company remain fully responsible and liable for any loss suffered by Flexmail as a result.
You are responsible for ensuring that all content you enter into the AI features — including texts, instructions, and summaries — is appropriate and complies with these terms and conditions.
AI-generated output may contain inaccuracies or other unsuitable elements. Flexmail does not guarantee that the AI models or their output are free from errors or distortions. Always check the generated output carefully before adding it to a campaign or using it as a basis for decisions.
Additional AI features may be added in the future.
2. Transparency about AI use
In accordance with Regulation (EU) 2024/1689 (the AI Act), Flexmail hereby informs you as follows:| Aspect | Explanation |
|---|---|
| AI provider | Anthropic, PBC — model: Claude. Flexmail acts as deployer within the meaning of the AI Act. |
| AI Assistant | Internal AI model on internal infrastructure. |
| Risk category | Not a high-risk application (Annex III AI Act). No automated decision-making with legal consequences for third parties. |
| Spell check | Operates on the basis of local infrastructure. No data is sent to Anthropic. |
| Human oversight (Art. 14) | As a user, you remain in control at all times. Suggestions can be accepted, modified, or rejected. Human oversight is an essential part of the intended workflow. Flexmail applies this principle as best practice; Art. 14 applies strictly to high-risk systems only. |
| Transparency Assistant (Art. 50) | Users are informed that they are communicating with an automated system. The AI Assistant never presents itself as a human employee. |
3. Data processing, division of roles, and purpose limitation
The processing of data in the context of the AI features takes place at distinct levels, each with its own legal basis and purpose limitation.3.1 Level 1 — Processing via Anthropic (AI features in the editor)
When using AI translation, AI text enhancement, and the generation of subject line and preheader suggestions, the texts you enter (email content) are transferred to the Anthropic platform solely for the purpose of generating the requested AI output. In this context, Flexmail acts as the processor within the meaning of the GDPR, on your behalf as the controller.Anthropic does not process this customer content for the purpose of training AI models. This is contractually stipulated in Anthropic's commercial terms and conditions: processing is strictly limited to the execution of the API request.
Please note: Avoid including special categories of personal data or other sensitive personal information in the AI interface. Content entered will be shared with Anthropic for the purpose of providing the service. Anthropic's privacy policy applies: https://www.anthropic.com/legal/privacy
3.2 Level 2 — AI Assistant (processing within Flexmail)
The AI Assistant processes data exclusively within the Flexmail infrastructure. No data is transferred to external AI providers. Flexmail acts as the controller within the meaning of Art. 4(7) GDPR for all processing in the context of the AI Assistant.The AI Assistant is only available after authentication. Access is restricted to logged-in Flexmail users. In addition, this policy is explicitly presented and actively approved before the first AI interaction (see section 9). The information obligation (Art. 13 GDPR) is thereby covered on two levels: through the existing contractual relationship and through the documented, explicit approval.
For complex or sensitive questions, the conversation can be forwarded to a human employee via an automated integration with HelpScout (human handoff).
The legal bases for processing by the AI Assistant are:
- Performance of a contract (Art. 6(1)(b) GDPR): for the processing necessary to provide the service to registered Flexmail users.
- Legitimate interest (Art. 6(1)(f) GDPR): for providing automated customer support and improving the knowledge base on the basis of anonymised metric data.
3.3 Level 3 — Flexmail as controller (analytical purposes)
Separate from the processing by Anthropic and the AI Assistant, Flexmail, as an independent controller, may collect and process usage data and derived data for the following purposes (collectively, the "Analytical Purposes"):- (a) Security of the service and prevention of abuse;
- (b) Management of reliability, capacity, and performance;
- (c) Product analysis and feature development;
- (d) Research and development, including machine learning on anonymised or derived datasets;
- (e) Aggregated benchmarking and reporting.
4. Technical architecture and data flow of the AI Assistant
The table below describes the complete technical data flow of the AI Assistant, from opening the widget to the automatic data clean-up.| Step | Description | Infrastructure | Data processing |
|---|---|---|---|
| 1. Load widget | The AI Assistant is loaded on the Flexmail site. In the event of technical failure, the system automatically switches to HelpScout (see below). | Flexmail | No personal data processed. |
| 2. Send message | Session IDs are pseudonymised via an irreversible algorithm. The raw ID never leaves the user's device and cannot be traced back to an individual person. | Flexmail | Pseudonymised session ID. Raw ID never stored. |
| 3. AI response | The message is processed on internal infrastructure via the internal AI model. No data leaves the internal environment. | Flexmail | Fully within Flexmail. No external processing. |
| 4. Human handoff | When forwarded to an employee, a ticket is created in the ticketing system. Identifying data is immediately pseudonymised. | Flexmail / HelpScout | Identifying data immediately pseudonymised. |
| 5. Metrics logging | Conversation metadata (ratings, topics, knowledge gaps) is recorded for quality monitoring via automated workflows. | Flexmail | Aggregated metadata, no conversation content. |
| 6. Dashboard | Aggregated metric data is accessible via a secure dashboard, exclusively for authorised Flexmail employees. | Flexmail | Authorised Flexmail employees only. |
| 7. Automatic clean-up | Identifying data is redacted after 30 days. Full conversations are automatically deleted after 60 days. Knowledge gap queries are deleted after 60 days. | Flexmail | Privacy by design: automated data deletion. |
4.1 Pseudonymisation and hashing of the session ID
Session IDs are pseudonymised via an irreversible algorithm before being stored. The raw ID never leaves the user's device. This ensures that:- the original session ID is never retained in any system;
- the pseudonymised ID cannot be traced back to an individual user;
- the system complies with the principle of privacy by design (Art. 25 GDPR).
