Privacy Policy
Effective date: April 12, 2026 · Last updated: April 12, 2026
1. Introduction
Amy (“Amy”, “we”, “us”, or “our”) is an AI executive assistant that helps you stay on top of your email and calendar. Amy reads your Gmail and Google Calendar (with your explicit consent), prepares a morning brief, triages incoming messages, and can draft replies for you to review and send. Amy is built by Shawn Hanson (operating as “Amy EA LLC”, a Delaware limited liability company).
This Privacy Policy explains what information Amy collects, how we use it, who we share it with, and the choices you have. If you have questions, contact us at support@amyea.com.
2. Information We Collect
2.1 Account information
When you sign up for Amy, we collect:
- Your name and email address (from Google Sign-In and/or Clerk authentication)
- A unique account identifier
- Device information needed to deliver push notifications (e.g., FCM device tokens)
2.2 Google Workspace data (Gmail and Calendar)
With your explicit OAuth consent, Amy accesses the following from your Google account:
| Data | Why |
|---|---|
| Gmail message metadata (sender, subject, timestamps, labels) | Triage and prioritization |
| Gmail message bodies (text content) | Summarization and draft-reply generation |
| Gmail drafts (created in your own Gmail) | To let you one-tap send from the Amy app |
| Calendar events (title, time, attendees, location, description) | Morning brief, conflict awareness, availability |
| Google Tasks (task titles, due dates, completion status) | Daily brief task summary and task completion from within Amy |
Amy uses the Google OAuth scopes openid, email, profile, https://www.googleapis.com/auth/gmail.modify, https://www.googleapis.com/auth/calendar.events, and https://www.googleapis.com/auth/tasks.
2.3 Voice notes
If you use Amy's voice features, we temporarily process your audio to transcribe what you said. Audio is streamed to a transcription provider (Deepgram, with OpenAI Whisper as a fallback), transcribed, and the raw audio is then discarded. Only the text transcript is retained, and only for as long as needed to act on your request.
2.4 Usage and diagnostic information
We collect basic usage data (timestamps of briefs, feature interactions, error logs) to keep Amy reliable. This data does not include the content of your emails or calendar events.
3. How We Use Information
Amy uses your information only to provide and improve the service you asked for:
- Morning brief assembly— combine calendar, priority emails, and news into a short daily summary.
- Email triage— rank incoming messages by urgency and summarize threads.
- Draft-reply generation— suggest replies you can edit or send with one tap.
- Voice-note processing— transcribe short audio messages you record in the app.
- Service operation— send you push notifications, authenticate requests, and debug issues.
Amy does not sell your data, show you advertising, or use your content to train AI models.
4. Limited Use of Google User Data
Amy's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain language, this means:
- We only use Google user data to provide or improve user-facing features of Amy that are prominent in the user interface.
- We do not transfer Google user data to others unless doing so is necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy requirements.
5. Data Storage and Retention
- Where— Data is stored in Supabase (PostgreSQL, encrypted at rest) and processed in AWS Lambda (us-east-1). Secrets and OAuth tokens are stored encrypted in AWS Secrets Manager.
- What we store— We store short summaries generated from your email and calendar content, not raw email bodies. Calendar events are cached to power the morning brief. Voice-note audio is transient and is discarded after transcription.
- How long— Summaries and cached calendar data are retained for 90 days from creation, then automatically deleted. Account metadata is retained for the life of your account.
- Deletion— When you delete your Amy account, all associated data is deleted from our systems and we revoke your Google OAuth tokens.
6. Third-Party Processors
Amy relies on the following processors to operate. Each is bound by its own terms; none of them train AI models on your personal data:
| Processor | Purpose |
|---|---|
| Anthropic (Claude API) | Summarization, triage, draft generation. API terms prohibit training on customer data. |
| OpenAI (Whisper / TTS fallback) | Fallback transcription and voice output. API terms prohibit training on customer data. |
| Deepgram | Primary voice transcription. |
| Supabase | Database and authentication backend. |
| Vercel | Hosting of the Amy web app. |
| Clerk | User authentication. |
| AWS (Lambda, Secrets Manager, us-east-1) | Compute and secrets. |
| Firebase Cloud Messaging (FCM) | Push notification delivery. |
| Stripe | Payment processing (credit card handling, billing, subscription management). Amy does not store credit card numbers. |
7. What Amy Does NOT Do
- We do not sell or rent your data to anyone.
- We do not show you advertising.
- We do not use your email content, calendar content, or voice notes to train AI models.
- No human at Amy reads your email or calendar content, except where strictly required to investigate abuse or as required by law.
8. Your Rights and Choices
You can:
- Access— See the data Amy has about you by visiting your account settings.
- Delete— Delete your Amy account at any time. This cascades to all stored summaries, drafts, and cached data.
- Revoke Google access— Revoke Amy's OAuth permissions at any time at myaccount.google.com/permissions. This immediately cuts Amy off from your Gmail and Calendar.
- Contact us — Email support@amyea.com for any request.
Depending on where you live, you may have additional rights under laws such as GDPR or CCPA. Contact us and we will honor applicable rights.
9. Security
We take reasonable measures to protect your data, including:
- HTTPS/TLS for all traffic
- Encryption at rest (Supabase)
- OAuth tokens encrypted in AWS Secrets Manager
- Row-level security (RLS) on the database, so users can only access their own rows
- No raw email bodies retained after summarization
- Principle of least privilege for service accounts
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you as required by applicable law.
10. Children's Privacy
Amy is not directed at children under 13. We do not knowingly collect information from children under 13. If we learn we have collected such information, we will delete it. (Our Terms of Service require users to be 18 or older.)
11. International Users and Transfers
Amy is operated from the United States and processes data in AWS us-east-1 (Northern Virginia). If you use Amy from outside the United States, you understand and consent to the transfer of your data to the United States for processing.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) at least 30 days before the change takes effect. Continued use of Amy after the effective date means you accept the updated policy.
13. Contact
Questions about this policy? Reach out:
- Email: support@amyea.com
- Developer: Shawn Hanson (Amy)
- Website: https://amyea.com
This policy was last updated on April 12, 2026.