OwlGuardian Privacy Policy

Last updated: April 25, 2026

OwlGuardian ("we", "our", "the app") is an email security service that protects vulnerable individuals from phishing, fraud, and social engineering by analyzing incoming emails and alerting a designated trusted contact when threats are detected.

This privacy policy explains what data we collect, how we use it, who we share it with, and how we protect it.

1. Data We Collect

Account Data

When you sign in with a supported email provider (Google, Yahoo, or AOL), we receive:

• Email address — to identify your account and monitor your inbox
• OAuth access and refresh tokens — to access your email on your behalf via the provider's API or IMAP

Email Data

We access your email through provider-specific methods:

Gmail (via Gmail API):

• gmail.readonly — to read incoming email content (sender, subject, body, headers, labels) for scam analysis
• gmail.modify — to quarantine dangerous emails by modifying Gmail labels (moving to a quarantine label, removing from inbox) and to restore emails when a trusted contact marks them as safe

Yahoo Mail and AOL Mail (via IMAP):

• mail-r (read) — to read incoming email content (sender, subject, body, headers) for scam analysis
• mail-w (write) — to quarantine dangerous emails by moving them to a dedicated "OwlGuardian Quarantine" IMAP folder and to restore emails back to the inbox when a trusted contact marks them as safe

We access email content only for the purpose of automated scam detection. We do not access drafts, sent mail, contacts, calendar, or any data beyond what is necessary for threat analysis.

Trusted Contact Information

• Trusted contact email address — provided by the user during setup, used to send security alert notifications

Phone Numbers and Identity Verification Data

During account setup, we collect:

• Monitored user's phone number — provided by the trusted contact and confirmed by the monitored user during onboarding. Used for identity verification and to deliver account-related SMS messages (see Section 3 below).
• Trusted contact's phone number — verified via SMS at the trusted contact's own signup, used to deliver account notifications and to establish identity for anti-impersonation purposes.
• Identity verification facts — three short personal facts about the monitored user (such as a pet's name, a grandchild's name, or a street they grew up on) supplied by the trusted contact during signup. These facts are displayed to the monitored user during the onboarding flow so that they can confirm the trusted contact's identity is legitimate. Facts are encrypted at rest using AWS KMS and are deleted within 30 days of the account being closed or monitoring being revoked.

Analysis Results

When an email is flagged as suspicious or dangerous, we store:

• Sender address and subject line
• Email body text (for trusted contact review)
• AI-generated analysis: verdict, risk score, red flags, summary, and recommendation
• Review status and trusted contact decisions

2. How We Use Your Data

• Scam detection — Email content is sent to OpenAI's API for automated analysis to determine if an email is safe, suspicious, or dangerous. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models.
• Email quarantine and restoration — For Gmail, we modify labels to move dangerous emails out of the inbox. For Yahoo/AOL, we move emails to a dedicated IMAP quarantine folder. In both cases, emails are restored when a trusted contact confirms they are safe.
• Trusted contact alerts — When a threat is detected, we send an email notification to the designated trusted contact containing the sender, subject, risk assessment, and a link to review the email.
• Review dashboard — Trusted contacts can view all flagged emails for an account through a web-based dashboard.
• SMS communications — See Section 3 below.

We do not use your data for advertising, marketing, profiling, or any purpose unrelated to email security.

3. SMS Communications

OwlGuardian sends SMS (text) messages for account verification and security notifications. This section describes our SMS practices.

Types of SMS we send

• Verification messages — One-time passcodes sent during account setup to verify that a phone number belongs to the person being protected or to their trusted contact.
• Account notifications — Periodic reminders that your email is being monitored (typically monthly), with links to review or change who is monitoring it and instructions for ending monitoring.
• Security alerts — Messages directly related to your account's security posture (for example, confirmations that monitoring has been started, paused, or revoked).
• Opt-out acknowledgments — Confirmation that you have successfully opted out of future SMS after replying STOP.

All OwlGuardian SMS messages are transactional and related to your account. We do not send marketing or promotional text messages.

