Privacy Policy

PinoMail

Your emails never leave your Google account. PinoMail is an overlay on top of Gmail — it reads and writes email using your own Google OAuth token and our servers never see a single message.

📅 Last updated: June 24, 2026 📦 Extension: PinoMail v1.0.0 🏢 Publisher: PencilCard
🔒
Plain-English Summary: PinoMail reads your Gmail using Google's own APIs and your personal OAuth token. Email content flows between your browser and Google's servers only — it never touches PencilCard's infrastructure. A local IndexedDB cache stores thread metadata on your device for speed. AI features use Gemini Nano (fully on-device). BYOK cloud AI is opt-in and requires your explicit consent before any email snippet is processed externally.

1. Data We Collect

PencilCard does not collect, transmit, or store any email data on its servers. All data described below stays on your device or within your own Google account.

Data stored locally on your device

  • Thread metadata cache — sender name and email, subject, snippet (first ~200 characters), date, Gmail thread ID, read/unread status, star state, labels, and AI-assigned category. Stored in IndexedDB locally. This cache is a mirror of what is already in your Gmail account — it is rebuilt from Google's API on each sync and is never sent to PencilCard.
  • Priority sender list — email addresses you mark as "always Primary" are stored in chrome.storage.local. Never transmitted.
  • Tags and board column assignments — organisational data you create inside PinoMail. Stored in IndexedDB locally.
  • Saved text snippets — reusable reply templates you define in Settings. Stored locally.
  • Writing settings — AI engine preference, BYOK consent flag, smart reply toggle, tone corrections toggle. Stored in chrome.storage.local.
  • Style profile — a statistical model of your writing style (sentence length, punctuation frequency, vocabulary patterns) built on-device from your sent emails using Gemini Nano. The raw email text is never stored; only the derived numeric profile is kept in chrome.storage.local. Never transmitted.
  • Firebase authentication token — a short-lived token issued by Firebase on sign-in, stored in chrome.storage.local, used solely to verify your subscription tier. It does not carry any email data.

Data we do not collect

  • Email body text — never stored by PinoMail or sent to PencilCard
  • Attachments or file contents
  • Contact lists or address books
  • Full email headers beyond sender / subject / date
  • Passwords, OAuth tokens (beyond the short-lived local cache), or credentials
  • Browsing history, page content, or data from non-Gmail tabs

2. How Data Is Stored

IndexedDB (local)

Thread metadata, tags, board data, tasks, and calendar events are stored in an IndexedDB database on your device named pinomail_db. This database is sandboxed to the extension and is never synced to PencilCard servers. It is cleared when you uninstall the extension or clear site data for the extension in Chrome settings.

chrome.storage.local

Settings, the priority sender list, style profile, and the Firebase auth token are stored in Chrome's local extension storage. This data is sandboxed to the extension, is not synced across devices, and is cleared on uninstall.

Your Google account (via Gmail API)

Any modification you make — archiving, starring, snoozing (via Gmail label), sending a reply — is written directly to your Gmail account through Google's API using your personal OAuth token. PencilCard does not store a copy of these writes.

3. External Network Requests

Gmail API (googleapis.com)

PinoMail reads and writes your Gmail using https://gmail.googleapis.com/. All requests are authenticated with your personal Google OAuth token obtained via chrome.identity. Traffic goes directly between your browser and Google's servers — PencilCard operates no proxy or relay. Google's privacy policy governs Gmail data.

Google Calendar API (optional)

If you enable the Calendar view, PinoMail calls https://www.googleapis.com/calendar/v3/ to list upcoming events. Same OAuth token, same direct browser-to-Google path.

Firebase (auth and entitlement only)

On sign-in, PinoMail calls Firebase Identity Toolkit to exchange your Google ID token for a Firebase session. It then reads your subscription tier from Firestore. Only your Firebase UID is transmitted — no email data is included in these requests. Entitlement is cached locally so subsequent launches do not require a network call.

BYOK cloud AI (optional, explicit consent required)

If you enable BYOK (Bring Your Own Key) AI and explicitly grant consent in Settings → AI Engine → "I consent to sending anonymised email content to my configured AI provider", PinoMail may send anonymised email snippets to the Gemini API using your own API key. Anonymisation (on-device PII stripping) runs before any data leaves the browser. See Section 5 for full details. This path is disabled by default and requires two explicit user actions to activate.

