Privacy Policy

Effective date: 26 August 2025

This Privacy Policy explains how Romus ("Romus," "we," "us," or "our") collects, uses, and protects personal information when you use:

  • The Romus Chrome extension (the "Extension")
  • app.romus.ai (the "App"/dashboard)
  • romus.ai (the marketing website)

By using our Services, you agree to the practices described here.


1) Who we are (Controller)

Romus
Trade name: Kenninck Company
KvK: 91005752
Address: Castorstraat 19, Oudorp, Netherlands
Email: midaskenninck@gmail.com

We do not currently appoint a Data Protection Officer.

2) What we do

Romus analyzes your Gmail messages with AI (currently GPT-5-nano and GPT-5-mini, provider: OpenAI) to extract tasks (e.g., deadlines, priorities). The Extension reads email content in your browser and sends it securely to our server-side function for AI processing; we store the AI output (tasks and related metadata) but do not store raw email bodies server-side.

3) What we collect

We aim for data minimization. Depending on how you use Romus, we may process:

Account & identity

  • Email address (from Google OAuth), basic Google profile (name, avatar)
  • Authentication/session tokens (Google OAuth and Supabase)

Email-related

  • Processed in your browser: email content (subject + body) for the sole purpose of analysis
  • Sent to our Edge Function for analysis: email text (transient in transit)
  • Stored server-side: no raw bodies; we store email ID, extracted sender (from AI), timestamp, and the AI output (task objects, categories, confidence, etc.)
  • Not stored: attachments or their contents

Usage & events

  • Which emails were analyzed (IDs), tasks created/edited/completed, feature usage necessary to run the service

Payments (Stripe)

  • Customer ID, email, subscription status/plan, invoices and tax details as required by law (we do not store full card numbers)

Technical

  • IP address and basic device/network metadata as part of standard HTTPS requests and our hosting logs

What we do not collect

  • We do not run ads or trackers across the web
  • We do not store raw email bodies server-side
  • We do not sell personal information

4) How we collect data

  • The Chrome Extension (content scripts + InboxSDK) reads Gmail content locally in your browser.
  • Email text is sent over HTTPS to our Supabase Edge Function for AI analysis and is not stored server-side as raw text.
  • We store the AI output (task data) and limited email metadata (ID, extracted sender, time).
  • The Extension may cache tasks, auth/session state, and preferences in chrome.storage.local (no raw email text cached).
  • Real-time sync uses Supabase Realtime/WebSockets and carries task updates (not raw email text).

5) Why we use your data (Purposes) & legal bases (GDPR/UK GDPR)

Provide and operate the Services (create tasks from emails, display and sync them)

Legal basis: Contract necessity

Authentication, account, and subscription management

Legal basis: Contract necessity

Security, fraud prevention, abuse detection, debugging, and reliability

Legal basis: Legitimate interests

Billing, tax, and compliance

Legal basis: Legal obligation

Optional communications about policy changes or critical service updates

Legal basis: Legitimate interests / Legal obligation (for material changes)

We do not rely on consent for cookies/analytics at this time (we are not running analytics on the marketing site yet).

6) AI processing

  • Models: GPT-5-nano and GPT-5-mini (provider: OpenAI). Models may change; this policy will reflect current providers.
  • Training: We do not permit model providers to use your data for training.
  • Human review: We do not conduct human review of your email content. If you contact support and share examples, we will only view what you provide, with your consent.
  • Automated decisions: AI results are assistive (task extraction). No decisions with legal or similarly significant effects are made.

7) Third-party services (processors/hosts)

We use trusted providers to run Romus:

  • Supabase (database, authentication, Edge Functions, Realtime)
  • OpenAI (AI inference provider)
  • Stripe (payments, subscriptions, invoicing, taxes)
  • Vercel (hosting for the App and Marketing site)

We only share the minimum data necessary with these providers to operate the Services. We do not sell personal data.

8) Chrome extension permissions (MV3)

We request only what's necessary:

Permission | Why we need it | Data involved | Your control
--- | --- | --- | ---
storage | Persist local session state, tasks cache, and user preferences | Auth/session tokens, task data, settings | Clear cache anytime in the Extension; sign out to clear sessions
scripting | Inject the Romus panel and run content scripts in Gmail | Runs in your browser to read email text for analysis | Disable or uninstall the Extension
identity | Google OAuth sign-in | OAuth flow & tokens | Sign out via the App/Extension
Host: https://mail.google.com/* | Access Gmail interface to analyze messages and show UI | Email text read locally for analysis | Disable in Chrome site access or uninstall
Host: https://*.supabase.co/* | Connect securely to backend APIs and realtime | Task data, auth/session | N/A (required for service)

We do not use the Gmail API; we access Gmail content via content scripts and an in-browser SDK.

