Security

Your data, protected.

alfred_ handles your most sensitive professional data: email, calendar, and tasks. Here's exactly how we keep it safe.

AES-256Encryption at rest & in transit
OAuth 2.0We never see your password
Row Level SecurityUser-level data isolation
No AI trainingYour data never trains models

Authentication

OAuth 2.0 alfred_ connects to Gmail, Outlook, and Google Calendar via OAuth 2.0. We never see, store, or ask for your email password.
Scoped permissions We request only the minimum permissions needed: read/write email and calendar access. Nothing more.
Token security OAuth tokens are encrypted at rest and refreshed automatically. You can revoke access at any time from your provider's settings.

Data Privacy

What we access Email metadata (sender, subject, date), email body content for AI processing, and calendar events for scheduling intelligence.
What we don't We don't access your contacts list, files, drives, or any data outside of email and calendar.
No training on your data Your emails, tasks, and calendar data are never used to train AI models. Your data is yours.

Infrastructure

Supabase + PostgreSQL Production database hosted on Supabase with enterprise-grade PostgreSQL infrastructure.
Row Level Security (RLS) Database-level access control ensures every query is scoped to the authenticated user. No cross-user data leaks.
Automatic backups Daily automated backups with point-in-time recovery capabilities.

AI Processing

Processing-focused AI processes your emails to categorize, summarize, and draft replies. We don't store raw AI conversation logs.
No data sharing Your email content is not shared with third parties for advertising, analytics, or any purpose beyond providing alfred_ functionality.
Model providers AI processing uses Anthropic (Claude) APIs with enterprise data protection agreements in place.

Access Control

User-level isolation Every user's data is isolated at the database level. There is no shared data pool between accounts.
Session management Secure session tokens with automatic expiry. Sessions are invalidated on password change or account actions.
Admin access Internal access to production data is strictly limited, logged, and requires multi-factor authentication.

Compliance & Practices

GDPR-friendly Data deletion on request, data export capabilities, and transparent data processing practices aligned with GDPR principles.
Data deletion Delete your account and all associated data at any time from Account Settings. Deletion is permanent and irreversible.
Payment security Payments processed by Stripe (PCI DSS Level 1). alfred_ never sees or stores your credit card number.

Security questions, answered

Frequently Asked Questions

Does alfred_ store my email password?

No. alfred_ uses OAuth 2.0 to connect to your email provider. We never see, ask for, or store your email password.

Can alfred_ send emails without my permission?

No. alfred_ drafts replies for your review, but you must explicitly approve and send every message.

Is my email data used to train AI models?

No. Your emails, calendar data, and tasks are never used to train AI models. Your data is processed only to provide alfred_ functionality.

How do I delete my data?

Go to Account Settings and select "Delete Account." This permanently removes all your data from our systems.

What happens if alfred_ is breached?

All data at rest is encrypted with AES-256, so even in a breach scenario, data is not readable without encryption keys.

Can I revoke alfred_'s access to my email?

Yes, at any time. You can revoke OAuth access from your Google or Microsoft account settings.

Where is my data stored?

Data is stored on Supabase-hosted PostgreSQL databases with encrypted storage volumes in SOC 2 compliant data centers.

Questions about security? We're happy to walk your team through our practices, data handling, and compliance posture in detail.