AES-256Encryption at rest & in transit
OAuth 2.0We never see your password
Row Level SecurityUser-level data isolation
No AI trainingYour data never trains models
At rest All stored data encrypted with AES-256, the same standard used by banks and governments.
In transit All connections secured with TLS 1.3. Data is encrypted between your browser, our servers, and third-party APIs.
Database PostgreSQL with encrypted storage volumes. Automatic daily backups, also encrypted.
OAuth 2.0 alfred_ connects to Gmail, Outlook, and Google Calendar via OAuth 2.0. We never see, store, or ask for your email password.
Scoped permissions We request only the minimum permissions needed: read/write email and calendar access. Nothing more.
Token security OAuth tokens are encrypted at rest and refreshed automatically. You can revoke access at any time from your provider's settings.
What we access Email metadata (sender, subject, date), email body content for AI processing, and calendar events for scheduling intelligence.
What we don't We don't access your contacts list, files, drives, or any data outside of email and calendar.
No training on your data Your emails, tasks, and calendar data are never used to train AI models. Your data is yours.
Infrastructure
Supabase + PostgreSQL Production database hosted on Supabase with enterprise-grade PostgreSQL infrastructure.
Row Level Security (RLS) Database-level access control ensures every query is scoped to the authenticated user. No cross-user data leaks.
Automatic backups Daily automated backups with point-in-time recovery capabilities.
Processing-focused AI processes your emails to categorize, summarize, and draft replies. We don't store raw AI conversation logs.
No data sharing Your email content is not shared with third parties for advertising, analytics, or any purpose beyond providing alfred_ functionality.
Model providers AI processing uses Anthropic (Claude) APIs with enterprise data protection agreements in place.
User-level isolation Every user's data is isolated at the database level. There is no shared data pool between accounts.
Session management Secure session tokens with automatic expiry. Sessions are invalidated on password change or account actions.
Admin access Internal access to production data is strictly limited, logged, and requires multi-factor authentication.
GDPR-friendly Data deletion on request, data export capabilities, and transparent data processing practices aligned with GDPR principles.
Data deletion Delete your account and all associated data at any time from Account Settings. Deletion is permanent and irreversible.
Payment security Payments processed by Stripe (PCI DSS Level 1). alfred_ never sees or stores your credit card number.