Google account access
Disconnect inside Windlord
Open Settings → Google Accounts → select the account → Disconnect and delete local data. This removes the device credential and that account’s encrypted local projection.
Revoke at Google
Remove Windlord from Google’s third-party access page. Google then rejects future token refreshes; Windlord marks the connection for reauthorization.
Open Google connectionsDisconnecting one account does not affect another. Actions already confirmed by Google remain part of your Gmail or Calendar until you reverse them there or through an authorized client.
Local mailbox and calendar data
Disconnecting a Google account deletes its cached threads, messages, labels, calendar data, search index, sync cursors, and credential through a crash-recoverable cascade. Deleting the app removes its application container. If encrypted multi-device sync is enabled, delete the Windlord account to erase hosted ciphertext and revoke other devices.
Google is the source of truth. Deleting Windlord’s local copy does not delete email or calendar events from Google. Use an explicit Gmail or Calendar action if that is your intent.
Agent access
Inspect
Settings → Agents lists the client identity, accounts, data classes, actions, risk ceiling, approval rules, content ceiling, creation time, and expiration for every grant.
Revoke
Select a grant → Revoke. Revocation closes derived sessions and prevents new requests. An in-flight provider attempt enters reconciliation; it is never silently replayed.
Reduce authority
Create a narrower replacement grant. Windlord does not mutate a grant in place or let renewal widen its authority.
Remove provider data
Deleting a Windlord grant cannot delete data retained by an external agent/model provider. Use that provider’s privacy controls separately.
Analytics controls
Native product evidence
Settings → Privacy → Product Evidence offers three explicit states:
- Off: record no product events.
- Local only: keep closed-schema, content-free events in the encrypted local database for your own diagnostics.
- Share pseudonymous evidence: upload content-free events to help evaluate attention and agent outcomes.
Leaving shared mode purges queued events, rotates the analytics identity and pseudonym key, and sends a durable deletion request for remote raw events. Analytics never includes message subjects/bodies, participants, calendar content, prompts/responses, provider IDs, URLs, attachment names, or arbitrary text.
Public website
The website loads no Google Analytics or Microsoft Clarity code before you opt in. Use Analytics choices in any page footer to allow, decline, or withdraw website analytics. Withdrawal disables collection, removes accessible first-party analytics cookies, and reloads the page without either provider. Website consent does not change the app’s Product Evidence setting, and app consent does not change website consent.
Export data and receipts
Settings → Data → Export creates a user-authorized package containing account metadata, preferences, agent grants, and receipt history. Mailbox and calendar source content remains available from Google’s own export tools. Export generation is local where possible and requires fresh device authorization for sensitive receipts.
For a hosted-account export or if the in-app control is unavailable, email team@supertrained.ai. We verify account/device authority before releasing data.
Subscription controls
Cancel through the provider used to purchase:
- Apple: iOS Settings → Apple Account → Subscriptions → Windlord.
- Web/Stripe: Windlord Settings → Plan → Manage billing.
- Organization plan: contact the organization administrator or the billing contact on the order.
Cancellation stops renewal but does not itself delete the Windlord account or Google data. Refunds are handled by the purchase provider and applicable law.
Delete the Windlord account
Settings → Account → Delete Windlord Account starts a fresh device-authorized ceremony. Before confirming, Windlord shows the devices, hosted ciphertext, entitlements, analytics state, and local effect.
- Revoke active agent grants and device sessions.
- Delete account-scoped hosted trust, relay, notification, commerce, and analytics records.
- Write only a minimum content-free tombstone needed to prevent an invitation, merchant webhook, or stale device from recreating the account.
- Return a signed deletion receipt that can be verified independently.
- Delete local account state and credentials; disconnect/revoke Google as selected.
If no trusted device is available, contact team@supertrained.ai. Recovery deletion requires identity and account-control verification to prevent hostile erasure.
Submit a privacy-rights request
Email team@supertrained.ai to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or an appeal. State your request and the minimum account identifier needed to locate the record. Never send passwords, OAuth tokens, recovery secrets, or mailbox contents.
We may request a device-signed challenge or other proportionate verification. We respond within the time required where you live and explain any denial and appeal route.