Plain-English Privacy.

This is the short, true version. If we're ever required to write a longer formal version for a specific jurisdiction, we'll publish it alongside this one — never replace it with corporate fog.

What we collect

When you sign in, we receive your name and email from your OAuth provider (Google or Microsoft). When you connect a mailbox, we receive an access token that lets Automail read and send mail on your behalf, plus a refresh token to renew it. Tokens are encrypted at rest with AES-256-GCM.

For each mailbox you connect, we sync the most recent 90 days of inbox mail and a configurable window (default 1 year) of sent mail. The sent-mail copy powers voice training — see How it works.

What we do with it

We classify your inbound mail, draft replies in your voice, and present everything to you for approval. Drafts and classification metadata live in our Postgres database alongside your mail. Embeddings of your sent mail live in pgvector for retrieval at draft time.

We send portions of your mail content to LLM providers (OpenAI by default, Anthropic optionally) when classifying and drafting. The providers' API terms prohibit using API data to train their models. We don't send your mail anywhere else.

What we don't do

• We don't sell your data. There's no advertising business.
• We don't auto-send mail without your approval, unless you explicitly enable auto-send for a low-risk persona.
• We don't analyze your mail for any purpose other than running this product for you.
• We don't claim HIPAA, SOC 2, or GDPR certification. If those apply to you, talk to us before connecting your mail.

How long we keep it

Inbox messages and drafts stay until you disconnect the account or the retention sweep prunes them (configurable; default off). Embeddings of sent mail stay until you disconnect or run a "delete my voice index" action from settings. Audit-log entries are kept for at least 1 year for our own debugging and for your safety review.

Deleting your data

You can disconnect any account from Accounts; that revokes our tokens and cascades a delete of every row scoped to that account. To delete your entire user, write to us — we'll do it within 7 days and confirm.

Sharing

Single-tenant by default — your mail isn't shared with anyone except the LLM provider used to draft your replies. If you join an organization with multiple members, mail stays scoped to the connected account; members in your org can see organization-level audit summaries but not raw mail or drafts they don't own.

Changes

If we change this policy, we'll bump the effective date at the top and email everyone with a connected account.

Contact

Reach the operator at the same address you use for support. Sensitive disclosures (data subject requests, security reports) go to the same address with the subject prefixed [Privacy].