1 Who We Are
Mail2Brief ("Mail2Brief", "we", "our", or "us") is an email productivity service that summarizes, prioritizes, and delivers your inbox as structured audio and visual briefings. Mail2Brief also helps users create editable AI-assisted reply drafts and, where enabled, send user-confirmed replies.
Mail2Brief is operated by David Gombos, who acts as the data controller.
2 Data We Collect
2.1 Account Data
When you create or use a Mail2Brief account, we may collect:
- Email address and bcrypt-hashed password
- Language and locale preferences
- Optional profile information, such as full name, role, company, company size, and use case
- Subscription tier, usage limits, and billing-related status
- Privacy Policy acceptance timestamp
- Marketing consent, if you explicitly opt in
2.2 Connected Email Account Data
When you connect an email account, Mail2Brief accesses and processes email data only to provide the service features you request. Depending on your provider and enabled features, we may process:
- Connected account email address
- OAuth access and refresh tokens or provider-specific authentication credentials
- Email message IDs and thread/conversation IDs
- Email subject lines
- Sender display names and sender email addresses where needed for reply, filtering, account matching, and rule processing
- Recipient, reply-to, and header metadata where needed to preserve email threading and send replies
- Message timestamps, labels, folders, and read/sync metadata
- Email snippets and previews
- Plain-text email body content where needed for summarization, prioritization, task extraction, audio briefing generation, and reply draft generation
- Attachment metadata, such as filename and file type; attachments are not downloaded or stored unless a future feature explicitly asks for separate user consent
- AI-generated summaries, priority levels, categories, extracted tasks, deadlines, missing-information notes, and reply drafts
- User-edited reply drafts and send status metadata
Email content is processed automatically. Humans do not access your email content except in the limited circumstances described in this policy.
2.3 Voice Reply Data
If you use the "Reply with voice" feature, your browser records audio only after you grant microphone permission and start recording. We may process:
- The audio recording you choose to submit
- A text transcript generated from that audio
- The AI-rewritten reply draft generated from your spoken instruction
- The final edited reply text if you choose to send it
Voice recordings are used only to create a transcript and reply draft. We do not use voice recordings for advertising or model training. We do not intentionally retain voice recordings after transcription unless temporary processing storage is technically required.
2.4 Authentication, Security, and Session Data
We may collect and process:
- OAuth access and refresh tokens, encrypted at rest where applicable
- Session tokens, stored as secure hashes or secure session identifiers
- IP address, browser user-agent, and related request metadata for security, abuse prevention, and troubleshooting
- Audit and error logs that do not intentionally include email bodies, full AI drafts, OAuth tokens, passwords, or secret values
3 How We Use Your Data
We use your data to:
- Authenticate users and maintain secure sessions
- Connect to your selected email provider
- Sync recent inbox messages and maintain incremental sync state
- Generate email summaries, priorities, categories, tasks, and deadlines
- Generate audio briefings using text-to-speech
- Generate editable AI-assisted reply drafts based on the selected email and your instructions
- Transcribe voice reply instructions when you use the voice reply feature
- Rewrite voice instructions into business-appropriate editable reply drafts
- Send an email reply only after you explicitly review and confirm the final draft
- Send transactional emails, such as verification and password reset emails
- Provide account, privacy, export, and deletion functionality
- Improve reliability, security, and product quality
- Send marketing communications only if you explicitly opt in
We request only the permissions needed to provide Mail2Brief's features. We do not use your email data for advertising.
4 Email Access and Sending
4.1 Reading Emails
Mail2Brief uses read access to retrieve email data needed to create your private email briefing. This may include message headers, sender information, subject lines, timestamps, labels, snippets, body text, message IDs, and thread IDs.
4.2 Sending Replies
If reply sending is enabled for your connected provider, Mail2Brief may request permission to send email replies. Mail2Brief does not send emails automatically. A reply is sent only when all of the following are true:
- You open or generate a reply draft
- You review and may edit the draft
- You click the Send action
- You confirm the final send step
AI-generated and voice-generated drafts are never sent without explicit user confirmation.
5 Third-Party Services
5.1 Anthropic — AI Processing
We may send relevant email context to Anthropic to generate summaries, extract tasks, classify priority, and create or rewrite reply drafts. Anthropic does not use this data to train models where our provider terms or account settings prohibit training on submitted data.
5.2 OpenAI — Transcription and Text-to-Speech
We may use OpenAI services to generate audio briefings from processed summary text and to transcribe voice reply recordings submitted by the user.