4.2 Retention periods and automatic data deletion
The AI Assistant implements automatic data deletion in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):| Data category | Treatment | Retention period |
|---|---|---|
| Identifying data | Immediately pseudonymised upon human handoff. Permanently deleted after 30 days via an automated process. | 30 days |
| Full conversations | Automatically deleted after the retention period via an automated process that requires no manual intervention. | 60 days |
| Knowledge gap queries | Automatically deleted after the retention period. | 60 days |
| Pseudonymised session ID | Not traceable to a natural person; deleted together with conversation data. | 60 days |
| Metric data (ratings, topics) | Aggregated, without conversation content. | N/A |
Compliance with retention periods is guaranteed via automated processes that require no manual intervention.
4.3 Access security
All data access within the AI Assistant infrastructure is secured via authentication and authorisation mechanisms in accordance with Art. 32 GDPR. The analytics dashboard is only accessible to authorised Flexmail employees via a secure login procedure with automatically expiring sessions.5. Liability and responsibility
Flexmail and all Flexmail-affiliated companies are not liable for any direct or indirect loss, incidental or consequential damage resulting from the use of the AI features or the AI Assistant.Flexmail reserves the right to change, suspend, discontinue, or further restrict the AI features and the AI Assistant at any time. The availability of certain features may vary depending on the subscription.
6. Security and incident management
6.1 Technical security measures
The following technical measures have been implemented in accordance with Art. 32 GDPR:- Pseudonymisation of session IDs via an irreversible algorithm; the raw ID never leaves the user's device;
- Secure authentication and authorisation for all access to data and the analytics dashboard;
- Automatic fallback to the ticketing system in the event of technical failure of the AI Assistant;
- Immediate pseudonymisation of identifying data upon human handoff;
- Automated data deletion after the applicable retention periods, without manual intervention;
- All processing by the AI Assistant within the Flexmail infrastructure, without transfer to external parties.
6.2 Data breach procedure
In the event of a suspected data breach involving data processed by the AI features or the AI Assistant, Flexmail follows the standard incident procedure in accordance with Art. 33–34 GDPR:- Notification to the Data Protection Authority (DPA) within 72 hours if the breach poses a risk to data subjects;
- Notification to affected users if the breach poses a high risk to their rights and freedoms;
- Documentation of the incident in the Flexmail incident register.
7. Rights of data subjects
Users of the AI features and the AI Assistant may exercise the following rights in accordance with the GDPR:- Right of access (Art. 15 GDPR): insight into which data are being processed.
- Right to erasure (Art. 17 GDPR): request for deletion of conversation data, to the extent that it has not already been automatically deleted.
- Right to restriction of processing (Art. 18 GDPR).
- Right to object (Art. 21 GDPR): objection to processing on the basis of legitimate interest.
8. AI clause (Anthropic)
When using AI translation and AI text enhancement, you accept Anthropic's commercial terms and conditions in addition to these terms and conditions: https://www.anthropic.com/legal/commercial-termsThe AI Assistant does not use Anthropic services. The applicable terms and conditions for the AI Assistant are exclusively those of Flexmail.
9. Acceptance
Before the first AI interaction — both with the AI features in the editor and with the AI Assistant — this policy is explicitly presented to the user. Access to the AI features is only possible after an active confirmation (opt-in) by the user. Passive acknowledgement or implicit acceptance through use is not sufficient.Flexmail records each approval as follows, in accordance with the accountability obligation of Art. 5(2) GDPR:
- Timestamp of approval (date and time);
- Version number of the approved policy;
- Identity of the user (linked to the Flexmail account).
In the event of a material change to this policy — meaning changes that affect the nature of the processing, the legal basis, or the rights of the user — the user will be actively notified and a new explicit approval will be requested before further use of the AI features. Editorial or clarifying changes without impact on the processing do not require new approval, but will be communicated via the version history at the bottom of this document.
Once accepted, the applicable terms and conditions can always be found under the legal documents in the Flexmail application. Disputes will be settled in accordance with the general terms and conditions applicable to our services.
10. Privacy and cookies
You must refrain from including private or personal information in the AI interface of the editor features. All information you enter will be shared with Anthropic via the AI model.For the AI Assistant, data is processed exclusively within the internal infrastructure. No data is shared with external AI providers.
When using AI-generated text, Anthropic's privacy policy applies to the data you or your company enter into the editor features, as it is transferred directly to the Anthropic platform.