Opt-in

You provide SMS consent during OwlGuardian's account setup flow, either through the OwlGuardian iOS app or on this website. At that time, you will see the following disclosure:

"I agree to receive text messages from OwlGuardian for account verification, security alerts, and account notifications. Message and data rates may apply. Message frequency varies. Reply STOP to opt out, HELP for help."

Each person who receives texts opts in for their own number: on the screen where they enter their phone number, they check this consent box before any verification code is sent. No SMS is sent to a number until its owner has personally checked the consent box.

Opt-out and support

You can stop receiving SMS messages at any time by replying STOP to any OwlGuardian text message. You may also reply HELP for assistance or email support@owlguardian.net.

Replying STOP immediately ends all SMS communications to that number and terminates any active monitoring of the associated email account. Your trusted contact is notified that monitoring has been revoked.

Message frequency and rates

Message frequency varies based on account activity; typical volume is 1–4 messages per month. Message and data rates may apply depending on your mobile carrier plan. OwlGuardian does not charge for SMS; any charges are assessed by your carrier.

Mobile information sharing

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing with subcontractors who directly support our messaging operations (such as our SMS delivery provider) is permitted in support of those operations. All other categories of personal information exclude text messaging originator opt-in data and consent — this information will not be shared with any third parties.

We do not sell, rent, or trade phone numbers or SMS opt-in data to any third party. Phone numbers and SMS consent are used solely for operating the OwlGuardian service.

4. Data Sharing

We share data only in these limited circumstances:

• Trusted contact — The person you designate receives email alerts containing the sender address, subject line, AI-generated risk assessment and summary, and a link to review the flagged email (including its body text). The trusted contact does not receive access to your entire inbox — only emails flagged as suspicious or dangerous.
• OpenAI — Email content is sent to OpenAI's API for scam analysis. OpenAI processes this data under their API terms and does not use API data to train models.
• Amazon Web Services (AWS) — Our infrastructure runs on AWS. Data is encrypted in transit and at rest using AWS Key Management Service (KMS).

We do not sell, rent, or trade your personal data to any third party.

5. Data Storage and Security

• OAuth tokens are encrypted using AWS KMS before storage and are never stored in plaintext.
• Review items (flagged email analysis results) are stored in AWS DynamoDB with encryption at rest and are automatically deleted after 90 days via time-to-live (TTL) expiration.
• Email content is not permanently stored beyond the review item record. Full email content is only retained to allow trusted contacts to review flagged messages.
• All data transmission uses HTTPS/TLS encryption.
• Access to infrastructure is restricted and secured with IAM policies.

6. Data Retention and Deletion

• Review items are automatically deleted 90 days after creation.
• Account data is retained while your account is active.
• You can request deletion of all your data at any time by contacting us at privacy@owlguardian.net. Upon request, we will delete your account, stored tokens, and all associated review items.
• You can revoke OwlGuardian's access at any time through your provider's account settings: Google Account permissions, or Yahoo Connected Apps.

7. Google API Services User Data Policy Compliance

OwlGuardian's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only use Gmail data for the purpose of providing email security protection as described in this policy.
• We do not use Gmail data for serving advertisements.
• We do not allow humans to read your email data unless you have given affirmative consent for specific messages (via the trusted contact review feature), it is necessary for security purposes, or it is required by law.
• We do not transfer Gmail data to third parties except as described in this policy (OpenAI for analysis, trusted contact for review).

8. Yahoo/AOL Data Policy Compliance

OwlGuardian's use of Yahoo and AOL user data adheres to Yahoo's Developer Network Terms of Use and applicable data access policies.

Specifically:

• We only use Yahoo/AOL mail data for the purpose of providing email security protection as described in this policy.
• We do not use Yahoo/AOL data for advertising, user targeting, or monetization of any kind.
• We do not allow humans to read your email data unless you have given affirmative consent for specific messages (via the trusted contact review feature), it is necessary for security purposes, or it is required by law.
• We do not transfer Yahoo/AOL data to third parties except as described in this policy (OpenAI for analysis, trusted contact for review).
• We access only IMAP mail data. We do not access contacts (CardDav) or calendar (CalDav) data.

9. Children's Privacy

OwlGuardian is not directed at children under 13. We do not knowingly collect personal information from children under 13.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the app after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this privacy policy or your data, contact us at:

privacy@owlguardian.net