Privacy Policy
Last updated: May 21, 2026
This Privacy Policy describes how xCopilot ("we", "us", "our") handles information when you use our website at xcopilot.io, our Chrome extension, and related services (collectively, the "Service").
1. Who this applies to
This policy applies to visitors, account holders, and users who connect a Google Gmail account to the Service.
2. Information we collect
- Account information: email address and authentication data when you sign in (for example via email verification or Google sign-in where enabled).
- Gmail data (only if you connect Gmail): message metadata and content needed to provide the Service, such as sender, subject, snippet, body text, labels, and headers used for scam detection, organization, and optional spam cleanup. We access Gmail through Google's APIs using the permissions you approve on the OAuth consent screen.
- Settings and activity: your remote mail preferences (scan schedule, scam tagging, spam deletion options) and a log of Service actions (for example scam marked, scan completed, mail deleted) shown in your dashboard.
- Usage data: approximate counts of scans and AI reviews to enforce plan limits and improve reliability.
- Technical data: standard server logs (IP address, user agent, timestamps) for security and debugging.
3. How we use information
We use information to:
- Provide scam and phishing detection, Gmail labeling, optional spam deletion, and inbox insights;
- Run scheduled or manual inbox scans according to your settings;
- Authenticate you and keep your account secure;
- Operate, maintain, and improve the Service;
- Comply with law and protect users from abuse.
We do not sell your personal information. We do not use Gmail data to train generalized public AI models for unrelated products.
4. Google API Services
xCopilot's use of information received from Google APIs follows the Google API Services User Data Policy, including the Limited Use requirements. Gmail access is optional and only occurs after you explicitly connect your inbox and grant OAuth consent.
5. Storage and processors
Data is stored using cloud infrastructure (including Google Cloud / Firebase Firestore and Cloud Run) and processed on servers in the United States unless otherwise stated. OAuth refresh tokens for Gmail are stored securely to perform background scans you enable.
6. Retention
We retain account and settings data while your account is active. Activity history may be deleted automatically according to your retention settings or when you clear it in the dashboard. When you disconnect Gmail, we stop new Gmail processing; you may request deletion of stored account data by contacting us.
7. Sharing
We may share information only:
- With infrastructure providers that host the Service under confidentiality obligations;
- When required by law or to protect rights, safety, and security;
- With your direction (for example when you use features that call third-party AI APIs to analyze mail you submit).
8. Your choices
- Disconnect Gmail at any time from the dashboard;
- Adjust or disable automated scans and spam deletion in settings;
- Sign out and request account data removal by contacting us.
9. Security
We use industry-standard measures such as HTTPS, access controls, and API keys for service-to-service calls. No method of transmission or storage is 100% secure.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect their data.
11. International users
If you use the Service from outside the United States, you understand that data may be processed in the US or other countries where our providers operate.
12. Changes
We may update this policy. We will post the new date at the top of this page. Continued use after changes means you accept the updated policy.
13. Contact
For privacy questions or requests, contact: privacy@xcopilot.io