Privacy Policy
Effective date: March 16, 2026 · Last updated: March 16, 2026
1. Introduction
Welcome to mystacy.ai (“MyStacy,” “we,” “us,” or “our”). MyStacy is an AI-powered personal productivity platform developed by Kash Nawaz and operated by Veridix AI LLC, a Florida limited liability company.
MyStacy provides an AI assistant named Stacy that helps users manage email, tasks, contacts, calendar, and knowledge. The Service is available as a web application at app.mystacy.ai and as a Chrome browser extension.
This Privacy Policy describes what information we collect, how we use it, who we share it with, how we protect it, and what choices you have. It applies to all users of the mystacy.ai web application, Chrome extension, API integrations, and related services (collectively, the “Service”).
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
We collect the following categories of information:
Google Account Information
- Your name, email address, and profile picture, obtained via Google Sign-In (using the userinfo.email and userinfo.profile OAuth scopes) for authentication purposes.
Gmail Data
- Email metadata — sender, recipient, subject lines, and timestamps, accessed via the Gmail API using the gmail.readonly scope.
- Email body content — the full text content of emails, accessed via the Gmail API using the gmail.readonly scope, for display in the mail interface and AI summarization features.
- Email drafts — drafts created on your behalf via the Gmail API using the gmail.compose scope, only when you explicitly request the AI assistant to draft an email.
Google Calendar Data
- Event titles, times, attendees, and descriptions, accessed read-only via the Google Calendar API to display your schedule and create new events from captured information.
Google Contacts Data
- Contact names, email addresses, and phone numbers, synced read-only via the Google Contacts API to populate the contacts section and provide relationship intelligence.
User-Generated Content
- Tasks, projects, notes, contacts you create manually, knowledge base entries, AI conversation history, captures (quick-capture inputs), and triggers (automated rules).
Usage Data
- Log data (IP address, browser type, pages visited within the Service), feature usage patterns, and device/browser information. This data is used to maintain and improve the Service.
Phone Number
- If you choose to enable SMS or WhatsApp messaging channels via Twilio, we collect your phone number to route messages between you and the Stacy AI assistant.
Chrome Extension Data
- Text selections — only when you explicitly select text and click an action button (Ask Stacy, Summarize, Explain, Save to Capture, or Draft Reply).
- Page content — only when you explicitly click “This page” from the side panel context menu to chat with the current page. Up to 8,000 characters of visible body text are sent as conversation context.
- Chat messages — messages you type and send to Stacy via the side panel.
- Authentication session — a Supabase session token from app.mystacy.ai stored in chrome.storage.session (automatically cleared when the browser closes).
- Theme preference — your light/dark mode choice, stored locally in chrome.storage.local on your device only.
3. How We Use Your Information
Gmail Data Usage
- Gmail data is used only to provide the mystacy.ai service to you — specifically, reading emails for display in the mail interface and AI summarization, and creating drafts on your explicit request.
- Gmail data is not used to develop, improve, or train generative AI or machine learning models.
- Gmail data is not used for advertising, ad targeting, or ad personalization.
- Gmail data is not transferred to third parties except as necessary to provide the Service. Specifically, email content may be sent to the Anthropic Claude API for AI processing (summarization, draft generation) when you explicitly request it.
- Gmail data is not used for any purpose incompatible with the Gmail API Terms of Service.
- Access to Gmail is triggered only by explicit user action — when you navigate to the Mail section, click to read a specific email thread, or request the AI assistant to draft an email. We do not access your Gmail data in the background or without your direct interaction.
- Email drafts are never sent automatically. When the AI creates a draft, it is saved as a Gmail draft that you must explicitly review and confirm before it is sent. No email is ever sent on your behalf without your explicit action.
Calendar Data Usage
- Calendar data is used only to display your events within the mystacy.ai interface and to create new calendar events from user captures when you explicitly request it.
Contacts Data Usage
- Contact data is used only to populate the contacts section within mystacy.ai and to provide relationship intelligence features (such as showing recent interactions with a contact).
General Data Usage
- To provide, maintain, and improve the Service and its features.
- To authenticate your identity and secure your account.
