Gustavia

Privacy Policy

Last updated: 2026-05-27

Gustavia exists to help you wrangle appointments across many inboxes. To do that we touch your message content. This page lays out exactly what we collect, why, who else sees it, and what choices you have.

1. What we collect

  • Account info: email, hashed password (bcrypt, cost 12), 2FA secret (encrypted at rest), session metadata (IP hash + user-agent).
  • OAuth tokens: access/refresh tokens for connected providers (Gmail, Outlook). Encrypted per-user with AES-256-GCM.
  • Message content: subject and body of messages your connected providers return to us, only as needed to extract appointments. We poll at most once every 5 minutes.
  • Extracted events: title, time, location, attendees of appointments we found. We retain these so you can review/save/dismiss them.
  • Audit log: action type, hashed IP, truncated user-agent. No content. Retained 12 months.

2. What we do NOT collect

  • We do not collect payment-card details — Stripe (when paid plans launch) handles that.
  • We do not train AI models on your data.
  • We do not sell, share, or rent your data to advertisers, data brokers, or anyone else.
  • We do not log message bodies or recipient identities. Server logs include only path, status code, and userId.
  • We do not use third-party tracking cookies, fingerprinting, or session-replay tools.

3. Sub-processors

We share narrowly with the following:
  • Anthropic — receives message text we need to summarise into appointments. Per Anthropic's commercial terms, this data is not used to train models.
  • OpenAI — optional fallback for appointment extraction when Anthropic is unavailable. Same no-training contract terms.
  • Google — only when you connect Gmail; we use Google's OAuth + Gmail/Calendar APIs.
  • Microsoft — Entra ID (login), Microsoft Graph (transactional email + connected Outlook/Calendar). Mailbox: [email protected].
  • Cloudflare — edge / CDN / DDoS protection in front of our API and site.
We do not use any other third-party mailer or analytics vendor.

4. Encryption and access control

OAuth tokens, 2FA secrets, and backup codes are encrypted at rest with per-user keys derived via HKDF-SHA256 from a server master key. Even our database admins cannot read these without that master key. Tenant isolation is enforced on every API endpoint — every query is scoped by your user id; nobody else can read your rows. See /security for details.

5. Your rights (GDPR + CCPA)

Whatever country you're in, you can:
  • Access + export — Settings → Export my data. JSON of everything we hold about you.
  • Delete — Settings → Delete all data. Wipes your User row + all child rows. Hashed deletion log retained for audit.
  • Correct — change your email or password from Settings.
  • Object / restrict — disconnect any provider to stop new ingestion. Pause your account by deleting tokens but keeping the row.
  • Portability — the export is a standard JSON file you can move anywhere.
  • Complaint — EU/UK users may contact their data protection authority. CA users can email [email protected] to invoke CCPA rights (we treat all users equally regardless of residence).

6. Retention

  • Active account: data kept until you ask us to delete.
  • Closed account: deleted within 30 days.
  • Audit log: 12 months (security incident investigation).
  • Hashed deletion log: indefinite (one-way SHA-256 of your user id, no PII).

7. Children

Gustavia is not intended for users under 16. We do not knowingly collect data from children. If you believe we have, email [email protected] and we will delete it.

8. International transfers

Our servers are in the US. EU/UK users: by using the Service you consent to transfer of your data to the US under the EU Standard Contractual Clauses we sign with each sub-processor above.

9. Changes

Material changes get 30 days' email notice. Minor wording fixes (typos, clarifications) are posted here with an updated date and no notice.

10. Contact

Privacy questions: [email protected].
Security disclosures: [email protected].
Everything else: /support.