Privacy Policy

Last updated: March 12, 2026

Brevit (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our AI-powered email briefing service (“Service”). By using Brevit, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you sign in with Google or Microsoft, we receive your name, email address, and a unique account identifier from the OAuth provider. We use this to create and manage your Brevit account.

Email Metadata and Content

To provide the Service, Brevit accesses your email accounts using OAuth. We read:

  • Email subject lines
  • Sender and recipient addresses
  • Email dates and timestamps
  • Email body content — read temporarily to perform AI analysis
  • Reply-To headers (for security analysis)

We do not permanently store full email body content. Email bodies are passed to our AI provider (Anthropic Claude) for analysis and then discarded. We store only the structured output of that analysis: summaries, identified action items, and sender metadata.

OAuth Tokens

We store OAuth refresh tokens to allow ongoing access to your email accounts on your behalf. All tokens are encrypted at rest using AES-256-GCM before being stored in our database.

Usage Data

We collect standard server logs including IP addresses, browser type, and pages visited. This data is used to maintain and improve the Service and is not shared with third parties for marketing purposes.

Cookies and Local Storage

Brevit uses a small number of cookies and browser local storage for functional purposes only: a theme preference cookie (brevit-theme) and local sync timestamp caching. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

Subscription and Billing Data

When paid plans become available, payment processing will be handled by Stripe. We will not store your credit card number or full payment details. We will receive and store only your subscription status, plan type, and billing period from Stripe. Stripe’s handling of your payment information is governed by their Privacy Policy.

2. How We Use Your Data

We use the information we collect to:

  • Monitor your email accounts and identify action items, questions, and deadlines
  • Detect security threats including spoofed senders and lookalike domains
  • Generate your daily or on-demand email briefings
  • Learn your email preferences over time to reduce noise and improve relevance
  • Send briefing emails to your registered address via our email delivery provider
  • Maintain your account and provide customer support
  • Comply with legal obligations

3. OAuth Scopes and Permissions

Brevit requests the minimum permissions necessary to provide the Service:

Google (Gmail)

  • https://www.googleapis.com/auth/gmail.readonly — Read email content and metadata. We do not send, modify, or delete emails.
  • openid email profile — Identify your account.

Microsoft (Outlook / Microsoft 365)

  • Mail.Read — Read email content and metadata. We do not send, modify, or delete emails.
  • User.Read — Identify your account.

4. Google API Services Limited Use Disclosure

Brevit’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Brevit limits its use of Google user data as follows:

  • Data is used only to provide and improve user-facing features of the Brevit service (real-time email monitoring, action item identification, security alerts, and briefings).
  • Data is not transferred to third parties except as necessary to provide the Service (Anthropic Claude API for AI analysis), with user consent, or as required by law.
  • Data is not used for serving advertisements.
  • Data is not used to train generalized AI or machine learning models. The Anthropic API does not use API-submitted data for model training.
  • Human access to user data is limited to debugging and support purposes, and only with user consent or as required by law.

5. What We Store

We persistently store only what is necessary to operate the Service:

  • Your name and email address (from your OAuth provider)
  • Connected account records (email address, provider, encrypted refresh token)
  • Outstanding items: sender name/email, subject line, AI-generated summary, urgency classification, and category — not full email bodies
  • Your notification preferences (briefing schedule, timezone)
  • Learned rules you create or that Brevit builds based on your feedback
  • Security alert records associated with outstanding items
  • Your subscription tier and trial status
  • Filtered email records (sender, subject, account — used to show filtered items on your dashboard)

6. Third-Party Services

Brevit uses the following third-party services to operate:

Supabase

Database and authentication infrastructure. Your data is stored in a Supabase-hosted PostgreSQL database with row-level security enabled.

Anthropic (Claude AI)

AI analysis provider. Email content is sent to Anthropic’s API for analysis. Anthropic’s data handling is governed by their Privacy Policy. We use API access, not the consumer product, and data submitted via API is not used to train Anthropic’s models.

Resend

Email delivery provider used to send your daily briefing emails. Only your email address and briefing content are shared.

Google / Microsoft

Email providers whose APIs we access on your behalf using OAuth. Your use of these services is governed by their respective terms.

Stripe

Payment processing provider. When paid plans become available, your payment information will be collected and processed by Stripe. We will receive only subscription status and billing metadata. Stripe’s data handling is governed by their Privacy Policy.

7. Data Security

We implement industry-standard security measures to protect your data:

  • All OAuth refresh tokens are encrypted at rest using AES-256-GCM before database storage
  • All data in transit is protected by TLS/HTTPS
  • Database access is governed by row-level security (RLS) policies — users can only access their own data
  • Service-role database access is restricted to server-side code only
  • We do not log or retain full email body content after analysis

8. Data Retention

Outstanding items remain on your dashboard until you resolve or dismiss them. Resolved and dismissed items are retained in your history for 30 days, after which they are automatically deleted. Filtered email records are retained until you dismiss them or they are cleaned up during routine processing.

Connected account records and encrypted OAuth tokens are retained until you disconnect the account.

Your subscription and preference data is retained for the duration of your account.

If you delete your Brevit account, all associated data — including your profile, connected accounts, outstanding items, learned rules, filtered emails, and preferences — is permanently deleted immediately. This action cannot be undone.

9. Your Rights

Brevit provides full self-service data management. You do not need to contact us to exercise any of these rights.

  • Access: You can view all data associated with your account in the Brevit dashboard and Settings page.
  • Export: You can download a complete copy of all your stored data at any time from Settings → Your Data → Export My Data. Data is provided in JSON format.
  • Edit: You can update your profile information, display name, briefing preferences, and notification settings directly from the Settings page.
  • Disconnect: You can disconnect any or all email accounts at any time from the Settings page. This immediately revokes Brevit’s access and deletes the stored OAuth tokens for that account.
  • Delete: You can permanently delete your entire Brevit account and all associated data from Settings → Your Data → Delete All My Data. This removes your profile, all connected accounts, outstanding items, learned rules, and filtered emails. This action is immediate and irreversible.

If you are a user in the European Union (GDPR) or California (CCPA), you additionally have the right to object to processing, restrict processing, and lodge a complaint with your local supervisory authority. All rights listed above can be exercised without contacting us. If you have additional requests, you may reach us at admin@brevit.app.

10. Children’s Privacy

Brevit is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at admin@brevit.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated “Last updated” date. Your continued use of the Service after any changes constitutes acceptance of the new policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Brevit

Email: admin@brevit.app