Your emails. Treated like the business asset they are.

We connect to Gmail and Outlook via OAuth 2.0. You never give us your password — Google or Microsoft issues a revocable access token. You can revoke access at any moment from your Google or Microsoft account settings, or directly inside SmartEmails with one click.

Scopes are minimal by design:

• Read — to fetch the emails we classify
• Labels / folders management — to apply SmartEmails labels (Gmail) or move messages to folders (Outlook)
• Drafts — to save the AI-generated reply as a Gmail/Outlook draft in your account

We do not request send permission. SmartEmails cannot send emails on your behalf.

• Industry-standard TLS encryption on all traffic between your browser, SmartEmails, and the services we rely on
• Strict tenant isolation — your data is inaccessible to any other customer at every layer of the stack
• OAuth tokens encrypted at rest in the database
• Hosted on EU-based infrastructure — full subprocessor list at /subprocessors

To classify an email and let you act on it in the app, we persist:

• Email metadata: sender, recipient, subject, date, thread ID, a snippet of the body
• The classification: category, priority, reason
• When you generate a draft reply: the AI-generated draft (so you can review it in the app)

The full email body is not kept in our database as a long-term copy. It is sent to our AI provider at classification time, under the terms described below, and only a short snippet is retained for display purposes.

When you disconnect your mailbox or delete your account, all of the above is purged within 30 days. You can also request an immediate full deletion by writing to privacy@smartemails.ai.

SmartEmails uses the Anthropic Claude API to classify emails and generate draft replies. Per Anthropic's API terms:

• Your email content is not used to train Anthropic's models
• Anthropic retains inputs only for limited operational purposes (abuse detection, up to 30 days) unless a Zero Data Retention addendum is in place
• No third parties other than Anthropic's infrastructure see the content of emails sent for classification

For full details on how our AI provider processes your data, see /subprocessors.

• ❌ Sell, rent or share your data with advertisers, data brokers, or marketing platforms
• ❌ Use your emails to train ML models — ours or anyone else's
• ❌ Share your data with any subprocessor other than those listed on /subprocessors
• ❌ Keep anything after a documented deletion request beyond the 30-day purge window

SmartEmails is fully GDPR-compliant. You have the right to access, rectify, export, and delete your data at any time. Most of these rights are exercisable directly in the app; for export or full deletion requests, write to privacy@smartemails.ai.

A Data Processing Agreement is available — see /dpa. /dpa

The list of every third party that processes your data is public and maintained at /subprocessors. We notify customers of new subprocessors before they are added.

If you discover a security vulnerability, please email security@smartemails.ai. We acknowledge reports within 48 hours and aim to issue a fix within 30 days for critical issues. We operate a responsible disclosure policy — no legal action against good-faith research.

In the event of a data breach that affects your account, we will notify you and, where applicable, the relevant data protection authority within 72 hours, as required by GDPR Article 33.

Reach out directly to security@smartemails.ai. If you are evaluating SmartEmails on behalf of your company and need written answers for a security review, we can turn around a complete questionnaire within 5 business days.

New OAuth applications that request access to sensitive Google data — such as reading email body or modifying labels — must go through Google's formal verification process before the warning is removed for end users. Until that process completes, every new user sees a red warning screen the first time they connect their Gmail or Calendar account.

This warning is about Google not having reviewed our app yet — it does NOT mean SmartEmails is unsafe. Most early-stage SaaS products that integrate with Gmail or Outlook go through the same warning during their first months in production. It is the default for any new application pending verification — not a SmartEmails-specific signal.

What we are doing about it:

• Verified domain ownership — smartemails.ai is verified in Google Search Console.
• Brand verification — our app name, logo and links are reviewed and approved by Google.
• CASA Tier 2 security audit — an independent assessor approved by Google's App Defense Alliance is auditing our code, performing a manual penetration test, and verifying our security controls. This is the most rigorous tier required by Google for restricted scopes (more than what most consumer SaaS go through). Cost: ~25 000 €. Annual.
• Final OAuth verification submission — submitted with our scope justification document, demo video, and CASA report. Google reviews and lifts the warning.

Total timeline: 3-6 months. We started immediately after first launch. The warning is a byproduct of the timing, not a security signal.

How to proceed safely as a first-time user:

• On the warning screen, click "Advanced" (small link, bottom of the page).
• Click "Continue to smartemails.ai (unsafe)". The wording "unsafe" is Google's default copy for any unverified app — not specific to SmartEmails.
• The normal Google consent screen appears, listing the permissions we request. You can review each one and either grant or deny.
• You can revoke access at any time at myaccount.google.com/permissions, or from your SmartEmails Dashboard → Settings → Disconnect.

Detailed scope-by-scope justification for every permission we request is part of our public documentation. See also our Privacy Policy and Data Processing Agreement for the full commitments around what we store and don't store.

If you use Outlook or Office 365, Microsoft shows an "Unverified publisher" warning the first time you connect. This is the same phenomenon as on the Google side: every new application requesting access to mail data must go through Microsoft's formal Publisher Verification process before the warning is removed for end users.

What we are doing about it: we have already configured App Branding (logo, links to this Privacy page and our Terms) so the consent screen looks as professional as possible. Microsoft Publisher Verification is lighter than Google's CASA — no external security audit, just legal entity identity validation. It is in progress.

How to proceed safely: on the warning screen, you can simply click "Accept" to continue (works for personal accounts @outlook.com / @hotmail.com and most Office 365 accounts). If you use a corporate account where your IT admin has locked down third-party apps, you will see an "Admin approval required" message — in that case, contact your admin to authorize SmartEmails.