Privacy Policy — Edith

Last Updated: November, 2025

Edith (“we”, “our”, “us”) is a macOS personal assistant designed to help you automate tasks, organize your workflows, and take action across your digital accounts. This Privacy Policy explains how we collect, use, store, and protect your information, including information received from Google APIs.

We are committed to protecting your privacy and complying with all applicable laws, including Google’s API Services User Data Policy, User Data Transparency Policy, and Limited Use Requirements.

If you have questions, contact us at kush@tryedith.com.

1. Information We Collect

1.1 Google Account Data

When you connect Edith to your Google account, you voluntarily grant access to specific Google API scopes so Edith can perform the actions you request. Edith may request the following scopes:

• https://www.googleapis.com/auth/userinfo.email
  
• https://www.googleapis.com/auth/userinfo.profile
  
• https://www.googleapis.com/auth/drive
  
• https://www.googleapis.com/auth/drive.file
  
• https://www.googleapis.com/auth/calendar
  
• https://www.googleapis.com/auth/documents
  
• https://www.googleapis.com/auth/spreadsheets
  
• https://www.googleapis.com/auth/presentations
  
• https://www.googleapis.com/auth/gmail.modify
  
• https://www.googleapis.com/auth/gmail.compose
  

These scopes enable features such as drafting emails, checking upcoming events, creating/editing Drive files, or extracting task-related metadata. We request only the scopes needed to provide the features you choose to use.

Raw Google content is NEVER stored

Edith does not store:

• Gmail bodies or full message text
  
• Google Drive file contents
  
• Google Docs / Sheets / Slides content
  
• Calendar event descriptions
  

We only store:

• Encrypted OAuth tokens
  
• Extracted task metadata (e.g., reminders, due dates, follow-ups)
  
• Minimal execution logs that do not include raw content
  

1.2 Data Processed on Your Device (Local-Only)

On macOS, Edith may access data from:

• Apple Notes
  
• Reminders
  
• Local files you permit
  
• System metadata used to personalize your experience
  

This data stays entirely on your device.
It is processed locally and is not uploaded to Edith’s servers unless explicitly required to perform a Google API action you request.

1.3 Server-Side Data (Supabase)

The only data stored on Edith servers is:

• Encrypted OAuth tokens
  
• Processed metadata/action items
  
• Minimal logs necessary for debugging and reliability (no raw content)
  

We use Supabase as our secure infrastructure provider.
No third parties receive access to raw Google data.

2. How We Use Information

We use your information strictly to:

• Execute tasks you request (e.g., draft an email, edit a document, check availability, summarize metadata)
  
• Generate reminders or action items using extracted metadata
  
• Maintain your authenticated session
  
• Improve reliability, performance, and debugging
  
• Communicate important updates or respond to support requests
  

We do not use your data for advertising, user profiling, or any purpose beyond what you explicitly request.

3. Google API Compliance

3.1 API Services User Data Policy

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Policy reference:
 https://developers.google.com/terms/api-services-user-data-policy

3.2 Limited Use Requirements

• Under Google’s Limited Use Policy:
• We do not sell Google user data.
• We do not share Google user data with advertisers, analytics providers, or data brokers.
• We do not use or transfer Google user data for serving ads, including retargeting, personalized, or interest-based advertising.
• We do not use Google user data for marketing, profiling, or any other purpose not described in this Privacy Policy.
• We do not use Google user data to train, retrain, or improve any machine learning or AI models.
• Access to Google user data is limited to what is necessary to provide user-facing features that you have enabled.

Human Access Restriction

Edith is designed so that Google user data is processed automatically. We do not routinely allow humans to read Google user data.

We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes (for example, investigating abuse, preventing fraud, or resolving technical issues), or it is required to comply with applicable law. In rare cases where you explicitly request support that requires temporary access, such access is limited, logged, and revoked after the issue is resolved.

4. Storage, Retention, and Deletion

4.1 Storage

We store only:

• Encrypted OAuth tokens
  
• Generated metadata (“action items”)
  
• Minimal operational logs (no raw Google content)
  

4.2 Retention

We retain data only as long as necessary to provide the service or until you request deletion.

4.3 Deletion

You may request deletion at any time by emailing: kush@tryedith.com

Upon deletion:

• OAuth tokens are revoked
  
• Metadata and logs are erased
  
• No raw Google content is retained anywhere
  

You may also revoke Edith’s Google access at:
 https://myaccount.google.com/permissions

5. Sharing and Disclosure

We do not sell, rent, or trade your personal information.

We only share data with essential service providers who support the operation of Edith:

• Supabase — token storage and metadata hosting
  
• Cloud hosting providers — application operation
  

These providers do not access your raw Google content and are contractually obligated to protect your information and use it only to provide their services to us.

We do not share your data with advertisers or marketing partners.

6. Security Measures

We use industry-standard security measures, including:

• TLS/HTTPS encryption for data in transit
  
• Encryption at rest for all stored data
  
• Strict access controls and audit logs
  
• Secure token lifecycle management
  
• Segmented infrastructure
  

While no system is completely secure, we take all reasonable steps to protect your data.

7. Verified Domains & Redirect URIs

To comply with Google’s domain verification requirements, Edith uses the following verified domains:

• https://tryedith.com — homepage, documentation, privacy policy
  
• https://uktfoabbzbbmadupztiz.supabase.co — OAuth redirect domain
  

Both domains are verified in Google Search Console and listed under Authorized Domains in our Google Cloud OAuth configuration.

8. Your Rights

You may:

• Access your stored metadata
  
• Request deletion of all data
  
• Disconnect Edith from your Google account
  
• Contact us with any privacy question
  

Contact: kush@tryedith.com

9. Children’s Privacy

Edith is not intended for individuals under 16.
We do not knowingly collect information from children.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically.
Updates will be posted on this page with a revised “Last Updated” date.
Significant changes may also be communicated via email or in-product notifications.

11. Contact Us

For privacy inquiries or data requests, contact:
kush@tryedith.com