Your emails never leave your Google account. PinoMail is an overlay on top of Gmail — it reads and writes email using your own Google OAuth token and our servers never see a single message.
PencilCard does not collect, transmit, or store any email data on its servers. All data described below stays on your device or within your own Google account.
chrome.storage.local. Never transmitted.chrome.storage.local.chrome.storage.local. Never transmitted.chrome.storage.local, used solely to verify your subscription tier. It does not carry any email data.Thread metadata, tags, board data, tasks, and calendar events are stored in an IndexedDB database on your device named pinomail_db. This database is sandboxed to the extension and is never synced to PencilCard servers. It is cleared when you uninstall the extension or clear site data for the extension in Chrome settings.
chrome.storage.localSettings, the priority sender list, style profile, and the Firebase auth token are stored in Chrome's local extension storage. This data is sandboxed to the extension, is not synced across devices, and is cleared on uninstall.
Any modification you make — archiving, starring, snoozing (via Gmail label), sending a reply — is written directly to your Gmail account through Google's API using your personal OAuth token. PencilCard does not store a copy of these writes.
PinoMail reads and writes your Gmail using https://gmail.googleapis.com/. All requests are authenticated with your personal Google OAuth token obtained via chrome.identity. Traffic goes directly between your browser and Google's servers — PencilCard operates no proxy or relay. Google's privacy policy governs Gmail data.
If you enable the Calendar view, PinoMail calls https://www.googleapis.com/calendar/v3/ to list upcoming events. Same OAuth token, same direct browser-to-Google path.
On sign-in, PinoMail calls Firebase Identity Toolkit to exchange your Google ID token for a Firebase session. It then reads your subscription tier from Firestore. Only your Firebase UID is transmitted — no email data is included in these requests. Entitlement is cached locally so subsequent launches do not require a network call.
If you enable BYOK (Bring Your Own Key) AI and explicitly grant consent in Settings → AI Engine → "I consent to sending anonymised email content to my configured AI provider", PinoMail may send anonymised email snippets to the Gemini API using your own API key. Anonymisation (on-device PII stripping) runs before any data leaves the browser. See Section 5 for full details. This path is disabled by default and requires two explicit user actions to activate.
| Permission | Why it is needed |
|---|---|
| identity | Obtains a Google OAuth token via chrome.identity to authenticate Gmail and Calendar API calls on your behalf. PinoMail never sees your Google password — Chrome handles the OAuth flow. |
| storage | Stores settings, priority senders, style profile, and the Firebase auth token in chrome.storage.local. All data stays on your device. |
| alarms | Schedules periodic inbox sync (every 2–5 minutes depending on plan) and snooze wake-ups. No data is transmitted by the alarm itself. |
| scripting | Injects a small content script into Gmail tabs to detect the currently focused thread and surface a "Focus in PinoMail" quick-action button. The script is read-only, does not exfiltrate any data, and is scoped exclusively to mail.google.com. |
| host: mail.google.com | Required for the Gmail content script above. PinoMail does not inject into any other host. |
| host: gmail.googleapis.com | Required to call the Gmail REST API directly from the extension context. |
| host: www.googleapis.com | Required to call the Google Calendar API if the Calendar view is enabled. |
| host: firestore.googleapis.com, identitytoolkit.googleapis.com, securetoken.googleapis.com | Required for Firebase sign-in and subscription entitlement check. No email data is sent to these endpoints. |
| host: generativelanguage.googleapis.com (optional) | Used only when BYOK AI is enabled and you have given explicit consent. Sends anonymised thread snippets to the Gemini API under your own API key. |
Thread classification (Primary / Action / Newsletter / Receipt / FYI), smart reply suggestions, and action extraction all run using Chrome's built-in Gemini Nano model via window.ai.languageModel. This model runs entirely on your device — no data leaves the browser and no API key is required. Gemini Nano availability requires Chrome 127+ with the model downloaded.
PinoMail can build a writing style profile from your Sent mail to improve reply suggestions. This analysis runs entirely on-device using Gemini Nano. The raw text of your emails is not stored; only the derived numeric model is kept in chrome.storage.local. Style profiling is Nano-only and will never use a BYOK cloud provider — sending your prose to an external LLM would both violate your privacy and destroy the personalisation signal. You can disable style profiling at any time in Settings → Writing.
If you configure a Gemini API key and wish to use it for thread triage, two explicit steps are required:
Without both steps, the BYOK path is blocked in code and Nano is used instead. When BYOK is active, email content is anonymised on-device (names, addresses, phone numbers, and amounts replaced with placeholders) before the snippet is sent to the Gemini API under your own key and your own GCP project — PencilCard does not receive this data.
PencilCard does not sell, rent, or share your data. PencilCard operates no servers that receive email content.
generativelanguage.googleapis.com under your own API key if you have enabled and consented to BYOK triage. Traffic goes to your own GCP project, not to PencilCard.Settings → Data → "Clear local cache" deletes all locally cached thread metadata, tags, and board data. Your actual Gmail messages are unaffected — they remain in your Google account.
Visit myaccount.google.com/permissions, find PinoMail, and click Remove. This immediately revokes the OAuth token and PinoMail can no longer access Gmail on your behalf.
Email [email protected] to request deletion of your Firebase account record and Firestore subscription data.
Uninstalling the extension removes all locally stored data, including the thread cache, settings, priority senders, and the style profile.
PencilCard processes only your Firebase UID and subscription tier. For email data, your rights under Google's policies apply — exercise them at myaccount.google.com. To exercise rights over PencilCard-held data, contact [email protected]. We aim to respond within 5 business days.
PinoMail requires a Google account and is not directed at children under 13. We do not knowingly collect information from children. As no email data is stored on PencilCard servers, the extension does not create a personal data profile for any user of any age.
We will update this page if PinoMail's privacy practices change. Any change that introduces new external data transmission will be communicated via the extension update notes and an updated "Last updated" date. The current version is always at pencilcard.com/privacy-pinomail.
We aim to respond within 5 business days.