OwlGuardian Privacy Policy

Last updated: February 18, 2026

OwlGuardian ("we", "our", "the app") is an email security service that protects vulnerable individuals from phishing, fraud, and social engineering by analyzing incoming emails and alerting a designated trusted contact when threats are detected.

This privacy policy explains what data we collect, how we use it, who we share it with, and how we protect it.

1. Data We Collect

Google Account Data

When you sign in with Google, we receive:

• Email address — to identify your account and monitor your inbox
• OAuth access and refresh tokens — to access the Gmail API on your behalf

Email Data (via Gmail API)

We request the following Gmail API scopes:

• gmail.readonly — to read incoming email content (sender, subject, body, headers, labels) for scam analysis
• gmail.modify — to quarantine dangerous emails by modifying Gmail labels (moving to a quarantine label, removing from inbox) and to restore emails when a trusted contact marks them as safe

We access email content only for the purpose of automated scam detection. We do not access drafts, sent mail, contacts, or any data beyond what is necessary for threat analysis.

Trusted Contact Information

• Trusted contact email address — provided by the user during setup, used to send security alert notifications

Analysis Results

When an email is flagged as suspicious or dangerous, we store:

• Sender address and subject line
• Email body text (for trusted contact review)
• AI-generated analysis: verdict, risk score, red flags, summary, and recommendation
• Review status and trusted contact decisions

2. How We Use Your Data

• Scam detection — Email content is sent to OpenAI's API for automated analysis to determine if an email is safe, suspicious, or dangerous. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models.
• Email quarantine and restoration — We modify Gmail labels to move dangerous emails out of the inbox and restore them when a trusted contact confirms they are safe.
• Trusted contact alerts — When a threat is detected, we send an email notification to the designated trusted contact containing the sender, subject, risk assessment, and a link to review the email.
• Review dashboard — Trusted contacts can view all flagged emails for an account through a web-based dashboard.

We do not use your data for advertising, marketing, profiling, or any purpose unrelated to email security.

3. Data Sharing

We share data only in these limited circumstances:

• Trusted contact — The person you designate receives email alerts containing the sender address, subject line, AI-generated risk assessment and summary, and a link to review the flagged email (including its body text). The trusted contact does not receive access to your entire inbox — only emails flagged as suspicious or dangerous.
• OpenAI — Email content is sent to OpenAI's API for scam analysis. OpenAI processes this data under their API terms and does not use API data to train models.
• Amazon Web Services (AWS) — Our infrastructure runs on AWS. Data is encrypted in transit and at rest using AWS Key Management Service (KMS).

We do not sell, rent, or trade your personal data to any third party.

4. Data Storage and Security

• OAuth tokens are encrypted using AWS KMS before storage and are never stored in plaintext.
• Review items (flagged email analysis results) are stored in AWS DynamoDB with encryption at rest and are automatically deleted after 90 days via time-to-live (TTL) expiration.
• Email content is not permanently stored beyond the review item record. Full email content is only retained to allow trusted contacts to review flagged messages.
• All data transmission uses HTTPS/TLS encryption.
• Access to infrastructure is restricted and secured with IAM policies.

5. Data Retention and Deletion

• Review items are automatically deleted 90 days after creation.
• Account data is retained while your account is active.
• You can request deletion of all your data at any time by contacting us at privacy@owlguardian.net. Upon request, we will delete your account, stored tokens, and all associated review items.
• You can revoke OwlGuardian's access to your Gmail at any time through your Google Account permissions.

6. Google API Services User Data Policy Compliance

OwlGuardian's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only use Gmail data for the purpose of providing email security protection as described in this policy.
• We do not use Gmail data for serving advertisements.
• We do not allow humans to read your email data unless you have given affirmative consent for specific messages (via the trusted contact review feature), it is necessary for security purposes, or it is required by law.
• We do not transfer Gmail data to third parties except as described in this policy (OpenAI for analysis, trusted contact for review).

7. Children's Privacy

OwlGuardian is not directed at children under 13. We do not knowingly collect personal information from children under 13.

8. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the app after changes constitutes acceptance of the updated policy.

9. Contact Us

If you have questions about this privacy policy or your data, contact us at:

privacy@owlguardian.net