Privacy at AgentEnvoy

Last updated: April 20, 2026

Our Principles

These principles govern every decision we make about your data. They are not aspirational — they are operational. Our systems are built to enforce them.

I. We treat your information as if it were our own.

This is our foundational commitment. We hold and process your data with the same care and discretion we would expect for ourselves. If we wouldn't be comfortable with how a piece of information is handled, we don't handle it that way.

II. We learn only what the coordination requires.

The minimum knowledge principle. AgentEnvoy accesses only the data necessary to facilitate the specific coordination at hand — nothing more. We don't build profiles, mine patterns across coordinations, or retain information beyond its purpose.

III. We never advantage one party using the other's private data.

AgentEnvoy is a neutral coordinator. Information shared by one party is used solely to find mutual ground — never to give the other party a negotiating edge. Each party sees only the gist of what was shared, not the other's explicit details.

What We Access

Your Google account

When you sign in with Google, we receive your name, email address, and profile picture (openid, email, profile). We also store a Google-issued refresh token so we can maintain your connection without asking you to sign in again.

Your Google Calendar (hosts)

When you grant calendar access, AgentEnvoy requests two Google API scopes:

  • https://www.googleapis.com/auth/calendar.readonly — to read your calendars, events, working-location and out-of-office entries, and your timezone setting. Envoy uses this to know when you're free.
  • https://www.googleapis.com/auth/calendar.events — to create a calendar event when both parties agree on a time, to place short tentative holds during an active coordination, and to delete or adjust those events when you cancel or reschedule through AgentEnvoy.

Which scopes we ask for depends on how you sign in. If you sign up through our front door — the header, homepage, or /login page — we request read and write together, since you're signing up to host meetings. If you connect a calendar from within a meeting link someone shared with you, we request read-only; you'll only be asked for write later if you become a host yourself. The goal is to ask for the narrowest access that fits what you're actually doing.
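As an added example (not AgentEnvoy's code), this is one way to implement the scope selection described above and to enforce it at write time: the entry-point names "meeting-link" and "become-host" and the `grantedScopes` array are assumptions for illustration.

```javascript
// Added example, not AgentEnvoy's own code. Chooses the narrowest Google OAuth
// scope set for an entry point and guards every calendar write so that a token
// granted read-only access can never be used to create, modify or delete events.
const SCOPE_READ = "https://www.googleapis.com/auth/calendar.readonly";
const SCOPE_WRITE = "https://www.googleapis.com/auth/calendar.events";

// Front-door sign-ups (header, homepage, /login) become hosts, so they get read
// and write together. A guest connecting from a shared meeting link
// ("meeting-link", assumed name) gets read-only; a guest who later becomes a
// host ("become-host", assumed name) is asked for write incrementally.
function scopesFor(entryPoint, grantedScopes = []) {
  const hostEntry = ["header", "homepage", "/login", "become-host"];
  const wanted = hostEntry.includes(entryPoint) ? [SCOPE_READ, SCOPE_WRITE] : [SCOPE_READ];
  // Incremental consent: only request scopes that have not already been granted.
  return wanted.filter((s) => !grantedScopes.includes(s));
}

// Gate for all calendar mutations. Checking the granted scopes here, rather
// than trusting the caller's role, means a guest token is refused even if
// application logic is wrong about who is a host.
function assertCanWriteCalendar(grantedScopes) {
  if (!grantedScopes.includes(SCOPE_WRITE)) {
    throw new Error("calendar write refused: token lacks calendar.events scope");
  }
  return true;
}
```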

By default Envoy reasons only about when you are busy — not why. We see “busy 9–10am,” not “Doctor appointment with Dr. Smith.” You may choose to let Envoy also consider event titles and locations so it can reason about your flexibility (for example, noticing that a nearby lunch makes an in-person meeting convenient). When you do, Envoy uses those details internally and never shares them with the other party.

Your Google Calendar (guests)

If you're a guest invited to a meeting, you can optionally connect your calendar so AgentEnvoy can find a mutual time. This uses https://www.googleapis.com/auth/calendar.readonly — read-only. We can never create, modify, or delete anything on a guest's calendar. We read only the free/busy windows needed for the coordination you're in.

Data you provide directly

This includes messages you send to Envoy during a coordination, preferences you set (meeting duration, phone number, video provider, scheduling rules), and any knowledge you explicitly teach Envoy about how you prefer to work.

Patterns Envoy learns about you

As you use AgentEnvoy, Envoy derives a set of scheduling preferences from how your calendar actually looks — the hours you tend to be working, buffers around focus time, and which people you make time for most easily. These derived patterns are stored against your account so Envoy can make smarter proposals on your behalf. They're available for you to review and edit on your dashboard, and they're deleted when you delete your account.

Product-usage events

We record a small set of product-usage events (for example, “you finished onboarding,” “you confirmed a meeting”) in our own database so we can see which parts of the product work and which don't. Event names are enumerated in our source code under an allowlist, and event properties are limited to short primitive values (strings, numbers, booleans). Calendar content, message text, and free-text input are never captured through this channel. We do not currently send these events to any third-party analytics vendor; if that ever changes, we'll update this policy and list the vendor here before any data leaves our infrastructure.
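As an added example (not AgentEnvoy's code), a guard that enforces the two rules above at the point an event is recorded: the event names and the 64-character string cap are constructed for illustration.

```javascript
// Added example, not AgentEnvoy's own code. Rejects any usage event whose name
// is not in the allowlist or whose properties are not short primitives, so
// calendar content or message text cannot ride along on the telemetry channel.
const ALLOWED_EVENTS = new Set([
  "onboarding_completed", // "you finished onboarding"
  "meeting_confirmed",    // "you confirmed a meeting"
]);
const MAX_STRING_LENGTH = 64; // assumed cap; long strings are how free text leaks

// Only the three primitive types the policy permits. null, undefined, objects,
// arrays and functions all fail this check.
function isPrimitive(value) {
  return typeof value === "string" || typeof value === "number" || typeof value === "boolean";
}

// Returns { ok: true, event } with a sanitized copy, or { ok: false, reason }
// naming the first rule violated. Nothing unexpected is passed through.
function validateUsageEvent(name, props = {}) {
  if (!ALLOWED_EVENTS.has(name)) {
    return { ok: false, reason: `event name not in allowlist: ${name}` };
  }
  const clean = {};
  for (const [key, value] of Object.entries(props)) {
    if (!isPrimitive(value)) {
      return { ok: false, reason: `property "${key}" is not a primitive` };
    }
    if (typeof value === "string" && value.length > MAX_STRING_LENGTH) {
      return { ok: false, reason: `property "${key}" exceeds ${MAX_STRING_LENGTH} chars` };
    }
    if (typeof value === "number" && !Number.isFinite(value)) {
      return { ok: false, reason: `property "${key}" is not a finite number` };
    }
    clean[key] = value;
  }
  return { ok: true, event: { name, props: clean } };
}
```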

When you send us feedback

There's a “Send feedback” link in the product. When you use it, you can optionally include recent activity (your latest messages, active sessions, and any route errors from the last day) so we can see what you were seeing. Calendar event contents are redacted before anything is stored — we keep times, titles, status, and participant counts; we strip descriptions, attachments, non-participant emails, and URL-shaped locations. If you opt to share, we gather only what you chose to share. Feedback is a gift — thank you for taking the time. 💜
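As an added example (not AgentEnvoy's code), a redaction step that applies the rules in the paragraph above to a calendar event before it is stored with a feedback report; the event shape and the sample values are constructed for illustration.

```javascript
// Added example, not AgentEnvoy's own code. Keeps times, title, status and a
// participant count; drops description, attachments, URL-shaped locations and
// every email that does not belong to a participant in the coordination.
const URL_SHAPED = /^(https?:\/\/|www\.)/i;

// Constructed sample event, not real data.
const SAMPLE_EVENT = {
  title: "Lunch with Alex",
  start: "2026-04-21T12:00:00-07:00",
  end: "2026-04-21T13:00:00-07:00",
  status: "confirmed",
  description: "Discuss the contract; bring the draft",
  location: "https://meet.example/abc-defg",
  attendees: [{ email: "host@example.com" }, { email: "alex@example.com" }, { email: "assistant@example.com" }],
  attachments: [{ name: "draft.pdf" }],
};

// Fields are copied explicitly, so a field added to the event object later is
// dropped by default rather than leaking into the report.
function redactEventForFeedback(event, participantEmails) {
  const participants = new Set(participantEmails.map((e) => e.toLowerCase()));
  const attendees = Array.isArray(event.attendees) ? event.attendees : [];
  const redacted = {
    start: event.start,
    end: event.end,
    title: event.title,
    status: event.status,
    participantCount: attendees.length,
    participantEmails: attendees
      .map((a) => String(a.email || "").toLowerCase())
      .filter((e) => participants.has(e)),
  };
  const loc = typeof event.location === "string" ? event.location.trim() : "";
  if (loc && !URL_SHAPED.test(loc)) redacted.location = loc; // URLs are usually meeting links
  return redacted;
}

// Redacts a whole bundle and re-checks, as a last line of defence, that none
// of the stripped fields survived before anything is persisted.
function redactFeedbackBundle(events, participantEmails) {
  const out = events.map((ev) => redactEventForFeedback(ev, participantEmails));
  for (const ev of out) {
    for (const k of ["description", "attachments"]) {
      if (k in ev) throw new Error(`redaction failed: ${k} present`);
    }
  }
  return out;
}
```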

How We Use It

Your data is used for one purpose: facilitating the meeting coordination in front of you.

  • Scheduling. Calendar data is used to compute availability, propose times, and place or confirm events.
  • Envoy's reasoning. Messages and (optionally) event titles are passed to our AI model so it can respond in the coordination. Nothing is retained by the AI provider beyond the single request that generates each reply.
  • Account operation. Your Google identity is used to authenticate you and keep you signed in. Your email address is used for transactional notifications (meeting confirmations, cancellations, a welcome message).

We do not:

  • Sell, rent, or share your data for advertising or marketing
  • Use your data or any data received through Google APIs to train, fine-tune, or improve AI or machine-learning models
  • Build cross-session profiles or behavioral models
  • Share one party's event details or private context with the other party
  • Access more calendar data than the specific coordination requires

AgentEnvoy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Services We Use

We rely on a small number of infrastructure providers to operate. Each is a data processor acting under our instructions, bound by their own published terms:

  • Google APIs — authentication and Google Calendar access. Data shared: OAuth tokens and API requests on your behalf.
  • Anthropic (Claude) — AI model that powers Envoy. Data shared: coordination messages and the specific calendar context relevant to the current conversation (times; titles only if you've enabled enhanced access). Anthropic does not retain this data beyond the individual request and does not use it to train models.
  • Amazon Web Services (SES) — sends our transactional emails (meeting confirmations, cancellation notices, occasional account notices). Data shared: recipient email addresses and the email content itself.
  • Vercel — application hosting and serverless execution. Data shared: every request you make to AgentEnvoy passes through Vercel's infrastructure.
  • Supabase — managed PostgreSQL database. Data shared: everything we persist about your account and coordinations is stored here, encrypted at rest.
  • Cloudflare — DNS for agentenvoy.ai.

We do not share your data with any third party for advertising, analytics, profiling, or any purpose unrelated to operating AgentEnvoy. We do not use advertising trackers, analytics pixels, or data brokers.

How We Protect It

  • In transit: all traffic between your browser, AgentEnvoy, and every service we use is encrypted with TLS (HTTPS).
  • At rest: the database is encrypted at rest by Supabase. OAuth refresh tokens are stored in the same encrypted database; they are never logged or exposed to the client.
  • Cookies and tracking: no advertising identifiers, tracking cookies, or cross-site trackers are set. Session cookies are HTTP-only and scoped to agentenvoy.ai.
  • Access within AgentEnvoy: see “Internal access audit” below — every internal read of user-specific data is logged, and team access to your thread or calendar requires your explicit opt-in.
  • Scope minimization: we request the narrowest Google OAuth scopes that allow the product to function — read events, read timezone, create/modify our own booked events. Nothing broader.

Internal Access Audit

Every internal admin read of user-specific data — feedback reports, user drawers, event streams — writes a row to an internal audit log (AdminAccessLog). The log records which admin, which route, and when. This is a structural control: the audit exists by construction, not by policy. If you'd like a copy of your own log entries, email privacy@agentenvoy.ai.

When our team needs to read your specific thread or calendar to help you with a bug, we ask for your explicit opt-in via the Privacy section of your Account page. The consent is revocable at any time, and every access is still logged.

Retention and Deletion

We keep data only as long as it serves a purpose.

  • Coordination sessions (messages, proposals, outcomes) are retained for 30 days after completion, accessible to both parties. After 30 days, session data is permanently deleted.
  • Guest calendar data (availability from a guest's connected calendar) is retained for 30 days, then permanently deleted. Guest OAuth credentials are revoked and deleted at the same time.
  • Host calendar cache (the scored availability view Envoy uses) is refreshed continuously and discarded whenever you revoke access or delete your account.
  • Host account data (profile, preferences, calendar connection) persists for the life of your account.

Deleting your account and data

You can permanently delete your AgentEnvoy account at any time from the Account page under Delete account. When you do:

  • All your profile, preference, and session data is deleted from our database
  • All cached calendar data is deleted
  • Your Google OAuth authorization is revoked with Google on our side
  • Confirmed calendar events AgentEnvoy previously created are left in place — those are yours

You can also revoke AgentEnvoy's access to your Google data at any time from Google Account Permissions. Once revoked, we stop accessing any Google data immediately and delete any cached calendar data within 30 days.

Questions, or need help with deletion or a data export? Email privacy@agentenvoy.ai.

Contact

Questions about this policy or your data: privacy@agentenvoy.ai