Privacy Policy

Last updated: April 18, 2026

1. Overview

Zephyr ("the Add-in") is an AI-powered email assistant that runs inside Microsoft Outlook. This policy explains how we handle your data.

2. Data We Collect

We collect and store only the minimum data necessary to provide the service:

• Account information: Your Microsoft email address and display name (obtained via Microsoft OAuth 2.0 consent).
• Preferences: Theme selection, writing tone, default language, response language, tracking settings.
• Workflow definitions: The automation rules you create (trigger type, conditions, actions) and creation metadata for quality monitoring.
• Workflow execution history: Metadata only (timestamp, workflow name, success/failure). No email content.
• Email tracking records: Recipient email, subject line, and event timestamps (open, click, reply). No email body content.
• Email templates: Template names and body text you create for reusable replies.
• Follow-up reminders: Recipient email, subject, and reminder date for pending reminders.
• Connected service tokens: Encrypted OAuth tokens and personal access tokens for third-party integrations (Jira, Slack, GitHub, Notion, Trello, Linear, Asana, HubSpot, Google Sheets, Airtable).
• Webhook endpoints: Named HTTPS endpoint URLs you save for workflow automation.
• Usage counts: Aggregate counts of AI calls per day for rate limiting and tier enforcement.
• Feedback: Bug reports and feature requests you voluntarily submit.

3. Data We Do NOT Collect or Store

• We do NOT store, cache, or retain any email content (body, subject, attachments).
• We do NOT store AI responses or conversation history on our servers.
• We do NOT read your emails in the background or without your explicit action.
• We do NOT sell, share, or monetize your data in any way.

4. How Email Content Is Processed

When you use an AI action, the email content is:

• Sent from your browser directly to our API endpoint over HTTPS.
• Forwarded to your configured AI provider for processing.
• The AI response is returned to your browser and displayed.
• No email content is stored at any point in this process.

5. Third-Party Services

• AI Providers (Google Gemini, OpenAI, Anthropic Claude, Azure OpenAI): Processes email content for AI features. Subject to each provider's terms of service.
• Microsoft Graph API: Accesses your mailbox with your explicit OAuth 2.0 consent. We request only the permissions necessary.
• Stripe: Handles payment processing for Pro and Enterprise subscriptions. We never see or store your payment card details.
• Amazon Web Services (AWS): Hosts our backend infrastructure including Lambda, DynamoDB, S3, and CloudFront.
• Third-party Connectors (Atlassian, Slack, GitHub, Notion, Trello, Linear, Asana, HubSpot, Google, Airtable): When you connect a service, OAuth tokens or personal access tokens are stored encrypted. Zephyr accesses these services only when your workflows trigger actions.

6. Data Storage and Security

All data is stored in AWS DynamoDB in the US East (N. Virginia) region. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Authentication tokens are stored securely and used only to access Microsoft Graph on your behalf.

7. Data Retention and Deletion

Your preferences and workflow data are retained as long as your account is active. You can permanently delete all your data at any time using the 'Delete my data' button in the add-in's About section. This removes all preferences, workflows, usage history, and feedback from our servers.

8. Logging

Our server logs contain only HTTP method and URL path (e.g. 'POST /ai/summarize'). No email content, request bodies, or personal data appears in logs.

9. Security

For detailed information about our data handling, encryption, and security practices, see our Security page.

10. Children's Privacy

Zephyr is not intended for use by children under 13. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

12. Contact

For privacy questions, data deletion requests, or concerns, email: admin@zephyrapp.org