Privacy Policy

1. Information We Collect

We collect only the information necessary to operate and improve the Loreflow service. This may include:

• Account information (such as email address and authentication identifiers)
• Usage data related to interactions with the application
• Gmail data, when a user explicitly authorizes access via Google OAuth
• Limited technical metadata required to operate workflows

Loreflow does not collect unnecessary personal data.

2. Google OAuth and Gmail Data Access

Loreflow allows users to connect their Gmail account using Google OAuth. Gmail access is explicitly initiated and approved by the user.

Depending on enabled features, Loreflow may access the following Gmail data:

• Email metadata (sender, subject, timestamps)
• Email content required to generate replies
• Draft messages
• Gmail labels and message state (read/unread)

Purpose of access

Gmail access is used solely to enable email productivity features, including:

• Detecting new emails via Gmail push notifications (Pub/Sub)
• Analyzing incoming emails to understand context
• Generating draft replies using AI-powered agents
• Saving generated drafts to the user’s Gmail account
• Applying or updating Gmail labels as part of automated workflows

Loreflow does not send emails automatically and does not perform actions beyond those initiated or configured by the user.

3. Use of Pub/Sub

Loreflow uses Google Pub/Sub only to receive notifications that a new email has arrived in a user’s inbox.

• Pub/Sub does not provide access to email content
• It is used solely as a trigger mechanism
• All email content access occurs via the Gmail API with user-authorized OAuth tokens

4. Data Storage and Retention

Loreflow distinguishes between email-related content data and account or authorization data.

Gmail message content and processing data used to generate drafts or automate workflows is stored only as long as necessary for functionality and may be automatically deleted after a limited retention period (for example, up to 60 days).

Account-related data, such as OAuth tokens, connection status, and user configuration settings, is stored for as long as the user maintains an active account.

All stored data is deleted when a user deletes their account or revokes Gmail access.

Users may request deletion of their data at any time.

5. Data Security

Loreflow applies industry-standard security practices to protect user data, including:

• Encrypted connections (TLS) for data in transit
• Secure infrastructure and managed databases

Loreflow uses Supabase for backend data storage and Vercel for application hosting. These providers apply standard security and encryption measures to protect stored data.

6. Third-Party Services

Loreflow uses third-party services strictly to operate the platform, including:

• Google APIs, including the Gmail API
• Infrastructure and hosting providers (such as Supabase and Vercel)

All access to Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Loreflow:

• Does not sell personal data
• Does not use Gmail data for advertising
• Does not use Gmail data to train generalized AI models

7. User Rights and Control

Users may, depending on applicable law:

• Request access to their data
• Request correction or deletion of data
• Revoke Google OAuth access at any time

Revoking access immediately stops Loreflow’s ability to access Gmail data.

8. Contact Information

For privacy-related questions or requests, contact:

Email: support@loreflow.ai

9. Legal Status

Loreflow is currently operated by an individual based in Norway. A formal business entity may be established as the service is publicly launched and scaled internationally.