- To process your requests to the AI assistant (Stacy) and return responses.
- To send you transactional communications (account verification, security alerts, service updates).
- To detect, prevent, and address technical issues, abuse, and security threats.
- To comply with legal obligations.
We do not use your data for advertising, user profiling for third parties, or any purpose unrelated to the Service’s described functionality.
4. Google API Services — Limited Use Disclosure
mystacy.ai’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In accordance with Google’s Limited Use requirements, we confirm the following:
- We only use Google API data to provide and improve user-facing features. Your email content, calendar events, and contact information are used solely to power the features described in this Privacy Policy — displaying your mail, generating AI summaries, creating drafts, showing your calendar, and populating your contacts.
- We do not transfer Google API data to third parties except as necessary to provide the Service (specifically, sending email content to the Anthropic Claude API for AI processing when you request it), with your explicit consent, for security purposes (investigating abuse), or to comply with applicable laws.
- We do not allow humans to read your Google API data unless: (a) you have given explicit consent for a specific message, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymized and is used for internal operations.
- We do not use Google API data for advertising purposes, including retargeting, personalized, or interest-based advertising. We do not use Google API data for data brokering, credit assessment, surveillance, lending decisions, or any purpose other than providing the user-facing features of mystacy.ai.
5. Chrome Extension
The MyStacy Chrome Extension’s single purpose is to let you interact with the Stacy AI assistant from any webpage — through text selection tools, the side panel, input field assist, and voice dictation.
Permissions Requested
- Host permissions (all_urls) — required so the content script can inject the selection toolbar and input field assist button on any webpage where you choose to use the extension. The extension does not read, collect, or transmit any page data unless you explicitly interact with it.
- sidePanel — required to open the Stacy side panel for chat, captures, and context menu actions.
- storage (session + local) — chrome.storage.session stores your authentication token (automatically cleared when the browser closes). chrome.storage.local stores your theme preference only.
What the Extension Does NOT Collect
- No keystroke logging or typing pattern monitoring.
- No browsing history or page visit logs.
- No passwords, payment information, or financial data.
- No cookies or data from websites other than app.mystacy.ai.
- No data from pages where you have not explicitly interacted with the extension.
Communication & Security
- The extension communicates exclusively via HTTPS to app.mystacy.ai. No data is sent to any other domain.
- Session tokens are stored in chrome.storage.session, which is automatically cleared when the browser closes. Tokens are never written to persistent storage or exposed to other extensions.
- Content scripts run inside a closed Shadow DOM, fully isolated from the host page’s JavaScript context to prevent interference.
- The extension loads no remote code. There is no dynamic code evaluation and no inline scripts. The Content Security Policy restricts all script sources to self only.
Voice Dictation
- Voice input is processed entirely locally by Chrome’s built-in Web Speech API. The resulting text appears in the input field. No audio data is ever sent to mystacy.ai servers. Audio processing happens entirely within Chrome’s speech recognition engine.
6. Data Storage & Security
We take the security of your data seriously. The following measures are in place to protect your information:
- Database security — all user data is stored in Supabase PostgreSQL with Row-Level Security (RLS) enabled on every table. RLS policies ensure that users can only access their own data — no user can read, modify, or delete another user’s records.
- Encryption at rest — OAuth tokens and other sensitive data are encrypted using AES-256-GCM before being stored in the database.
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2+. No data is ever transmitted over unencrypted connections.
- Server-side token storage — OAuth tokens for Google APIs (Gmail, Calendar, Contacts) are stored exclusively server-side. No OAuth tokens are stored in client-accessible storage, except for session tokens in chrome.storage.session which auto-clear when the browser closes.
- HTTPS-only with HSTS — the application enforces HTTPS connections and sends HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks.
- Input validation — all API routes validate input server-side using Zod schema validation to prevent injection attacks and malformed data.
- Rate limiting — authentication endpoints and API routes are rate-limited to prevent brute-force attacks and abuse.
7. Data Retention & Deletion
- Account data — your profile information (name, email, profile picture) is retained while your account is active.
