Mail2Brief — Privacy Policy
Last updated: April 14, 2026
Mail2Brief ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have.
1. Who We Are
Mail2Brief is an email productivity service that summarizes, prioritizes, and delivers your inbox as a structured audio/visual briefing. We are operated by Mail2Brief and can be reached at gombosdavid@mail2brief.com.
2. Data We Collect
2.1 Account Data
• Email address and bcrypt-hashed password
• Language/locale preference
• Optional profile: full name, role, company name, company size, use case (collected during onboarding)
• Subscription tier and usage limits
• Privacy Policy acceptance timestamp and marketing consent (collected at registration)
2.2 Email Data
When you connect your inbox, we access your emails in read-only mode and store the following in our database:
• Email subject line
• Sender display name (email addresses are stripped)
• First 280 characters of the email body (preview)
• Full plain-text body (email addresses stripped)
• Attachment metadata (filename, file type) — actual attachment files are never downloaded or stored
• AI-generated summary, priority level, and task extraction results
We never store the full raw email content beyond what is listed above, and we never store actual email attachments.
2.3 Authentication & Session Data
• Google and Microsoft OAuth access and refresh tokens (stored encrypted with Fernet, which uses AES-128)
• Session tokens (stored as SHA-256 hashes, never in plain text)
• IP address and browser user-agent (stored per session for security purposes)
3. How We Use Your Data
• To authenticate you and maintain your session
• To sync your inbox and generate email summaries, priorities, and tasks
• To generate audio briefings via text-to-speech
• To send transactional emails (email verification, password reset)
• To send newsletters and marketing messages, if you explicitly opted in at registration
4. Third-Party Services
To provide our service, we share limited data with the following third parties:
4.1 Anthropic (AI Summarization)
We send the following data to Anthropic's API to generate email summaries and task extraction:
• Sender display name
• Email subject line
• Up to 900 characters of email body text
No user identifiers (such as your email address or account ID) are included in these requests. Per Anthropic's API Terms of Service, data submitted via the API is not used to train AI models. For more information, see anthropic.com/privacy.
4.2 OpenAI (Text-to-Speech)
We send AI-generated email summary text (derived from your email content) to OpenAI's API to generate audio briefings. This text is a processed summary, not raw email content. For more information, see platform.openai.com/privacy.
4.3 Google / Microsoft (Email Sync)
When you connect your Google or Microsoft account, we access your emails via their official APIs using read-only OAuth permissions. We never modify, delete, or send emails on your behalf. OAuth tokens are stored encrypted.
4.4 Resend (Transactional Email)
We use Resend to send email verification and password reset emails. We share only your email address and the relevant token for this purpose.
5. Data Retention
We follow a minimal retention policy:
• Email cards (summaries): deleted automatically at midnight if not pinned and no open tasks are associated
• Pinned email cards: retained until manually marked as completed by the user
• Tasks: retained until marked as completed or dismissed
• Audio files: deleted together with their associated email card
• Sessions: expire after 30 days of inactivity
• User accounts: retained until the user requests deletion
6. Data Security
• OAuth tokens are encrypted using Fernet symmetric encryption (AES-128-CBC) before being stored
• Session tokens are stored as SHA-256 hashes — never in plain text
• All communication between your browser and our servers is encrypted via HTTPS/TLS
• Passwords are hashed using bcrypt before storage
• Database access is restricted to our application server within a private network
7. Your Rights (GDPR)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
• Right of access — you can view your data within the app at any time
• Right to erasure — you can permanently delete your account and all associated data via Settings > Delete Account
• Right to data portability — you can export all your data as a JSON file via Settings > Export My Data
• Right to withdraw consent — you can withdraw marketing consent at any time by contacting us
• Right to object — you can object to processing by deleting your account
To exercise any of these rights, contact us at gombosdavid@mail2brief.com.
8. Cookies
We use only essential cookies necessary for authentication and session management. We do not use advertising, tracking, or analytics cookies. You can manage your cookie preferences via the cookie banner displayed on your first visit.
9. Children's Privacy
Mail2Brief is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice in the app. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
• Email: gombosdavid@mail2brief.com
• Website: mail2brief.com
• LinkedIn: linkedin.com/company/mail2brief