
Privacy Policy

Effective date: 2026-04-23
Last updated: 2026-04-23

Languages. This document is published in English and Spanish; both versions are equally authoritative. Translations into other languages are provided for convenience and do not modify your legal rights or obligations. Mandatory consumer-protection law of your country of residence applies regardless of the language version.

This Privacy Policy explains how Overspiral S.L. ("Overspiral", "we", "us") processes personal data in connection with the Overfolder service (https://www.overfolder.com, https://cloud.overfolder.com, and the @OverfolderBot Telegram bot — the "Service").

1. Data controller

For account, billing, workspace, and Service telemetry data described below, Overspiral is the controller. When Overfolder connects on your behalf to third-party services (Google Workspace, Gmail, etc.), Overspiral acts as a data processor for the personal data contained in those third-party sources, and you remain the controller over that data.

2. Data we collect

Account data

Email, display name, Telegram user ID (and handle, if available), and authentication identifiers from any OAuth provider you sign in with (Google, GitHub, etc.).

Conversation and workspace data

The messages you send to the Overfolder bot (text, voice notes, images), the replies we generate, the files your AI creates, and any scripts or notes stored in your persistent workspace. This content lives inside your per-user Firecracker microVM.

Billing data

For paid plans: company name, billing address, VAT ID, and payment metadata. Card data is handled directly by our payment processor (Stripe) and never touches our servers.

Service telemetry

Logs of Service operation: timestamps, IP addresses, user-agent strings, request paths, error traces, and aggregated usage counters. Used to operate, secure, and debug the Service.

Connected-service data (when you connect Google Workspace, etc.)

When you authorise Overfolder to act on your behalf through a third-party service, we hold the OAuth tokens for that service and we make calls through them at your AI's request. The content of those requests and responses is processed transiently to produce the reply you asked for and to keep an audit record, and is not retained beyond what is necessary for those purposes, except where you explicitly enable longer retention.

Granularity

You can revoke any connected-service delegation at any time from the web dashboard at cloud.overfolder.com.

3. Google API Services — Limited Use

When you connect Google Workspace, Google Docs, Google Drive, or Gmail to Overfolder, Overfolder's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide and improve the user-facing features of Overfolder that you have explicitly authorised (reading, summarising, drafting, and managing items in the Google service on your behalf through the AI assistant).
  • We do not use Google user data to develop, improve, or train generalised AI/ML models.
  • We do not sell, rent, or transfer Google user data to third parties for advertising, ad personalisation, or any other unrelated purpose.
  • We do not allow humans to read Google user data unless: (a) we have your explicit consent for the specific messages or files; (b) it is necessary for security purposes (such as investigating abuse or a bug); (c) we are required to do so to comply with applicable law; or (d) the data is aggregated and used for internal operations in a form where individual users cannot be identified.

We currently request OAuth scopes only for Google Workspace, Google Docs, Google Drive, and Gmail, and only to the extent needed for the connector you enable.

4. Purposes and legal bases (GDPR Art. 6)

Purpose | Legal basis
Providing the Service to you (account, AI assistant, connected services) | Contract (Art. 6(1)(b))
Billing and tax compliance | Legal obligation + contract
Security, abuse prevention, fraud detection | Legitimate interest
Service improvement via aggregated telemetry | Legitimate interest
Marketing emails (if any) | Consent — opt-in, revocable
Responding to lawful requests from authorities | Legal obligation

5. Sub-processors and third parties

We use a small set of vendors to operate the Service. Current sub-processors:

  • Vercel Inc. — landing-page and edge hosting (US/EU).
  • Google LLC (Google Cloud) — application, microVM, and database hosting (EU region).
  • Telegram FZ-LLC — messaging transport (the Telegram platform itself, when you use the bot).
  • Stripe Payments Europe Ltd. — payment processing (IE / US).
  • Anthropic, PBC / OpenAI, L.L.C. / OpenRouter, Inc. — AI inference providers (US). Which provider handles your request depends on your configuration and the routing we choose.
  • Google LLC (Google Workspace APIs) — when you connect Google Workspace, Docs, Drive, or Gmail as data sources (US).

We do not currently use a third-party transactional email provider; system emails are sent directly from our own infrastructure. If we add one we will list it here in advance.

We may update this list. Material changes to sub-processors will be reflected here and announced to active customers in advance where reasonably possible.

6. International transfers

Some sub-processors above are located in the United States or transfer data to the US. Where this is the case, transfers are protected by the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We apply additional technical safeguards (encryption in transit and at rest, scope minimisation) to limit transferred data to what is strictly necessary.

7. Retention

  • Account data: while your account is active, plus up to 12 months for re-activation; longer if required by law (e.g. invoicing records, 6 years in Spain).
  • Billing records: as required by Spanish tax law (currently 6 years).
  • Conversation history and workspace files: kept while your account is active and accessible to you; deleted on account deletion (and in any case purgeable on request).
  • Operational logs: 30 to 90 days, then aggregated or deleted.
  • OAuth tokens for connected services: until you disconnect the service or delete your account.
  • Connected-service request/response content: transient — not retained beyond the call, except for audit records (request metadata only) which are kept for the period you configure.

8. Your rights

Wherever you live, you can email privacy@overfolder.com to:

  • access the personal data we hold about you;
  • correct or update it;
  • delete it (subject to the legal-retention exceptions above);
  • export it in a machine-readable format;
  • object to or restrict certain processing;
  • withdraw any consent you have given;
  • disconnect any third-party service you have authorised.

If you are in the EEA / UK, you also have the right to lodge a complaint with your supervisory authority. In Spain that is the Agencia Española de Protección de Datos (AEPD), https://www.aepd.es.

9. Children

The Service is not directed to children under 14 (the threshold under Spanish law). We do not knowingly collect personal data from children under that age. If you believe a child has provided us personal data, contact us and we will delete it.

10. Cookies and similar technologies

The marketing site (www.overfolder.com) uses only strictly necessary local storage (language preference and analytics opt-out) and no tracking cookies. The application (cloud.overfolder.com) uses cookies that are strictly necessary to keep you signed in. We use Vercel Analytics in aggregate, anonymised form to measure traffic to the marketing site; it does not set identifying cookies. We do not currently use third-party advertising or cross-site tracking cookies. If this changes, we will publish a separate Cookie Policy and request consent where required.

11. Changes to this Policy

We will revise this Policy as the Service evolves. Material changes will be notified to active users via the Telegram bot and/or email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

12. Contact

Questions, requests, or complaints: privacy@overfolder.com. For security disclosures: security@overfolder.com.