HeyEnso

Privacy Policy

Last updated: 2026-06-08

1. Who we are

HeyEnso ("we", "our", "us") provides an AI-powered email assistant application. Contact: privacy@heyenso.com.

2. Data we collect

Account data

When you sign in, we receive your Google account identifier and basic profile details (such as name, email address, and profile photo) needed to operate your account.

Gmail data (restricted scope)

To provide core functionality, we request Gmail API access including the https://www.googleapis.com/auth/gmail.modifyscope. This may include message content, metadata, labels, and thread context needed to read, triage, draft, and organize mail on your behalf.

Optional analytics data (consent-based)

If you explicitly enable analytics in onboarding or Settings, we collect product usage events (for example, feature interactions, screen-level events, and error diagnostics). We do not require analytics consent to use paid or core app functionality.

Billing and subscription data

Subscription status and billing entitlement data are processed through RevenueCat to manage plans and subscription state.

3. How we use data

  • Provide and maintain the HeyEnso service
  • Authenticate users and secure accounts
  • Sync, summarize, and draft email workflows you initiate
  • Process account lifecycle requests such as deletion
  • Improve reliability and product quality through consented analytics

We do not sell personal data and do not use Gmail data for advertising or data-broker purposes.

4. Legal bases

Depending on jurisdiction, we process data based on contract necessity (service delivery), legitimate interests (security and reliability), legal obligations, and consent where required (including optional analytics).

5. Third-party processors

We use service providers to operate HeyEnso, including:

  • Google Firebase / Google Cloud (authentication, storage, cloud functions, app infrastructure)
  • PostHog (EU cloud) (consented product analytics)
  • RevenueCat (subscription and entitlement management)
  • OpenRouter (embedding generation for selected product features)
  • Google Gemini (summary, auto-reply, and compose assistance features)
  • Google APIs (Gmail integration and event handling)
  • Other AI model providers (transient inference for user-requested AI features, including content you submit or select for processing)

6. Data location and transfers

Core app infrastructure is hosted on Google Cloud/Firebase resources configured in Australia. Consented analytics events are sent to PostHog EU cloud. AI-related requests may be processed by OpenRouter and Google Gemini using only the text or email content needed to generate requested embeddings, summaries, replies, and compose improvements. Some processors may operate globally; we apply contractual and technical safeguards appropriate to applicable law.

7. Retention

  • Account and service data: retained while your account is active, then deleted per our deletion process.
  • Analytics events: retained up to 90 days in PostHog project settings.
  • Data required for legal, accounting, fraud-prevention, or security obligations may be retained as required by law.

8. Data protection and security

We use administrative, technical, and organizational safeguards to protect Google user data and other sensitive data against unauthorized access, disclosure, alteration, and loss.

  • Encryption in transit: HeyEnso uses HTTPS/TLS for communication between the app, our web services, Google APIs, Firebase, and other service providers.
  • Encryption at rest: Data stored in Google Cloud and Firebase is protected using Google Cloud/Firebase encryption controls. Gmail OAuth refresh tokens are additionally encrypted before storage using Google Cloud Key Management Service.
  • Access controls: Access to production systems and stored user data is limited to authorized personnel and service accounts with a business need. We use Firebase Authentication, App Check, Firestore Security Rules, and Google Cloud IAM controls to restrict access.
  • Data minimization: We request only the Gmail API scope needed to provide user-facing inbox features and process Gmail data only for the features described in this policy.
  • Processor safeguards: We use service providers only to operate HeyEnso, such as hosting, authentication, analytics with consent, subscription management, and user-requested AI features. We do not allow processors to use Gmail data for advertising, data brokerage, or training generalized AI models.
  • Deletion and revocation: Users can disconnect Gmail access, revoke access from their Google Account, or request account deletion. When deletion is processed, we delete or de-identify account and service data according to this policy and legal requirements.

9. Your choices and rights

  • Access, correct, export, or delete your personal data
  • Withdraw analytics consent at any time in app Settings (opt-out)
  • Revoke Google API access via Google Account permissions
  • Request account deletion in app or via our web deletion page

You can request deletion via Delete My Data or by emailing privacy@heyenso.com.

10. Google Workspace API Limited Use disclosure

The use of information received from Google Workspace APIs will adhere to the Google Workspace API User Data and Developer Policy, including the Limited Use requirements.

11. Children's privacy

HeyEnso is not directed to children under 13. We do not knowingly collect personal data from children under 13.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated through in-app notice, website updates, or email.

13. Contact

Privacy: privacy@heyenso.com