The short version
- Google remains the authoritative source for Gmail and Calendar.
- Windlord stores OAuth credentials in protected operating-system credential storage and caches mailbox/calendar data in an encrypted database on your device.
- Windlord’s hosted services are designed not to accept plaintext Gmail or Calendar content by default.
- A cloud-backed agent may receive selected content only after you connect that agent and approve a specific grant. The agent provider is a separate service.
- Product evidence stays encrypted on your device by default and cannot contain mailbox content, calendar content, prompts, participants, provider resource IDs, URLs, attachment names, or arbitrary text.
- We do not sell personal data, run ads, track you across other companies’ apps or sites, or use Google Workspace data to train a general-purpose AI model.
Google Limited Use. Windlord’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Who and what this policy covers
This policy applies to Windlord apps, the Windlord website, and Windlord-hosted account, trust, notification, commerce, deletion, and analytics services operated by Supertrained Inc. (“Windlord,” “we,” “us”). It does not replace the privacy terms of Google, Apple, Stripe, or an external agent or model provider you independently choose.
If an organization provides your Windlord account, that organization may separately control account administration and its own data. This policy covers Windlord’s processing; your organization’s notice covers its processing.
Data Windlord handles
On your device
To provide the product, Windlord may process and retain locally:
- Google account subject, email address, display name, granted scopes, and connection state;
- OAuth authorization credentials in the iOS Keychain, macOS Keychain, Android Keystore-backed custody, or Windows protected credential storage, depending on platform;
- Gmail message bodies, subjects, sender and recipient information, labels, snippets, attachment metadata and, when requested, attachment content;
- Calendar lists, event titles, descriptions, attendees, timing, recurrence, locations, conferencing details, and provider revisions;
- local search indexes, attention decisions and evidence, preferences, drafts, agent grants, operations, approvals, receipts, and encrypted device-sync state.
On-device processing is not accessible to Windlord merely because it exists in the app. Removing an account deletes its associated local projection and credential through a crash-safe deletion flow. Removing the app deletes its application container, subject to operating-system behavior and any encrypted device sync you have enabled.
In Windlord’s hosted services
Windlord may process:
- opaque Windlord account and device identifiers, public device keys, signed trust registries, invitation state, and encrypted device-sync relay ciphertext;
- content-free notification routing, APNs or platform push tokens, push environment, app version, operating-system version, and delivery status;
- subscription provider references, product/price identifiers, entitlement state, transaction status, tax/accounting records, and refund or cancellation state;
- security events, bounded request metadata, coarse service health, signed deletion receipts, and minimum tombstones needed to prevent deleted accounts from being recreated by replay;
- content-free product events only after explicit analytics consent.
Our public control plane is designed to reject Gmail bodies, subjects, participants, calendar details, Google OAuth tokens, plaintext Windlord state, agent prompts, model responses, and executable agent commands.
Website and support
The website does not load analytics until you explicitly allow it. Before that choice, it makes no request to Google Analytics or Microsoft Clarity and stores no analytics cookie. Our hosting infrastructure may still process short-lived security and delivery information needed to serve a request, such as IP address, user agent, request time, route, and response status. If you email support, we receive the address, contents, and attachments you send. Do not send mailbox contents or credentials unless support specifically requests a minimized diagnostic after explaining the need.
How we use Google user data
Windlord requests only the Google scopes required for visible product features:
openid, email, and profile identify each connected account;- read-only Calendar List access shows and lets you select calendars;
- Calendar Events access reads and performs user-requested event operations;
- Gmail Modify access builds the inbox/attention views and performs user-requested or user-authorized mail operations such as send, reply, archive, label, star, read/unread, and trash.
Google user data is used only to provide or improve visible inbox, calendar, attention, and accountable-agent features. We do not use it for advertising, marketing profiles, credit decisions, sale to data brokers, surveillance, or development of a general-purpose AI model.
Windlord may transfer Google user data only when necessary to provide a user-facing feature, with your consent, for security or legal obligations, or as otherwise permitted by Google’s Limited Use requirements. Human access is prohibited except when you explicitly ask for support involving specific data, access is necessary for security or abuse investigation, law requires it, or the data has been aggregated and anonymized for internal operations.
External agents and model providers
Agent access is optional. Windlord does not bundle a hidden assistant that automatically reads your mailbox. When you connect an agent, Windlord identifies the integration and requires an explicit grant describing the permitted accounts, resource classes, time or item bounds, action classes, content ceiling, risk ceiling, approval conditions, and expiration.
A local agent process may itself communicate with a cloud model provider. Before enabling that path, Windlord tells you the named agent and provider, the data and actions in scope, and the provider’s separate role. Windlord never gives the agent your Google OAuth credential. It releases only grant-authorized data and accepts only typed requests that pass the authority and risk checks.
Your selected agent/model provider may retain prompts or content under its own terms. Windlord cannot erase data held by an independent provider; use the provider’s controls. Windlord’s own product analytics never record the agent conversation, prompt, model response, message content, or calendar content.
Analytics are explicit and bounded
Native product evidence
By default, product events remain local. You may separately opt in to pseudonymous sharing. The event schema is closed: it records coarse product surface, action class, risk/approval outcome, timing buckets, and provider-confirmation outcome. It cannot represent arbitrary text or content-shaped identifiers.
Turning sharing off purges queued local events, rotates the analytics identity and pseudonym key, advances the consent generation, and creates a durable request to delete previously uploaded events. Analytics failure cannot block or roll back a mailbox, calendar, approval, or agent action.
