Legal

Privacy Policy

Last updated: May 28, 2026

What we collect

When you connect Gmail, Zerrow accesses message metadata, headers, and content for the purpose of classifying, summarizing, and filing your email. We also store your Google account identifier, email address, and the folder rules you define.

How we use it

Email content is processed by AI models to assign your messages to the folders you create. Summaries and classifications are stored against your account so the app stays fast. We do not sell your data, and we do not use your email content to train third-party models.

How we protect Google user data

Security procedures are in place to protect the confidentiality of your data. We use encryption to protect your information, both in transit and at rest:
  • All traffic between your browser, Gmail, and Zerrow is encrypted in transit using TLS 1.2 or higher.
  • Sensitive content — email subjects, snippets, bodies, recipient lists, AI-generated summaries and classification reasons, your saved reply drafts, and contact notes, phone numbers, and addresses — is encrypted at the column level using authenticated encryption (pgcrypto AEAD) with a server-held key, so the raw text is unreadable directly from the database. Routing fields needed to deliver and de-duplicate mail (sender address, Gmail message and thread identifiers, labels) are stored alongside in our managed Postgres database with disk-level encryption at rest provided by our infrastructure provider.
  • Google OAuth access and refresh tokens are encrypted at the column level using a server-held key (pgcrypto) and are never exposed to the browser.
  • Row-level security ensures each authenticated user can only access their own data. Server-side database access is gated by authenticated server functions that verify the requesting user before touching their data.
  • Secrets are stored in a managed secret store rather than in source code or shipped to the browser, and production access is restricted.
  • We periodically review our security procedures, dependencies, and access policies to keep your data protected.

Limited Use of Google user data

Zerrow's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • We use Google user data only to provide and improve the user-facing features of Zerrow (classifying, filing, summarizing, and drafting replies to your email).
  • We do not sell Google user data and we do not use it for advertising.
  • We do not transfer Google user data to others except as necessary to provide or improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not allow humans to read your Google user data, except with your explicit consent, for security and abuse investigations, to comply with applicable law, or where the data has been aggregated and anonymized.
  • Email content sent to our AI provider for classification, summarization, and reply drafting is processed under that provider's API data-processing terms, which prohibit using customer API content to train its generalized models. We do not separately train any models on your email content.

Sharing

We share data only with the infrastructure providers required to run Zerrow: hosting on Cloudflare, database and authentication on Supabase (via Lovable Cloud), and AI classification via the Lovable AI Gateway. Each provider is bound by its own data processing terms. We do not sell your data and we do not use it for advertising.

Retention & deletion

You can disconnect Gmail at any time from Settings. Disconnecting revokes your Google OAuth tokens at Google, stops further syncing, and removes that mailbox's synced messages, search index, reply drafts, calendar contacts, queued jobs, and the encrypted token record from our database. You can also delete your entire Zerrow account from Settings — this revokes Google access on every connected mailbox and immediately removes your synced messages, queued jobs, folders, filters, contacts, search index, push-notification logs, and sign-in record from our systems.

Your rights

You can request a copy of the data we hold about you, or ask us to delete it, by contacting support. If you are in the EU or UK, you have additional rights under GDPR including objection and portability.

Contact

Questions about this policy? Email privacy@zerrow.app.