Privacy Policy

Draft · effective date to be set at publication

Draft notice: this policy is in pre-launch review. Final text will be published once LetMeBeFrAInk LLC is registered and legal review is complete. References to {LEGAL_ENTITY} will be replaced with the registered entity name.

1. What IGOR is and what data we handle

IGOR is a paid email concierge. You connect your Gmail or Outlook account and IGOR reads your incoming mail to classify it into buckets (Inbox / Watch / Security / Transactions / Newsletters / Promotions / Suspicious), produce a scheduled digest of what needs your attention, and draft replies in your voice for you to review before sending.

IGOR handles three categories of data on your behalf:

Account data — your email address, password hash or magic-link session, billing identifiers from Stripe, and IGOR configuration.
Mailbox content — messages IGOR reads via OAuth to classify and draft. See §3 for handling.
Voice profile — if you opt into the voice feature, a structured summary of your writing patterns (greetings, closings, tone, length, common phrases) extracted from a sample of your sent mail. See §4.

2. How we access your mailbox — OAuth

IGOR connects to Gmail or Microsoft 365 via OAuth. You grant specific permissions at connection time — you see exactly what you're granting on Google's or Microsoft's consent screen. We request:

Google:

gmail.modify — read, apply labels, create drafts. We do not send or delete mail.
calendar.readonly — read upcoming events for digest context. We do not create or modify events.
openid + userinfo.email — to confirm which account you connected.

Microsoft:

User.Read, Mail.Read, Mail.ReadWrite — equivalent Outlook access.

You can revoke IGOR's access at any time from your IGOR settings or directly from myaccount.google.com (Google) or your Microsoft 365 account portal. Revocation deletes the stored refresh token immediately.

3. How mailbox content is processed

Transit: all connections to Gmail, Microsoft Graph, and our AI subprocessors use TLS.

PII redaction: every email body that would be sent to an AI subprocessor first passes through IGOR's PI scrubber. The scrubber replaces credit card numbers, SSNs, phone numbers, email addresses, physical addresses, and labeled account/order/invoice IDs with placeholder tokens ([CARD], [PHONE], etc.). For voice extraction, a secondary pass additionally redacts personal names. Voice signal — sentence structure, greetings, closings, tone, punctuation — is preserved.

AI subprocessors:

OpenAI receives scrubbed email content for classification and (with your opt-in) voice pattern extraction.
Anthropic receives scrubbed email content plus your voice profile to generate reply drafts.

Both operate under their standard enterprise data controls. Neither is authorized to train models on your data under the contracts we sign.

Storage: we do not mirror full email bodies in IGOR's database. What we retain per processed message is metadata only: message ID, thread ID, bucket assignment, subject hash, timestamp, and classifier reasoning. Raw body stays in your Gmail / Outlook.

Logs: IGOR's application logs do not contain email bodies, draft content, or PII. Subject length and bucket labels may appear in logs for debugging.

4. Voice profile (optional)

If you opt into voice extraction during signup or later in settings, IGOR:

Fetches up to 100 of your recent sent messages from your Sent folder.
Tags each by recipient tier (professional, personal, mixed) using your contact relationships.
Passes each message through the PI scrubber, including name redaction.
Sends the scrubbed, tiered samples to OpenAI for pattern extraction.
Stores the resulting voice profile (JSON structure of patterns — not the raw samples) in your encrypted IGOR user config.

You can delete your voice profile at any time from settings. Deletion removes the profile from IGOR's storage within 24 hours.

5. Token security

OAuth refresh tokens are stored encrypted at rest, with the encryption key held separately from the database. File permissions on token stores are set to owner-only read/write. Tokens are never logged, never transmitted outside our hosting infrastructure, and never included in error reports.

6. Your rights

You can:

Export your IGOR account data (config, voice profile, digest history) at any time via settings.
Delete your IGOR account at any time. Deletion purges all IGOR-side state (tokens, voice profile, config, digest history) within 24 hours.
Revoke OAuth grants independently via Google / Microsoft account pages.
Opt out of voice extraction at any time.

Depending on your jurisdiction, you may have additional rights under GDPR, CCPA, or similar laws. Email privacy@letmebefraink.com to exercise any of them; we respond within 30 days.

7. Changes to this policy

We'll notify you by email at least 14 days before any material change takes effect. Continued use after a change signifies acceptance.

8. Contact

Questions, concerns, or rights requests: privacy@letmebefraink.com.