Privacy Policy
Last updated: May 17, 2026
1. Introduction
Sottocapo (“we,” “our,” “us”) provides an AI-powered assistant that drafts and sends email on behalf of authorized users. This Privacy Policy describes the information we collect, how we use it, and the choices you have. By using Sottocapo, you agree to the practices described here.
2. Information we collect
From you
- Your name and email address from your Google account at sign-in.
- Optional profile information (display name, bio, preferences) that you provide via the settings page.
- Slack account information you provide to enable approval notifications.
From Gmail
- OAuth tokens that allow Sottocapo to read and send mail on your behalf.
- Email metadata and content needed to classify recruiter messages and draft responses (sender, subject, body of incoming messages).
Automatically
- Standard log information (IP address, browser type, timestamps) when you interact with the service.
3. How we use information
- To provide the core service: classify incoming mail and draft replies.
- To send approval notifications via Slack.
- To send mail from your account, only after your explicit approval.
- To improve the quality of classification and drafting over time.
- To comply with legal obligations.
4. Data storage and encryption
OAuth tokens are encrypted at rest using AES-256-GCM. Encryption keys are stored separately from the encrypted data and are not accessible to third parties. We store data in Supabase's managed Postgres, located in the United States.
5. Third-party services
- Google — provides authentication and Gmail API access. Your data is subject to Google's Privacy Policy.
- Anthropic — processes email content to classify messages and draft responses. Subject to Anthropic's Privacy Policy.
- Supabase — managed database. Subject to Supabase's Privacy Policy.
- Slack — sends approval notifications. Subject to Slack's Privacy Policy.
- Vercel — hosts the application. Subject to Vercel's Privacy Policy.
6. Your rights
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Export your data in a portable format.
- Revoke Google or Slack access at any time.
To exercise any of these rights, contact us at contact@sottocapo.com.
7. Data retention
We retain personal information for as long as your account is active. Upon account deletion, all personal data, OAuth tokens, and processed email metadata are removed within thirty days. Aggregated, non-personal usage data may be retained for analytical purposes.
8. Security practices
We use industry-standard security practices, including encryption in transit (TLS), encryption at rest for sensitive credentials, and principle-of-least-privilege access for our infrastructure. No system is perfectly secure; we take reasonable measures to protect your information and notify affected users in the event of a material breach.
9. Children's privacy
Sottocapo is not directed to children under the age of 16. We do not knowingly collect information from children. If we learn we have collected such information, we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or via the dashboard at least thirty days before they take effect.
11. Contact
Questions, requests, or concerns? Email contact@sottocapo.com.