4. Permissions Justification

PermissionWhy it is needed
identityObtains a Google OAuth token via chrome.identity to authenticate Gmail and Calendar API calls on your behalf. PinoMail never sees your Google password — Chrome handles the OAuth flow.
storageStores settings, priority senders, style profile, and the Firebase auth token in chrome.storage.local. All data stays on your device.
alarmsSchedules periodic inbox sync (every 2–5 minutes depending on plan) and snooze wake-ups. No data is transmitted by the alarm itself.
scriptingInjects a small content script into Gmail tabs to detect the currently focused thread and surface a "Focus in PinoMail" quick-action button. The script is read-only, does not exfiltrate any data, and is scoped exclusively to mail.google.com.
host: mail.google.comRequired for the Gmail content script above. PinoMail does not inject into any other host.
host: gmail.googleapis.comRequired to call the Gmail REST API directly from the extension context.
host: www.googleapis.comRequired to call the Google Calendar API if the Calendar view is enabled.
host: firestore.googleapis.com, identitytoolkit.googleapis.com, securetoken.googleapis.comRequired for Firebase sign-in and subscription entitlement check. No email data is sent to these endpoints.
host: generativelanguage.googleapis.com (optional)Used only when BYOK AI is enabled and you have given explicit consent. Sends anonymised thread snippets to the Gemini API under your own API key.

5. AI Features & Privacy

Gemini Nano (on-device, default)

Thread classification (Primary / Action / Newsletter / Receipt / FYI), smart reply suggestions, and action extraction all run using Chrome's built-in Gemini Nano model via window.ai.languageModel. This model runs entirely on your device — no data leaves the browser and no API key is required. Gemini Nano availability requires Chrome 127+ with the model downloaded.

Style profiling

PinoMail can build a writing style profile from your Sent mail to improve reply suggestions. This analysis runs entirely on-device using Gemini Nano. The raw text of your emails is not stored; only the derived numeric model is kept in chrome.storage.local. Style profiling is Nano-only and will never use a BYOK cloud provider — sending your prose to an external LLM would both violate your privacy and destroy the personalisation signal. You can disable style profiling at any time in Settings → Writing.

BYOK cloud AI (opt-in, double-consent)

If you configure a Gemini API key and wish to use it for thread triage, two explicit steps are required:

  1. Set your API key in Settings → AI Engine.
  2. Check "I consent to sending anonymised email content to my AI provider" in the same panel.

Without both steps, the BYOK path is blocked in code and Nano is used instead. When BYOK is active, email content is anonymised on-device (names, addresses, phone numbers, and amounts replaced with placeholders) before the snippet is sent to the Gemini API under your own key and your own GCP project — PencilCard does not receive this data.

⚠️
BYOK is never used for style profiling or smart replies. These features use Nano only. BYOK applies solely to thread triage classification when you have explicitly consented.

6. Data Sharing

PencilCard does not sell, rent, or share your data. PencilCard operates no servers that receive email content.

  • Google (Gmail & Calendar API) — all email reads and writes go to Google's servers using your OAuth token. Google's privacy policy governs this data.
  • Firebase — your Firebase UID and subscription tier are processed for sign-in and entitlement. No email data is included.
  • Gemini API (BYOK, optional) — anonymised thread snippets sent to generativelanguage.googleapis.com under your own API key if you have enabled and consented to BYOK triage. Traffic goes to your own GCP project, not to PencilCard.

7. Your Rights & Data Deletion

Clear local cache

Settings → Data → "Clear local cache" deletes all locally cached thread metadata, tags, and board data. Your actual Gmail messages are unaffected — they remain in your Google account.

Revoke Gmail access

Visit myaccount.google.com/permissions, find PinoMail, and click Remove. This immediately revokes the OAuth token and PinoMail can no longer access Gmail on your behalf.

Delete Firebase account

Email [email protected] to request deletion of your Firebase account record and Firestore subscription data.

Uninstall

Uninstalling the extension removes all locally stored data, including the thread cache, settings, priority senders, and the style profile.

Your rights under UK & EU data protection law

PencilCard processes only your Firebase UID and subscription tier. For email data, your rights under Google's policies apply — exercise them at myaccount.google.com. To exercise rights over PencilCard-held data, contact [email protected]. We aim to respond within 5 business days.

8. Children's Privacy

PinoMail requires a Google account and is not directed at children under 13. We do not knowingly collect information from children. As no email data is stored on PencilCard servers, the extension does not create a personal data profile for any user of any age.

9. Policy Changes

We will update this page if PinoMail's privacy practices change. Any change that introduces new external data transmission will be communicated via the extension update notes and an updated "Last updated" date. The current version is always at pencilcard.com/privacy-pinomail.

10. Contact

We aim to respond within 5 business days.