5.3 Google and Microsoft — Email Access and Sending
We access connected Google and Microsoft accounts through their official APIs and OAuth authorization flows. Depending on the provider and permissions granted, Mail2Brief may read email data for briefing and may send replies only after explicit user confirmation.
5.4 iCloud and IMAP/SMTP Providers
Where supported, Mail2Brief may access email using provider-specific IMAP and SMTP settings and user-provided app-specific passwords or credentials. These credentials are used only to provide email sync and reply functionality.
5.5 Email Delivery Providers
We may use third-party providers, such as Resend or similar services, to send transactional emails including verification and password reset messages.
5.6 Hosting, Storage, and Infrastructure
We may use hosting, database, storage, logging, and infrastructure providers to operate the service securely and reliably.
6 Google User Data Compliance
Mail2Brief's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing Mail2Brief features
- We do not use Google user data for advertising
- We do not sell Google user data
- We do not transfer Google user data to third parties except as necessary to provide or improve Mail2Brief's user-facing features, comply with applicable law, or protect security
- We do not use Google user data to train generalized AI or machine learning models
- We do not allow humans to read Google email content except with your explicit consent, when necessary for security or abuse investigation, to comply with applicable law, or to provide support at your request
7 Data Retention
We follow a minimal data retention policy and retain data only as long as needed to provide the service, comply with legal obligations, resolve disputes, or maintain security. Retention may include:
- Account data: retained until account deletion or as required by law
- OAuth tokens and connected account records: retained while the email account remains connected
- Email cards, summaries, priorities, and tasks: retained according to product settings, inactivity cleanup, task status, and user actions
- Pinned or active items: retained until unpinned, completed, dismissed, or deleted
- Reply drafts: retained until sent, deleted, expired, or removed as part of account deletion
- Generated audio files: retained only as needed for playback and deleted with associated summaries
- Voice recordings: not intentionally retained after transcription
- Sessions: expire after inactivity
- Security logs: retained for a limited period for abuse prevention, troubleshooting, and legal compliance
- Backups: may persist for a limited period before automatic deletion
You may request deletion of your account and associated data as described below.
8 Data Security
We implement appropriate technical and organizational measures designed to protect your data, including:
- HTTPS/TLS encryption for data in transit
- Encryption of sensitive tokens and credentials where applicable
- Secure password hashing using bcrypt
- Access controls and restricted database access
- Session security protections
- Logging practices designed to avoid storing full email bodies, OAuth tokens, passwords, or secret values
- Operational controls to limit access to production systems
No method of transmission or storage is completely secure, but we work to protect your data using reasonable safeguards.
9 Legal Basis for Processing (GDPR)
Where GDPR applies, we process personal data under the following legal bases:
- Contract: to provide the Mail2Brief service you request
- Consent: to connect email accounts, process email data, process voice recordings, use AI-powered features, and send marketing communications where applicable
- Legitimate interests: to secure, maintain, troubleshoot, and improve the service
- Legal obligation: where processing is required by applicable law
You may withdraw consent where applicable, but doing so may prevent certain features from working.
10 International Data Transfers
Some of our service providers may process data outside your country or outside the European Economic Area (EEA). Where required, we use appropriate safeguards for international transfers, such as contractual protections or other legally recognized transfer mechanisms.
11 Your Rights and Choices
Depending on your location, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Export your data
- Request deletion of your data
- Withdraw consent
- Object to or restrict processing
- Disconnect a connected email account
- Revoke Google or Microsoft access from your provider account settings
You can exercise these rights through the app where available or by contacting us at support@mail2brief.com.
12 Data Export and Deletion
Mail2Brief provides or may provide in-app options to export your data and delete your account. When you request account deletion, we aim to delete or anonymize your account profile, sessions, connected inbox records, OAuth tokens, email cards, summaries, tasks, reply drafts, audio files, voice transcripts, and other service data associated with your account.
Some data may remain for a limited time in backups, security logs, legal records, or fraud-prevention records where necessary.
You may also revoke Mail2Brief's Google access at any time from: https://myaccount.google.com/permissions
13 Cookies
We use essential cookies and similar technologies required for authentication, session management, security, and core service operation. We do not use tracking or advertising cookies unless we update this policy and request consent where required.
14 Children's Privacy
Mail2Brief is not intended for children under 16. We do not knowingly collect personal data from children under 16.
15 Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify users through the app, by email, or by another appropriate method.