Privacy Policy
Last updated: April 24, 2026
AI Mail Agent ("we", "our", "us") is committed to protecting your privacy.
This Privacy Policy explains how we collect, use, store, and safeguard
your information when you use our service at
ai-email-agent.com.
1. Information We Collect
We collect the following information when you use our service:
- Google Account data: Email address, name, and OAuth tokens to access Gmail and Google Calendar on your behalf.
- Microsoft Account data: Email address, name, and OAuth tokens to access Outlook and Outlook Calendar.
- Email content: Email subjects, bodies, and metadata stored to provide AI reply generation and inbox management.
- Calendar events: Meeting information to detect scheduling requests and sync your calendar.
- Usage data: Number of AI replies generated, account activity logs for billing and abuse prevention.
2. How We Use Your Information
- To read, display, and organize your emails within the app
- To generate AI-powered email replies using your email content
- To detect meeting requests and add them to your calendar
- To send email replies on your behalf when you explicitly approve
- To enforce subscription plan limits and prevent abuse
We do not use your email content to train AI models. We
do not sell, rent, or share your personal data with third parties for
advertising purposes.
3. Google API Scopes
We request the following Google API scopes:
- gmail.readonly — to read your emails and display them in the app
- gmail.send — to send replies on your behalf after your explicit approval
- gmail.modify — to mark emails as read and move messages to trash when you delete them
- calendar — to read and add meeting events to your Google Calendar
Our use of Google user data complies with the
Google API Services User Data Policy, including the Limited Use requirements. We only request scopes that are
strictly necessary for the app's core functionality.
4. Sensitive Data Protection Mechanisms
This section describes how we protect your sensitive data, including
Gmail and Calendar content.
4.1 Encryption
- In transit: All data transmitted between your browser, our servers, and third-party APIs (Google, Microsoft, Anthropic) is encrypted using TLS 1.2 or higher (HTTPS). Unencrypted HTTP connections are rejected.
- At rest: All data stored in our database (Supabase, EU region) is encrypted at rest using AES-256 encryption. OAuth tokens (access tokens and refresh tokens) are stored in encrypted columns with additional row-level security policies.
4.2 Access Controls
- Row-Level Security (RLS): Our database enforces row-level security on every table. Each user can only access their own data — it is technically impossible for one user to read another user's emails or tokens.
- Authentication: Access to your data requires a valid JWT (JSON Web Token) issued by Supabase Auth. Tokens expire and are automatically rotated.
- OAuth tokens: Google and Microsoft OAuth tokens are stored server-side only and are never exposed to the browser or third parties. Refresh tokens are used exclusively to obtain fresh access tokens for Gmail/Calendar API calls.
- Edge Functions: API calls to Google, Microsoft, and Anthropic are made exclusively from server-side Edge Functions (Supabase Deno runtime) — not from the user's browser. This prevents token exposure.
4.3 Minimal Data Exposure
- Email content sent to Anthropic Claude API for AI reply generation is processed in real-time and is not stored or used for model training by Anthropic (see Anthropic Privacy Policy).
- We fetch only the most recent emails (up to 100 inbox + 20 sent) per sync — we do not download your entire email history.
- Email content is stored only for active accounts. When you delete your account, all associated data (emails, tokens, logs) is permanently deleted.
4.4 Infrastructure Security
- Database: Hosted on Supabase (EU region, Frankfurt). Supabase is SOC 2 Type II certified.
- Frontend: Hosted on Vercel with automatic HTTPS, DDoS protection, and security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS).
- Rate limiting: API endpoints enforce per-user rate limits to prevent abuse and unauthorized bulk data extraction.
- No source maps in production: Production builds do not include source maps, preventing reverse-engineering of application logic.
4.5 AI/ML Model Training Disclosure
AI Mail Agent uses the Anthropic Claude API solely to generate email reply
suggestions.
Your email content is not used to train any AI or machine learning
models — neither by us nor by Anthropic. Each AI request is stateless and
processed independently. We do not retain prompts or AI outputs beyond
what is displayed to you in the app.
5. Data Storage and Retention
Your data is stored in Supabase (EU region, Frankfurt, Germany) under GDPR
jurisdiction.
- Email data is retained while your account is active and for up to 30 days after deletion for backup recovery.
- OAuth tokens are deleted immediately upon account deletion or when you disconnect a provider.
- You can delete your account and all associated data at any time from the Settings page → "Delete Account".
6. Data Sharing
We share your data only with the following processors, strictly to provide
the service:
- Supabase — database and authentication infrastructure (EU region)
- Anthropic — AI reply generation (email content sent per request, not stored)
- Vercel — frontend hosting (no user data stored)
- Stripe — payment processing (billing data only, no email content)
We do not sell, rent, or share your data with advertising networks, data
brokers, or any other third parties.
7. Your Rights (GDPR)
If you are located in the European Union, you have the following rights:
- Right of access: Request a copy of all data we hold about you
- Right to erasure: Delete your account and all associated data
- Right to portability: Export your data in JSON format
- Right to rectification: Correct inaccurate personal data
- Right to object: Opt out of any data processing
To exercise these rights, use the Settings page in the app or contact us
at the email below.
8. Cookies
We use only essential session cookies required for authentication
(Supabase Auth). We do not use tracking cookies, advertising cookies, or
third-party analytics.
9. Changes to This Policy
We will notify you of significant changes to this Privacy Policy by
updating the "Last updated" date and, for material changes, by email.
Continued use of the service after changes constitutes acceptance of the
updated policy.
10. Contact
For privacy questions, data requests, or to report a security issue:
Email: privacy@ai-email-agent.com
Website: ai-email-agent.com