Security & data

What we request from Google

  • gmail.readonly — we use this scope to read message metadata only: it lets us fetch the From and Subject headers of your emails. We never read bodies or attachments.

How tokens are stored

Your Gmail OAuth tokens live in our database, scoped to your account, and are only accessible from server code authenticated as you. Tokens are refreshed automatically and never sent to your browser.

Retention

Scans are automatically deleted 30 days after they run. Your account and Gmail connection persist until you disconnect or delete them.

Delete everything

Permanently delete all your scans and revoke our access to Gmail.