9) Data retention

  • AI outputs (tasks & related metadata): kept until account deletion. If the account is inactive for 12 months, we email a 30-day notice before deletion.
  • Usage/event logs (no raw email bodies): 90 days.
  • Auth/session tokens: for the life of the session/token TTL.
  • Local extension cache: user-controlled "Clear Cache," plus automatic rotation after 30 days.
  • Billing/Stripe records: retained for 7 years (NL statutory).
  • Raw email bodies: never stored server-side.

We do not maintain separate backups beyond what our infrastructure providers may do for resilience.

10) International data transfers

Our primary data region for Supabase is EU (Central—Frankfurt). Some providers (e.g., AI processing or payments) may process data in other countries (e.g., US/EEA/UK). Where personal data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and implement appropriate safeguards.

11) Your rights (GDPR/UK GDPR)

Subject to law, you can:

  • Access your data
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data (portability)
  • Object to or restrict certain processing

How to exercise:

  • Use in-product controls (export/delete in the App; clear cache in the Extension), and/or
  • Email us at midaskenninck@gmail.com.
    We will respond within 30 days and may verify your identity via your account email.

You also have the right to lodge a complaint with your local supervisory authority.

12) California residents (CCPA/CPRA)

We describe, for the last 12 months:

  • Categories collected: identifiers (email), account data, commercial information (subscription status), internet activity (service usage), and inferences limited to AI task outputs; sensitive contents may be present in emails you choose to analyze but are not stored server-side as raw text.
  • Sources: you (via Google OAuth/Extension), and your Gmail content you choose to analyze.
  • Business purposes: to provide the Services, security, debugging, compliance, payment.
  • Disclosures: to processors (Supabase, OpenAI, Stripe, hosting).
  • Sale/Share: We do not sell or share personal information for cross-context behavioral advertising.
  • Sensitive Personal Information: not used for inferring characteristics beyond providing the core service.

Your rights: know, access, delete, correct, opt-out of sale/share (not applicable), limit use of sensitive PI (we limit by design). You may use an authorized agent. Contact: midaskenninck@gmail.com.

13) Security

We use administrative, technical, and organizational measures including:

  • TLS/HTTPS in transit
  • Encryption at rest provided by our database/hosting providers
  • OAuth 2.0 authentication
  • Token-based access control and least-privilege principles
  • Environment-based secret management for server functions

No system is perfectly secure. If we become aware of a data incident affecting your personal data, we will notify you and relevant authorities as required, typically within 72 hours for GDPR-qualifying incidents.

14) Children

Romus is not intended for individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided data, contact us to delete it.

15) Your controls

In the App (app.romus.ai), you can:

  • Access/export your task data (CSV/JSON where available)
  • Delete your account and associated data
  • Manage subscription and billing

In the Extension, you can:

  • Clear local cache
  • Disable automatic analysis by uninstalling/disabling the Extension

You can also email midaskenninck@gmail.com for Data Subject Requests.

16) Taxes & VAT

We are VAT-registered in the Netherlands. Stripe processes payments and invoices; we retain invoicing/tax data as required by law.

17) What we explicitly do not do

  • No sale of personal data
  • No ads / no cross-site tracking
  • No human review of your email content (except if you voluntarily share it with support)
  • No use of your data to train third-party models
  • No reading of non-Gmail pages
  • No scraping of contacts for outreach

18) Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email and/or in-product notice. Continued use after the effective date means you accept the updated Policy. We keep version history.

19) Contact

Questions or requests about privacy?

Romus
midaskenninck@gmail.com
Castorstraat 19, Oudorp, Netherlands


Short Chrome Web Store disclosure (summary)

Romus reads your Gmail in your browser to extract tasks using AI. We do not store raw email bodies server-side. We store AI-generated task data and limited metadata to provide the service. We do not sell data or use it for ads. Permissions are limited to storage, scripting, identity, and host access for Gmail and our backend.