Privacy Policy
Last updated: April 19, 2026
1. Who we are
Automails (“we”, “our”) is a CRM and email-generation tool used by independent financial advisors to manage their client pipeline. This page explains what personal data we collect, why, and how long we keep it.
2. What we collect
- Account identity. Your Google-account email address, display name, and profile picture, obtained when you sign in with Google.
- CRM records you create. Contact details and pipeline data for the prospects you add to the app (names, phone numbers, email addresses, meeting dates, internal notes, enumerated statuses).
- Google OAuth tokens. When you opt into the Google Sheets synchronisation feature, we store a short-lived access token and a refresh token scoped to drive.file and spreadsheets. These tokens live in our database and are never exposed to the browser.
- Subscription metadata. Stripe customer ID, plan, and renewal date, if you subscribe to a paid plan.
- Operational logs. Minimal server logs (request path, timestamp, coarse error information) used to operate and debug the service. No request bodies are logged.
3. How we use your Google data
When you enable the Google Sheets view, Automails requests two OAuth scopes:
- https://www.googleapis.com/auth/drive.file: the narrowest Drive scope that fits this use. It lets us create one spreadsheet per user inside your own Google Drive. We cannot see, list, or modify any other file in your Drive; only the spreadsheet our app created is visible to us.
- https://www.googleapis.com/auth/spreadsheets: used exclusively to read and write cell values on the spreadsheet our app provisioned. We push CRM changes to the sheet (forward sync) and read edits you make in the sheet back into the CRM (reverse sync). At the API level this scope covers every spreadsheet in your account; we use it only on the sheet our app created and do not access any other spreadsheet in your account.
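As an added example (not Automails' own code), the following Python shows how an app that makes this kind of promise can enforce it: it builds the Google consent URL with exactly the two scopes above, and checks the scope list Google returns with the token before the token is stored, since a user can untick a scope on the consent screen and a code change could silently widen the list. The client ID, redirect URI and token response are placeholders constructed for the example.

```python
# Added example, not Automails' code: request exactly the two scopes named above and
# verify what Google actually granted before a token is stored. The client ID,
# redirect URI and the token response below are placeholders constructed for this example.
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The only two scopes the app should ever request.
REQUESTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/spreadsheets",
})


def build_consent_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the Google consent URL. access_type=offline is what yields a refresh
    token; include_granted_scopes is deliberately left off so previously granted,
    unrelated scopes are not bundled into this token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(REQUESTED_SCOPES)),
        "access_type": "offline",
        "prompt": "consent",
        "state": state,  # CSRF token, checked again on the callback
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def scopes_in_url(url: str) -> frozenset:
    """Parse the scope parameter back out of a consent URL, so a unit test can
    fail if anyone widens the scope list."""
    return frozenset(parse_qs(urlparse(url).query).get("scope", [""])[0].split())


def check_granted_scopes(token_response: dict):
    """Google's token response carries a space-separated 'scope' field listing what
    the user actually granted; with granular consent a user can untick one.
    Returns (ok, missing, unexpected) so the caller can refuse to store a token
    that is either too narrow to sync or broader than the app ever asked for."""
    granted = frozenset(token_response.get("scope", "").split())
    missing = REQUESTED_SCOPES - granted
    unexpected = granted - REQUESTED_SCOPES
    return (not missing and not unexpected, missing, unexpected)


if __name__ == "__main__":
    url = build_consent_url("EXAMPLE_CLIENT_ID", "https://example.invalid/oauth/callback", "opaque-state")
    assert scopes_in_url(url) == REQUESTED_SCOPES
    # Constructed token response: the user unticked the Drive scope on the consent screen.
    partial = {"access_token": "ya29.example", "refresh_token": "1//example",
               "scope": "https://www.googleapis.com/auth/spreadsheets", "token_type": "Bearer"}
    ok, missing, unexpected = check_granted_scopes(partial)
    print(ok, sorted(missing), sorted(unexpected))
```

The check on the token response is the part worth keeping in production: a token missing drive.file cannot create the sheet, and a token carrying a scope the app never requested should never reach the database.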
Automails's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it, do not transfer it to third parties except as needed to provide the service, and do not allow humans to read it unless we have your explicit consent, it is required for security, or it is needed to comply with law.
4. Where your data lives
- Supabase (hosted in the EU region) — stores your CRM records, account identity, and Google OAuth tokens. Database access is protected by row-level security so users cannot read each other's data.
- Google Drive & Google Sheets (your own account) — the synchronised spreadsheet lives in your Drive, not ours. You retain ownership at all times.
- Stripe — handles billing if you have a paid plan. We never see or store your card details.
- Netlify / Vercel — hosts the web application. They see request metadata (IP, timestamp) as any web host does.
5. How long we keep it
- CRM records & account data: kept while your account is active.
- OAuth tokens: kept while the corresponding Google permission is granted. Revoked tokens are deleted within 7 days.
- Operational logs: rotated after 30 days.
- On account deletion: all of the above are removed within 30 days, except where legal obligations require longer retention (e.g. invoicing).
6. Your rights
Under GDPR and equivalent laws, you have the right to access, correct, export, and delete your personal data. You can also revoke Google's permission at any time via Google Account Permissions. Contact us at the address below to exercise any of these rights.
7. Security
All traffic is encrypted in transit (HTTPS). OAuth tokens are stored server-side only and are never transmitted to the browser. Access to production infrastructure is limited to the project owner.
8. Changes to this policy
We may update this policy as the product evolves. The “last updated” date at the top reflects the most recent change. Material changes will be surfaced inside the app before they take effect.
9. Contact
Questions, data-rights requests, or security reports: sebastiaan.mertens98@gmail.com.