Compliance reviews

EmailConnect may conduct a compliance review when there are reasonable grounds to suspect a violation of our Acceptable Use Policy. This article explains what a compliance review involves, what data is accessed, the legal basis, and your rights.

What is a compliance review?

A compliance review is a limited, time-bound review of email metadata associated with a specific account. Reviews are only initiated when there are reasonable grounds to suspect activity that violates our Acceptable Use Policy, such as phishing, spam distribution, or malware delivery.

Compliance reviews are strictly limited to metadata. We do not read email body content during a compliance review.

What data is reviewed

During a compliance review, only the following metadata may be examined:

  • Subject lines of processed emails
  • Sender and recipient email addresses
  • URLs found in emails
  • Attachment filenames (not attachment contents)
  • Timestamps and volume patterns

We do not read email body content. The review is limited to metadata that indicates patterns of use, not the substance of private communications.

Why we conduct compliance reviews

Compliance reviews serve a narrow purpose: protecting the platform and all its users.

  • Preventing abuse — EmailConnect must not be used as infrastructure for phishing, spam, or malware distribution. We have a legal and ethical obligation to prevent our service from aiding illegal activities.
  • Protecting the platform — Abuse by one account can damage the reputation of the service and affect the trust other users place in EmailConnect.
  • Maintaining trust — Users rely on EmailConnect to operate a clean, trustworthy email processing service. Compliance reviews are one mechanism for upholding that standard.

Legal basis

Compliance reviews are conducted under the following GDPR provisions:

  • Article 6(1)(f) — Legitimate interest. We have a legitimate interest in preventing platform abuse that would harm other users and the service itself.
  • Article 5(1)(c) — Data minimisation. Reviews are restricted to metadata. Email body content is never accessed.
  • Article 5(1)(e) — Storage limitation. Any data captured during a review is automatically deleted 7 days after the review concludes.

How reviews work

Every compliance review follows a defined process with built-in constraints:

  1. Approval — Reviews must be approved by senior staff. They cannot be initiated unilaterally by any single employee.
  2. Scope — Each review is limited to the specific account and timeframe under investigation. There are no broad or exploratory searches.
  3. Time limit — Reviews have a maximum duration of 48 hours.
  4. Audit trail — Every action taken during a review is logged. This includes who approved the review, what data was accessed, and when.

Your rights

Notification

You will be notified after any compliance review concerning your account has concluded, in accordance with GDPR Article 14. Notification may be delayed during an active investigation to preserve its integrity, as permitted under Article 14(5)(b).

Audit log access

You can request an excerpt of the audit log for any compliance review conducted on your account. The excerpt will show what metadata was accessed and when.

Right to object

You have the right to object to compliance reviews under GDPR Article 21. We will assess your objection against our legitimate interest in maintaining platform integrity.

Contact

For any questions about a compliance review or to exercise your rights:

How long data is kept

Data type                                            Retention period
Review captures (metadata accessed during review)    Auto-deleted 7 days after the review concludes
Audit logs                                           Retained for the duration of our legitimate interest period

You can request deletion of audit logs. Such requests are assessed against our legitimate interest in retaining records of compliance activity.

FAQ

Will I know if my account was reviewed?

Yes. You will be notified after the review concludes. In limited cases, notification may be delayed during an active investigation.

Can you read my emails?

No. Compliance reviews are limited to metadata. Email body content is never accessed during a review.

What happens if a violation is found?

The outcome depends on the nature and severity of the violation. Actions may range from a warning to account suspension, as described in our Acceptable Use Policy.

Can I request the audit log?

Yes. Contact privacy@emailconnect.eu to request an excerpt of the audit log for any review involving your account.