Privacy Policy


Effective Date: January 10, 2025

Last Updated: July 21, 2025

Filo Mail ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our services. By using Filo Mail, you agree to the practices described in this policy. If you do not agree, please refrain from using our services.


1. Information We Collect

We collect only the information required to deliver and improve Filo Mail.

1.1 Account Information

  • Name, email address, and password (hashed).
  • Optional profile details you choose to provide.

1.2 Email Metadata

  • Sender, recipient, timestamp, and subject line (needed for features such as categorization and prioritization).
  • We do not store the body of your emails.

1.3 Usage Data

Anonymous information about how you interact with Filo Mail—feature usage, settings, crash data—used strictly to improve performance and reliability.


2. How We Use Your Information

We process your information solely to provide, maintain, and enhance the service.

  • AI Assistance – Temporary analysis of email content to power summarization, categorization and priority alerts.
  • Push Notifications – Inform you of high-priority or time-sensitive messages.
  • Customer Support – Investigate and resolve issues you raise.

We never use your data to train AI models and we never sell personal information.


3. Data Security

We employ layered defences to protect the confidentiality, integrity, and availability of your information:

  • End-to-end TLS 1.3 with forward secrecy for all data in transit.
  • AES-256 encryption at rest backed by AWS KMS; customer master keys rotate every 90 days.
  • Isolated production VPC and hardened build pipeline.
  • Quarterly penetration tests and continuous vulnerability scanning.
  • Nitro Enclaves isolate sensitive AI inference workloads.

Despite our best efforts, no system is completely secure; safeguard your credentials accordingly.


4. Data Sharing

We do not sell or share your data except:

  • Service Providers – Trusted partners who must process data to provide the service and are bound by strict confidentiality.
  • Legal Requirements – To comply with applicable law or valid legal process.
  • Business Transfers – In connection with a merger, acquisition, or sale of assets, subject to this Policy.

5. Data Lifecycle & Retention

Filo never keeps data longer than necessary:

Data CategoryRetention WindowDeletion Mechanism
Messages & attachments (server-side)Not stored - streamed live from Gmail APICryptographic shred
Search queries (Gmail API passthrough)Zero retention - streamed live from Gmail APIAutomatic shard destruction
LLM cacheEphemeral RAM onlyWiped after inference
Application logs30 daysLog rotation & shred

Deletion timers run on immutable CloudWatch Rules and cannot be paused or altered by human operators.


6. Third-Party Sub-processors

ProviderRegionPurposeEncryption
Amazon Web Servicesus-west-2Compute, storage, key managementAES-256-KMS
CloudflareGlobalWAF, DDoS, Zero-Trust gatewayTLS 1.3 / mTLS
Google-GeminiGlobalAI Summaries · To-Do extraction · Compose/Reply · Chat(zero-retention)TLS 1.3 PFS
Anthropic-Claudeus-west-2AI Summaries · To-Do extraction · Compose/Reply · Chat(zero-retention)TLS 1.3 PFS
OpenAI- Azureus-east-2AI Summaries · To-Do extraction · Compose/Reply · Chat(zero-retention)TLS 1.3 PFS
Sentry SaaSus-west-2Crash telemetry (PII stripped)AES-256-GCM

We update this list whenever we add or remove a sub-processor.


7. AI Data Handling & Model Safety

  • Requests to the language model are encrypted in transit and routed to a zero-retention endpoint.
  • Plaintext is never written to disk; inference happens in volatile memory only.
  • Model outputs are not written back into any training set.
  • You can disable all AI features per mailbox or across your workspace (Planned).

8. Responsible Disclosure

We welcome security research and community feedback:

We acknowledge reports within 5 business days and remediate confirmed issues within 45 days.


9. Key Management & Encryption

  • Summaries and To-Dos generated by Filo are encrypted at rest with AES-256 using AWS-managed envelope keys, and encrypted in transit via TLS 1.3/SSL.
  • Encryption keys are centrally managed in AWS Key Management Service (KMS) and rotated automatically every 90 days.
  • User login credentials—including password hashes and OAuth tokens—are encrypted at rest with AWS‑managed AES‑256.
  • Only short‑lived, in‑memory data keys are used during processing; no plaintext keys are ever written to disk.
  • TLS 1.3 with forward secrecy secures all traffic between clients, servers, and sub‑processors.

10. Your Privacy Rights

Under GDPR (Articles 15-20) you may request access, correction, export, or deletion of your data at any time.

Email [email protected]

We will respond within 30 days.


11. OAuth Scope Transparency

Filo requests one and only one Google OAuth scope—the all-in-one Gmail scope. We keep it simple and transparent:

ScopeWhy We Need It
https://mail.google.com/Grants read, send, and modify rights in your mailbox. Required for Smart Inbox classification, AI Summaries, To-Do extraction, Compose/Reply assistance, and label management.
  • No additional Google scopes are requested.
  • Access is granted via OAuth tokens; we never see or store your Google password.
  • Tokens are encrypted at rest (AES-256 with AWS KMS) and transmitted over TLS 1.3.
  • Filo's implementation has passed Google's Cloud App Security Assessment (CASA) Tier 3 review.

12. Cookies & Tracking Technologies

Filo Mail uses cookies and similar technologies to maintain your session, remember preferences, and collect anonymized usage statistics. You can manage cookie preferences in your browser settings.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If significant changes are made, we will notify you via email or through a notice on our website. Your continued use of Filo Mail constitutes acceptance of the revised policy.


14. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at [email protected].