Privacy Policy

Last Updated: September 19, 2025

Espa Labs, Inc. (“Espa,” “we,” “our,” or “us”) values your privacy and is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, how we protect it, and the choices you have regarding your information. By using Espa, you agree to the practices described below.

1. Information We Collect

a. Information You Provide

• Account Information: Email address, phone number and WhatsApp contact, and payment details (processed by Stripe).
• Preferences & Settings: Task and scheduling preferences, and other personalization data you configure in your dashboard.
• Conversation Data: Messages, commands, or feedback you provide to the AI through our web app, mobile app, or WhatsApp/SMS. Used to execute your requests and improve your experience.

b. Information We Access via Google OAuth

• Gmail: Subject lines, sender/recipient info, message bodies, and attachments as needed to triage, draft replies, follow up, unsubscribe, and act on user-approved tasks.
• Calendar: Event details (title, time, participants) to schedule, coordinate, and remind you of meetings.
• Basic Profile: Your Google profile email and name for identification.

We request only the minimum OAuth scopes required and follow Google’s User Data Policy, including the Limited Use requirements.

c. Automatically Collected Data

• Usage Data: Metadata such as timestamps, performance metrics, and interaction counts to improve reliability and diagnose issues.
• Device/Browser Info: Non-identifiable technical details used for security and performance optimization.

2. How We Use Your Information

• Perform the core functions of the Service (email triage, drafting, scheduling, reminders).
• Remember your preferences in a user-auditable way to personalize your experience.
• Improve service quality and reliability (using anonymized or aggregated insights where possible).
• Provide onboarding, billing, and service updates.
• Ensure system security, monitor for abuse, and comply with legal obligations.

We do not use your Gmail or Calendar data for advertising, profiling, or unrelated analytics.

3. How We Share Your Information

• Third-Party AI Providers: OpenAI, Anthropic, and Google Gemini to process tasks you request. These providers operate under Zero Data Retention commitments: they must not train on your data and must delete data after processing and a safety/abuse monitoring window.
• Payment Processor: Stripe, for subscription billing and payment security.
• Infrastructure/Security Providers: Cloud hosting, logging, and monitoring under strict contractual obligations; they cannot use your data for their own purposes.
• Legal Requirements: When required by law, subpoena, or to enforce our Terms of Service.

We never sell your personal data.

4. Data Storage, Retention & Deletion

• Zero Data Retention with Model Providers: Data sent to third-party models is automatically discarded after processing and is not used for training.
• Mail & Calendar Data: Deleted from our systems (logs, databases, backups) within 7 days of processing.
• Memories & Preferences: Stored in human-readable, user-auditable formats. You can edit or delete them anytime in your dashboard.
• User-Controlled Deletion: You may request deletion of your account and all data by contacting help@espa.ai.

5. Security & Access Control

• Encryption: All data encrypted in transit (TLS/HTTPS) and at rest.
• Access Controls: Production systems and logs are protected by strict role-based access control, least-privilege permissions, and comprehensive audit logging. No employee may access user data without explicit, case-specific, and logged authorization for operational needs (e.g., resolving a user-initiated support ticket).
• Operational Best Practices: We apply industry-leading security standards, periodic access reviews, and continuous monitoring for unauthorized access attempts.

6. Your Rights & Choices

• Revoke OAuth Access: Disconnect Espa from your Gmail/Calendar at any time via Google Security Settings.
• Access & Portability: Request a copy of your stored preferences and memories.
• Edit or Delete: Manage or remove memories directly in your dashboard.
• Erase Data: Request complete deletion by contacting help@espa.ai.

7. Google API Services User Data Policy — Compliance

This section consolidates our compliance with Google’s API Services User Data Policy (including Limited Use). It complements, and should be read with, Sections 1–6 above.

a. Scopes We Use (minimum necessary)

• gmail.readonly, gmail.modify
• calendar.events.readonly, calendar.events, calendar.calendarlist.readonly, calendar.settings.readonly
• userinfo.email

b. Purpose

We use these scopes only to read/triage mail, draft and (with your confirmation) send replies, manage events and scheduling, and personalize your experience. We do not use Google data for advertising or unrelated purposes.

c. Limited Use Commitment

• Your Gmail and Calendar data is never used to serve ads.
• We do not share Google data with third parties except as necessary to provide the Service (e.g., secure model/infrastructure providers bound by confidentiality and limited-use terms).
• Human access to Google data is restricted to the narrow cases necessary for security, legal compliance, or user-requested troubleshooting, and is always logged and access-controlled.
• You can revoke our access anytime in your Google Account’s Security settings.

Learn more: Google API Services User Data Policy.

8. Data Residency & Transfers

Espa processes and stores all data in the United States. We implement appropriate safeguards for international transfers as required by law for users using the Service outside the United States.

9. Service Transparency

Espa is currently in an Alpha release and may have occasional bugs or downtime. You can always ask, “What did you do today?” to view recent actions. Potentially destructive actions (e.g., sending or deleting emails) require your confirmation.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notifications. Your continued use of the Service constitutes acceptance of the updated policy.

11. Contact Us

Questions or requests? Contact help@espa.ai.