Website analytics
Website analytics is a separate, globally opt-in system. If you choose “Allow analytics,” the site loads Google Analytics 4 and Microsoft Clarity. They may receive the public page path, referring page, approximate location derived from network information, browser/device characteristics, performance diagnostics, and interactions such as page views, scrolling, clicks, and the private-beta request event. An IP address necessarily reaches those providers when your browser connects to them. Windlord does not send them a Windlord account identifier, Google account identifier, mailbox or calendar data, agent conversation, support email, form value, or advertising identifier.
Clarity is configured with cookies off until consent and Strict masking, which masks all page text in its recordings. We do not call Clarity’s identity API. Google advertising storage, Google Signals, ad-user data, and ad personalization are disabled. The page loads neither service after you decline. You can reopen “Analytics choices” in any page footer and withdraw consent; the site then disables collection, clears first-party analytics cookies it can access, and reloads without either provider.
When we disclose data
| Recipient | What | Why |
|---|---|---|
| OAuth and Gmail/Calendar requests | Connect accounts and read or modify provider data at your direction. | |
| Apple/platform services | App distribution, attestation, push token and content-free wake-up | Distribute, protect, and notify the app. |
| Your selected agent/model provider | Only grant-authorized Google-derived data and your task instruction | Perform the user-visible agent feature you approved. |
| Cloud infrastructure vendors | Opaque account/device data, ciphertext, operational and consented content-free analytics data | Host Windlord’s control plane. |
| Google Analytics and Microsoft Clarity | Consented public-website usage and diagnostics described above | Measure whether the public site is understandable and diagnose website usability; never app inbox or calendar behavior. |
| Payment providers | Account/transaction references and entitlement state | Process and reconcile subscriptions. Payment fields are handled by the payment provider. |
| Authorities or transaction counterparties | Minimum legally required data | Comply with law, defend rights, address security, or complete a corporate transaction with equivalent protections. |
We do not sell or rent personal data. We do not share data for cross-context behavioral advertising. We do not disclose Google Workspace data for training a general-purpose model.
Retention and deletion
- Google credentials: retained in protected device storage until disconnect, revocation, expiry, or app deletion.
- Local Gmail/Calendar data: retained until account removal or app deletion, with bounded-cache eviction where configured.
- Account/device trust and encrypted relay: retained for the account lifetime and deleted through the authenticated account-deletion ceremony, except a minimum content-free tombstone that prevents replay.
- Push registration: retained until device deregistration, token invalidation, or account deletion.
- Agent grants and receipts: retained in the encrypted local ledger until export or deletion; expired/revoked grants cannot execute.
- Shared content-free product evidence: our launch policy is up to 90 days for raw events and up to 25 months for de-identified aggregate scorecards. Revoking product-analytics consent requests deletion earlier.
- Website Google Analytics: user- and event-level retention is set to two months with reset-on-new-activity disabled; Google’s standard aggregated reports are not governed by that setting.
- Website Clarity: Microsoft retains playback data for 30 days and click, heatmap, labeled, or favorited-session data for up to nine months. Withdrawing website consent stops future collection but does not retroactively remove lawfully collected aggregate data.
- Commerce: entitlement records are deleted with the account except records retained for legal, tax, fraud, chargeback, or accounting duties.
- Support: retained only as long as needed to resolve the request, maintain security records, and satisfy legal obligations.
Deletion is authenticated to prevent an attacker from erasing your account. Windlord issues a signed deletion receipt when hosted account deletion commits. Backups expire on their protected rotation schedule and are not restored to recreate a deleted active account.
Security
Controls include encrypted local databases, device-protected secret storage, short-lived access credentials, hardware-bound device proof where available, App Attest/App Check on iOS, typed least-authority agent grants, confirmation for consequential actions, provider idempotency and reconciliation, tamper-evident receipt chains, encrypted device sync, restricted internal access, and content-minimized telemetry.
No system is perfectly secure. Report a suspected vulnerability or unauthorized access to team@supertrained.ai. Do not include live credentials or mailbox content in the initial report.
Your choices and privacy rights
The Data Controls page explains how to connect/disconnect Google, revoke Google authorization, remove local data, revoke agents, control analytics, export receipts, cancel a subscription, and delete your Windlord account.
Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or port personal data; withdraw consent; and appeal or complain to a privacy authority. We will verify the request and respond within applicable time limits. We do not discriminate for exercising privacy rights.
For EEA/UK users, our legal bases are performance of the service contract, consent for optional analytics and agent disclosures where required, legitimate interests in security and reliability, and compliance with legal obligations. Consent can be withdrawn without affecting prior lawful processing.
California residents may request access, correction, deletion, and information about categories, sources, purposes, and disclosures. Windlord does not sell or share personal information for cross-context behavioral advertising and therefore does not offer a “sale/share” opt-out.
International processing
Windlord and its providers may process data in the United States and other countries. Where required, we use recognized transfer mechanisms and contractual safeguards. Your Google and agent providers independently determine where they process the data you send to them.
Children
Windlord is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided data, contact us so we can investigate and delete it. Organizations deploying Windlord to younger users must have the authority and protections required by applicable law.
Changes to this policy
We will update this page when data practices change and revise the effective date. Material changes appear in the product or by another direct notice when required. App Store privacy answers and Google disclosures are updated with the shipping version; a new SDK, agent data path, billing path, or hosted content path reopens the privacy review.
Contact
Supertrained Inc. operates Windlord. Privacy and data-rights requests: team@supertrained.ai. Include the Windlord account identifier or connected email needed to locate the account, but never send a password, OAuth token, recovery secret, or mailbox content.