Compliance & Privacy

Privacy Policy

Last updated 2026-05-30

We respect your privacy. This policy describes how we handle data in Corporate Mail Ops.

Data we collect

We collect only what is necessary to run the service: account data, login sessions, and email-related data for Gmail accounts when connected via OAuth (within the consented scopes only).

Use and retention

Data is used for account, email, and ticket management within the organization only. We do not sell your data nor share it with third parties for marketing.

Data Protection & Security

Security procedures are in place to protect the confidentiality of your data and any Google user data the application accesses. Specifically, we implement the following controls:

  • Encryption in transit: All communication between your browser and our servers, and between our servers and Google's APIs, is secured using HTTPS / TLS 1.2+ to prevent eavesdropping and tampering.
  • Encryption at rest: OAuth tokens (Access & Refresh), SMTP credentials, and two-factor secrets are stored encrypted using AES-256-CBC via Laravel's Encrypter, with the APP_KEY held outside the database. User passwords are hashed with bcrypt.
  • Access controls: Access to sensitive data is restricted by Role-Based Access Control (RBAC). Every sensitive operation is recorded in an Audit Log for accountability.
  • Multi-Factor Authentication: The system supports Email-OTP two-factor authentication for administrative accounts as an additional layer of protection.
  • Data minimization: We request only the minimum required Google API scopes and do not store message content beyond operational use. OAuth data is deleted as soon as the user disconnects their account.
  • Infrastructure: Servers are protected by firewalls, encrypted backups are taken regularly, and security patches are applied promptly.
  • Limited employee access: Google user data is accessed only by authorized personnel who need it to perform their duties, and only within the scope of operational tasks.

Google OAuth & Limited Use

When connecting Gmail we use Google OAuth. We request only the disclosed permissions (read and send email). Our use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements:

  • Google user data is never used for advertising or marketing.
  • Google user data is never sold to any third party.
  • No human reads the data unless we have your explicit consent, for security and legal compliance, or to develop the core feature.
  • Google user data is not transferred to any third party except as necessary to provide or improve the service (e.g., cloud hosting) or for legal reasons.

Your rights

You may at any time request to view, correct, or delete your data, or to disconnect your Google account. To exercise these rights, contact your system administrator.

Contact

For privacy inquiries or access/deletion requests, contact us at: info@al-zajel.com

Back to home