Security & Data Handling

How Zephyr protects your email data.

The core principle

Zephyr does NOT store your email content. Ever. Your emails pass through our servers in memory only, are sent to the AI for processing, and the response is returned directly to your browser. Nothing is written to disk or database.

Data Flow

1 You click an action in the Zephyr add-in

2 Email content is sent over HTTPS to our API (AWS Lambda)

3 Lambda forwards it to your configured AI provider for processing transient

4 AI response returns through Lambda to your browser

5 Nothing is stored. Lambda memory is cleared. no storage

What we store vs what we don't

Stored (in encrypted DynamoDB)

Your preferences (theme, language, writing tone, response language)
Workflow definitions (the rules you create) and creation metadata
Workflow execution history (metadata only, no email content)
Email tracking records (recipient, subject, event timestamps only)
Email templates and follow-up reminders
Connected service tokens (encrypted OAuth tokens and personal access tokens for Jira, Slack, GitHub, Notion, Trello, Linear, Asana, HubSpot, Google Sheets, Airtable, and saved webhook endpoint URLs)
Daily usage count (number of AI calls)
Feedback you voluntarily submit

Never stored

Email body, subject, or attachments
AI-generated responses
Chat conversation history (browser-only)
Names or emails of people you communicate with
Calendar event content

Encryption

In transit: All communication uses TLS 1.2+ (HTTPS). No unencrypted connections.

At rest: DynamoDB uses AES-256 encryption by default for all stored data.

Third-party services

AI Providers

Processes email content for AI features. Supports Google Gemini and Azure OpenAI. Provider API terms apply.

Microsoft Graph API

Accesses your mailbox with your explicit OAuth 2.0 consent. We request only the permissions needed.

Stripe

Handles payment processing. We never see or store your card details.

AWS

Hosts our infrastructure. Data resides in US East (N. Virginia).

Logging

Our server logs contain only HTTP method and URL path (e.g. 'POST /ai/summarize'). No email content, request bodies, or personal data appears in logs.

Your rights

View your data: In the add-in, your stored preferences are visible in Settings.

Delete your data: You can permanently delete all your data at any time via the About section.

Data portability: Contact us to request an export of your stored data.

For questions: admin@zephyrapp.org

API endpoint

For automated compliance checks, our data flow is available as a machine-readable JSON endpoint:

GET /privacy/data-flow