- Gmail data — email content is processed in real-time for display in the mail interface and AI features. Email metadata (sender, subject, timestamps) is cached to power the mail interface. No permanent copy of full email bodies is stored beyond what is needed for active features. When you navigate away, cached content is not retained.
- Calendar and contact data — synced periodically from Google APIs. This data is deleted from mystacy.ai when you disconnect the integration or delete your account.
- Chat conversations — stored in your account until you delete them individually or delete your account.
- Captures, tasks, and knowledge — stored in your account until you delete them individually or delete your account.
- Authentication tokens — Chrome extension session tokens are session-only and automatically cleared when the browser closes. Server-side OAuth tokens for Google APIs are deleted when you disconnect the integration or delete your account.
- Anthropic (Claude AI) — per Anthropic’s commercial API terms, prompts and responses sent via the API are retained by Anthropic for up to 30 days for trust and safety purposes, then deleted. This data is not used for model training.
Account Deletion
- You can delete your account and all associated data (profile, conversations, tasks, contacts, knowledge, captures, projects, triggers, stored tokens) by contacting privacy@mystacy.ai or from within the application settings.
- Data deletion is permanent and is completed within 30 days of your request. Once deleted, your data cannot be recovered.
8. Third-Party Services
The Service relies on the following third-party providers to deliver its functionality. Each provider processes data under their own privacy policies:
- Google (Gmail API, Calendar API, Contacts API, Google Sign-In) — provides access to your email, calendar, and contact data. Google’s privacy policy: policies.google.com/privacy
- Anthropic (Claude AI API) — processes user text (chat messages, email content for summarization and drafting, captured text) to generate AI responses. Per Anthropic’s commercial API terms, data sent via the API is not used for model training. Anthropic retains prompts and responses for up to 30 days for trust and safety purposes. Anthropic’s privacy policy: anthropic.com/policies/privacy
- Supabase — provides database hosting, authentication, and row-level security for all user data. Supabase’s privacy policy: supabase.com/privacy
- Twilio — routes SMS and WhatsApp messages between you and the Stacy AI assistant. Twilio is only used if you explicitly enable a messaging channel. Twilio’s privacy policy: twilio.com/legal/privacy
- Vercel — hosts the mystacy.ai web application and API endpoints. Vercel processes HTTP requests but does not independently store or analyze your data. Vercel’s privacy policy: vercel.com/legal/privacy-policy
We do not share your data with advertising networks, data brokers, information resellers, analytics services, or any other third parties beyond those listed above.
9. Your Rights & Choices
You have the following rights regarding your personal data:
- Access, view, correct, and delete your personal data within the mystacy.ai application at any time.
- Revoke Google permissions at any time by visiting myaccount.google.com/permissions and removing mystacy.ai. This will immediately stop all access to your Gmail, Calendar, and Contacts data.
- Disconnect any integration (Gmail, Calendar, Contacts, SMS, WhatsApp, Telegram) individually from your mystacy.ai settings at any time.
- Delete individual items — conversations, tasks, contacts, knowledge entries, captures, and projects can be deleted at any time from within the application.
- Delete your entire account and all associated data permanently from within the application or by contacting us.
- Opt out of SMS by replying STOP to any message or by disconnecting the SMS channel from your settings.
- Request data export or deletion by emailing privacy@mystacy.ai. We will respond to all requests within 30 days.
- Uninstall the Chrome extension to immediately remove all locally stored extension data (session tokens, theme preferences, cached state) from your browser.
10. Children’s Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have inadvertently collected personal data from a person under 18, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@mystacy.ai so we can take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Material changes: If we make material changes to this Privacy Policy, we will notify you via email (to the address associated with your account) and through an in-app notification at least 30 days before they take effect. This gives you time to review the changes and decide whether to continue using the Service.
The “Last updated” date at the top of this page will be revised whenever this policy is modified.
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree to the updated policy, you should stop using the Service and may delete your account.
12. Contact Information
If you have questions about this Privacy Policy, how your data is handled, or wish to exercise any of your data rights, please contact us:
- Email: privacy@mystacy.ai
- Website: mystacy.ai
Veridix AI LLC
State of Florida, United States