Privacy Policy
What we collect, how we use it, and your rights. Plain English.
1. Who we are
EmailSavy is an email tracking service operated via a Chrome extension and the website emailsavy.com. Contact: emailsavy@startuptalky.com.
2. Data we collect about YOU (the EmailSavy account holder)
- Account info: email, name (optional), bcrypt-hashed password, account creation timestamp.
- Tracked email metadata: for each email you send with tracking on — recipient address, subject line, send timestamp, the unique tracking ID we generated, the Gmail thread ID (if available).
- Engagement events: opens, clicks, replies. Each event captures timestamp, IP address of the device that triggered it, User-Agent string, derived city/country from IP, and a hashed device fingerprint for de-duplication.
- Custom tracking domain config (Pro feature, optional): the subdomain you chose, DNS verification status.
- Webhook URLs (Pro feature, optional): Slack/HTTPS endpoints you configured for real-time notifications.
- Payment metadata (Pro subscribers): Razorpay subscription ID + customer ID. We never store card numbers — Razorpay handles all payment data.
3. Data we do NOT collect
- The body of your outgoing emails
- Attachments
- Your contacts / address book
- Your browsing history outside of mail.google.com / outlook.com
- Credit card numbers or banking info (Razorpay handles those, never us)
- Behavioral analytics for advertising or third-party data sharing
4. Gmail API access (only if you connect Gmail)
Connecting your Gmail account is optional. You can use EmailSavy without ever doing this. If you choose to connect, we request read-only access via Google OAuth.
4.1 What scopes we request
gmail.readonly— read-only access to your Gmail messages and threads. Used to detect replies to your tracked emails server-side and fetch their content for the in-app preview.userinfo.email— your Google account email address. Used to display "Connected as <your-gmail>" in settings and to verify the connected account matches your EmailSavy account.
We never request: gmail.send (sending), gmail.modify (modifying labels/messages), gmail.compose (drafting), or any scope that lets us alter your inbox.
4.2 What we do with Gmail data
- We poll the Gmail API every 10 minutes for replies to emails you've already tracked.
- For matching threads, we fetch the most recent incoming message's body and store the first 240 characters as a "reply preview" so you can see the gist in the EmailSavy dashboard without opening Gmail.
- We store the canonical Gmail thread ID and reply timestamp on the corresponding tracked-email record.
- We do not read, store, or process emails that aren't replies to your tracked outbound mail.
- We do not read attachments.
- We do not share your Gmail data with anyone.
4.3 Limited Use disclosure (Google API Services User Data Policy)
EmailSavy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide or improve user-facing features (server-side reply detection + reply preview + canonical thread IDs).
- We do not use Google user data to train AI/ML models or generalized models.
- We do not sell, transfer, or share Google user data with third parties for advertising, marketing, or any commercial purpose.
- We do not allow humans to read Google user data, except: (i) with your specific consent, (ii) for security investigations or to comply with the law, or (iii) when the data has been aggregated and anonymized.
4.4 Disconnecting Gmail
You can disconnect Gmail at any time from /dashboard/settings or via your Google account permissions page. On disconnect we immediately revoke our refresh token at Google and delete it from our database. Already-fetched reply previews remain on your tracked-email records (they're your data, not Google's), but no further polling occurs.
5. Where data is stored
All data is stored on AWS infrastructure (Mumbai, India region) in a MongoDB database. Refresh tokens for Gmail OAuth are encrypted at rest using AES-256-GCM. All connections use TLS 1.2+ (HTTPS).
6. Third-party services
We use the following third-party services strictly to operate EmailSavy:
- Razorpay — processes Pro subscription payments. Razorpay receives the minimum necessary info (your email, plan name).
- Google Cloud (Gmail API) — only if you opt into the Gmail connection.
- OpenAI — currently NOT used by EmailSavy. Reserved for future opt-in features; if/when introduced, this clause will be updated and explicit consent collected.
- Sentry — error tracking. Only stack traces + request metadata, never email content or PII.
- AWS / Let's Encrypt — hosting + SSL.
7. Data retention & deletion
- Tracked email records: kept indefinitely while your account is active. You can delete individual emails or your entire history from the dashboard.
- Account deletion: use /dashboard/settings → "Delete my account". All your data — tracked emails, reminders, webhooks, sequences, custom domain config, Gmail OAuth tokens — is purged within 30 days.
- Gmail tokens on disconnect: deleted immediately, both at Google (revoke) and on our end.
- Backups: daily Mongo snapshots retained 30 days then auto-deleted. Account deletions propagate to backups within that window.
8. Your rights under the DPDP Act 2023 (India) and GDPR / CCPA
The Digital Personal Data Protection Act 2023 (India) grants you the following rights. You may exercise them directly from your dashboard or by contacting our Grievance Officer.
- Right to access (§11) — export all your data as JSON via GET /api/account/export (login required) or CSV from the dashboard.
- Right to correction and erasure (§12) — edit your account info in settings. To delete your account and all associated data, use the Delete Account option in your dashboard settings or call POST /api/account/delete (login required).
- Right to grievance redressal (§13) — contact our Grievance Officer: Shubham Kumar, StartupTalky — emailsavy@startuptalky.com. We respond within 30 days.
- Portability — JSON and CSV exports cover all your records.
- Objection / restriction — email emailsavy@startuptalky.com with your request.
9. Cookies
We use one essential cookie: mp_token, an HTTP-only session cookie that keeps you logged into the dashboard. We do not use tracking cookies, advertising cookies, or third-party analytics.
10. Children's privacy
EmailSavy is not intended for users under 16. We don't knowingly collect data from minors.
11. Changes to this policy
If we materially change this policy, we'll email all active users at least 14 days before the change takes effect. Minor wording updates (typo fixes, clarifications) will be reflected on this page with the "Last updated" date refreshed.
12. Security
Found a vulnerability? Email emailsavy@startuptalky.com with subject line "Security report". See our security.txt for full disclosure policy.
13. Contact
For privacy questions, data requests, or anything else: emailsavy@startuptalky.com.