Privacy Policy

1. Introduction

This Privacy Policy describes how Minmailist (the "Extension," "we," "us," or "our") collects, uses, and protects information when you install and use the Minmailist Chrome extension. Minmailist is operated by an individual developer based in India.

Minmailist is a Chrome extension that transforms Gmail into a calmer, more focused inbox by classifying messages into Important and Other splits, hiding noise, and offering optional AI-powered organization tools (snooze, sticky notes, board view, star collections, ⌘K launcher, summaries, and AI labels).

If you do not agree with this policy, please do not install or use Minmailist.

2. Limited Use of Google User Data

Minmailist's use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
• We do not use Google user data to serve advertisements.
• We do not allow humans to read Google user data, except (a) with your affirmative agreement for specific messages, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used for internal operations.
• We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models.

3. What Information We Access

3.1 Google Account information

When you sign in with Google, we receive your email address and basic profile information (name and profile picture) via the userinfo.email scope. This is used to identify your account inside Minmailist and to display the signed-in user in the interface.

3.2 Gmail content

With your explicit OAuth consent, Minmailist accesses your Gmail messages using the following scopes:

We never send, delete, or modify the contents of your emails. Modify scope is used only for labels and archive state.

3.3 Information you create inside Minmailist

• Split definitions, sticky notes, board layouts, star collections, ⌘K launcher history, Zen Home configuration, and snooze schedules.

3.4 Account and subscription information

• A unique user ID (assigned by Firebase Authentication).
• Your subscription status (free or paid) and the associated Dodo Payments customer ID, used to validate your subscription.

3.5 Feature-usage events

Anonymous feature events tied to your user ID, such as "opened board view," "created split," or "invoked summary." These contain no email content, subjects, senders, or any Gmail data. We use them only to understand which features users find useful and to improve the product.

4. Where Your Data Lives

Minmailist is built on a local-first architecture. The vast majority of your Gmail data never leaves your browser.

4.1 In your browser (default)

Your Gmail messages are fetched directly from Google's servers to your browser using the Gmail API and stored in your local IndexedDB and chrome.storage. This includes:

• Cached message metadata (sender, subject, date, snippet, labels)
• Computed classifications (Important / Other split assignments)
• Your Minmailist preferences and content (sticky notes, board state, star collections, snooze schedule, etc.)

This data stays on your device. We cannot read it.

4.2 In Firebase Firestore (Google Cloud)

Firestore stores only:

• Your account metadata (user ID, email, account creation date)
• Subscription status (active / inactive, plan tier)
• Synced preferences (split definitions, board layouts, sticky note text, etc.) so your setup follows you across devices
• Feature-usage events as described in §3.5

No Gmail content, subjects, senders, or message bodies are ever stored in Firestore.

4.3 In our backend Cloud Function (transient, pass-through only)

For the optional AI features (classification, summaries, AI labels), the minimum necessary input is sent to a Google Cloud Function we operate, which forwards the request to Google Vertex AI and returns the response.

• For classification: only the email subject line and sender are transmitted.
• For summaries: the message body is transmitted only when you explicitly invoke "Summarize" for that specific message.
• The Cloud Function is strict pass-through: it does not log, cache, or persist email data. The data exists only in memory for the duration of the request (typically under one second), then is discarded.

4.4 In Google Vertex AI

The data described in §4.3 is processed by Google Vertex AI under Google Cloud's enterprise terms. Per those terms, Vertex AI does not use customer data to train or improve its models, and the data is not retained beyond what is necessary to serve the request.

4.5 In Dodo Payments

When you subscribe to a paid plan, you are redirected to Dodo Payments' hosted checkout page. Minmailist never sees or stores your card or payment information. We receive only a Dodo Payments customer ID and subscription status from Dodo's webhooks.

5. What We Do Not Do

• We do not sell, rent, or trade your data to anyone.
• We do not run ads inside Minmailist, and we do not share your data with advertisers.
• We do not use your Gmail data, or any data derived from it, to train AI models.
• We do not read your emails. The classifier and AI features run automatically against the data you send them; no human at Minmailist sees your messages.
• We do not collect health, financial, location, or browsing-history data.

6. Authentication and OAuth Tokens

Minmailist uses Google OAuth 2.0 to authenticate you. When you sign in:

1. Google asks you to grant Minmailist the scopes listed in §3.2.
2. Chrome's chrome.identity API receives the access token and stores it in Chrome's secure token cache. The access token never leaves your browser except in authenticated requests directly to Google's own servers.
3. Firebase Authentication issues a session that links your Google identity to your Minmailist account, so we can match your subscription status when you use the extension.

You can revoke Minmailist's access at any time from your Google Account permissions page.

7. Data Retention

8. Your Rights

Depending on where you live, you may have legal rights over your personal data. Minmailist honors these rights for all users, regardless of jurisdiction:

• Access: Request a copy of the personal data we hold about you.
• Correction: Ask us to correct inaccurate data.
• Deletion: Ask us to delete your account and all associated data (subject to the retention exceptions in §7).
• Portability: Request your data in a machine-readable format.
• Withdraw consent: Revoke OAuth access via your Google Account, which stops Minmailist from accessing your Gmail.
• Object / restrict: Ask us to stop or limit certain processing.

To exercise any of these rights, email us at privacy@minmailist.com. We respond within 30 days.

Specific frameworks

• India (Digital Personal Data Protection Act, 2023): You have the rights described above as a "Data Principal." Our role is "Data Fiduciary." You may also nominate another person to exercise these rights on your behalf and may file a complaint with the Data Protection Board of India.
• European Union / UK (GDPR): You may lodge a complaint with your local supervisory authority. Our lawful basis for processing is your consent (Article 6(1)(a)) for Gmail and AI features, and contract (Article 6(1)(b)) for account/subscription management.
• California (CCPA/CPRA): We do not sell or "share" your personal information as those terms are defined under California law. You have rights to know, delete, correct, and opt out of any sale or share, none of which apply to us.

9. Security

• All data in transit is encrypted with TLS 1.2 or higher.
• Firebase Firestore is configured with security rules that prevent any user from reading another user's data.
• OAuth tokens are stored only in Chrome's protected token cache, never in our databases or logs.
• We follow the principle of least privilege for every API and database access path.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you and the relevant authorities as required by law (including the DPDP Act's notification obligations).

10. Third-Party Service Providers

Minmailist relies on these service providers, each of which has its own privacy policy:

We do not share your data with any other third parties.

11. International Data Transfers

Because we use Google Cloud and Dodo Payments, your data may be processed on servers located outside India (typically in the United States). When this happens, we rely on standard contractual clauses and the providers' compliance certifications (SOC 2, ISO 27001) to safeguard your data.

12. Children's Privacy

Minmailist is not intended for users under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please email privacy@minmailist.com and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will:

• Update the "Last updated" date at the top of this page.
• Notify you in-product or via email if the change is material (for example, a new category of data collection).

Continued use of Minmailist after a change indicates acceptance of the updated policy.

14. Contact

For any questions, requests, or complaints about this policy or your data:

Email: privacy@minmailist.com
Operator: Individual developer, India

This policy is provided in plain English and is intended to be straightforward. If anything is unclear, please email us — we will explain.