Privacy Policy

Effective date: July 2, 2026  ·  For the Gmail Tool personal MCP server

Scope of This Policy

This privacy policy applies to the Gmail Tool — a personal MCP server that provides read-only access to a single Gmail account. It is used exclusively by Yves La Rose for personal productivity purposes. It is not a commercial product or service available to the public.

What Data Is Accessed

With the user's explicit consent via Google OAuth 2.0, the Gmail Tool accesses the following from the authenticated Gmail account:

All access is read-only. The tool cannot compose, send, modify, delete, or transfer any email, attachment, or label.

How Data Is Used

Accessed data is used solely to fulfill the developer's personal assistant queries. Specifically:

No email data is shared with third parties. No email data is used for training machine learning models, analytics, advertising, or any purpose outside the developer's personal assistant workflow.

Data Storage & Retention

OAuth tokens: Access and refresh tokens are stored securely in an encrypted credentials store on the developer's personal infrastructure. These tokens are never shared with third parties.

Email content: Email data is accessed in-session only. It is not persisted to disk, database, or any long-term storage beyond the duration of the active session in which it was retrieved. When the session ends, any email data held in memory is discarded.

No caching or logging: The tool does not cache email content or log message bodies. Standard server logs may record connection metadata (timestamps, request types) for operational purposes but do not include email content.

Data Sharing

We do not sell, rent, trade, or otherwise transfer any accessed Gmail data to third parties. The OAuth token is used exclusively by this tool to authenticate with Google's Gmail API.

Third-Party Services

This tool communicates with Google's Gmail API via the standard OAuth 2.0 flow. Google's privacy policy governs the underlying Gmail service. The tool itself is hosted on the developer's own infrastructure and does not rely on any additional third-party data processors.

Data Protection

OAuth tokens are stored using age encryption (age-encryption.org). The tool runs on the developer's own infrastructure with standard operating system security controls (full-disk encryption, firewall, regular updates). Access to the underlying system is limited to the developer and authorized administrators.

User Rights

Since this tool is used by the developer for their own account, rights of access, correction, and deletion can be exercised directly by revoking the OAuth grant through the Google Account permissions page at myaccount.google.com/permissions. Revocation immediately terminates all data access.

Contact

Questions about this privacy policy or data practices:

Yves La Rose
Email: hello@netherlabs.ai