Privacy & data

What DUGGAI stores, where it lives, and the things we explicitly never do with your email.

This page is the practical version. The full legal policy is at /privacy.

What we store

Data | Where | Why
Email content & metadata | Supabase (encrypted at rest) | To classify and draft replies
Embeddings of email + connected app data | Supabase | Semantic search across your context
AI-generated drafts and chat messages | Supabase | To show you the queue, edit them later
Style learning signals (edits, approvals) | Supabase | To improve drafts inside your account
OAuth tokens | Composio (encrypted) | To talk to Gmail / connected apps

What we never do

  • Sell your data — to anyone, ever.
  • Train public or third-party AI models on your emails.
  • Use your data for advertising or marketing.
  • Share email content across DUGGAI accounts.
  • Store your email password (we use OAuth exclusively).
  • Store attachment files (we keep filename and type only; the file is fetched on-demand if you open it).

Model providers

DUGGAI routes requests to frontier models through OpenRouter. We have explicitly disabled prompt logging and training opt-ins. OpenRouter and the underlying providers retain only request metadata (timestamps, token counts) — not prompts or completions.

Privacy controls you have

  • Exclude contacts. Add an address (e.g. legal@, hr@) to the exclusion list. DUGGAI stops processing mail from that contact entirely.
  • Disable connected apps. Disconnect any integration to stop new data ingestion from that source.
  • Auto-send is off by default. Nothing ships without your approval until you turn it on, per-contact or globally.
  • Delete your account. Two-step deletion wipes every record across all 14 data tables, your auth record, and your tokens. See Delete your account.

Disconnecting ≠ deleting

Disconnecting an app stops new ingestion. To remove what we already indexed, you need to delete the account.

Where data lives

All durable storage is in Supabase, hosted in US regions. The web app is hosted on Vercel. OAuth is brokered by Composio. Our subprocessor list is at /privacy.

Compliance

DUGGAI complies with Google's API Services User Data Policy. We are not yet SOC2 certified — that's on the roadmap. If you need a DPA or have a vendor security questionnaire, email support@duggai.com.