Connect a supported mailbox
You grant limited access through the mailbox provider. The provider can usually revoke that access from its own security settings.
spectre is designed to help you find service providers that may still hold personal data. It does not need your mailbox password, and it does not send an erasure request until you review it.
No mailbox passwords. Connections use OAuth or provider-specific authorization. You authenticate with the provider, not with spectre.
Signals before content. The workflow starts with sender domains, subjects, headers, dates, receipts, notices, and subscription signals. Full message content should be minimized wherever possible.
Review before sending. spectre prepares a draft. You decide whether the provider, wording, and recipient are correct before anything is sent.
spectre looks for signs that a service relationship existed: old order confirmations, privacy notices, subscriptions, login/security emails, marketing senders, and booking receipts.
The draft explains that you are exercising GDPR Article 17 rights where applicable. It should be reviewed like any important legal-adjacent message.
For approved requests, spectre can keep status, recipient, subject, timestamp, and request history so you know what was sent and when.
A receipt from a shop you used in 2017 can reveal a provider that may still hold name, address, payment reference, and purchase history.
An old hotel or flight confirmation can point to travel platforms that may still hold identity, itinerary, loyalty, or invoice data.
A cancelled newsletter or trial can still leave profile, email, consent, analytics, or marketing data with the provider.
| Area | Details |
|---|---|
| Fonts | No external Google Fonts are loaded. The site uses the browser/system font stack. |
| OAuth scripts | Google Identity Services and Google API scripts are used for supported Google mailbox authorization. Microsoft and Yahoo authorization endpoints are used only when those providers are selected. |
| Payments | Paid plans use Stripe checkout. Stripe processes payment data under its own terms and privacy documentation. |
| Application database | The current codebase integrates Appwrite for user profile data, plan status, usage counters, request history, and organisation queue data where configured. |
| AI-assisted steps | AI-assisted classification or drafting should use minimized mailbox signals. Output is assistance for review, not legal advice. |
| CASA Tier 2 | CASA Tier 2 is a real Google cloud application security review signal. It supports trust in OAuth/cloud-app handling, but it is not a substitute for GDPR legal compliance. |
Production infrastructure details such as hosting region, Appwrite region, subprocessors, and retention periods must match the live deployment and current Privacy Policy. If infrastructure changes, the legal pages should be updated before launch.