Privacy Policy

Viltreon (“we,” “us,” “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you use our website, applications, and services.

1. Scope

This Privacy Policy applies to:

• visitors to our website;
• account holders and users of our Service;
• individuals who connect Gmail or Google accounts to the Service;
• people who contact us for support or other inquiries.

2. Information we collect

Information you provide directly

• name
• email address
• account login information (via Google sign-in)
• billing information (handled by Stripe)
• support messages
• any information you choose to send us

Information collected through the Service. If you connect a Gmail or Google account, we process the following to provide the Service. We distinguish between what we store and what we only handle in memory during a single classification and then discard:

• Stored: account identifiers (name, email), your OAuth access and refresh tokens (encrypted at rest), your AI API key (encrypted at rest), your label structure (names and IDs), service settings and preferences, and a sort log for each classified email consisting of the label applied, the confidence score, and the model used (retained at most 30 days, then deleted).
• Processed in memory only, never written to our database or logs: message bodies and attachments, sender addresses, and recipient lists. These are used for the few seconds it takes to generate a label and are then discarded.

Information collected automatically

• IP address, browser type, device type, operating system
• pages visited, timestamps
• error and performance logs related to your use of the Service

3. How we use information

We use personal information to:

• provide, operate, and maintain the Service;
• sort, classify, organize, or manage email as requested;
• authenticate users and manage accounts;
• process payments and subscriptions;
• communicate with you about your account, security, billing, and the Service (transactional messages);
• with your permission, send product updates, beta announcements, and other Service-related news, which you can opt out of at any time;
• provide support and respond to inquiries;
• detect, prevent, and investigate fraud, abuse, and security incidents;
• debug, improve, and optimize the Service;
• comply with legal obligations.

We send two kinds of email: essential account, security, and billing messages tied to your use of the Service, and non-essential product updates and beta announcements. You can unsubscribe from non-essential email at any time using the link in those messages or by contacting us; we will still send essential messages while your account is active.

4. Gmail and Google data; Limited Use

If you connect a Gmail or Google account, we access only the data necessary to provide the Service based on the permissions you authorize. We may use Gmail-related data to analyze and sort emails, apply labels and categories, perform user-requested automations, and maintain your account settings and preferences.

What we never do.Google’s permission screen lists the ability to read, compose, and send email. That is because Gmail bundles those capabilities into a single permission (gmail.modify), which is the only permission that lets an inbox organizer move a message between labels. Viltreon uses it for exactly that and nothing more: it reads a newly arrived message and re-files it. We never send, compose, forward, reply to, draft, or delete email. Our application code contains no send or delete operations of any kind.

Viltreon’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• we use Gmail data only to provide and improve the user-facing sorting feature you signed up for;
• we do not transfer Gmail data except as necessary to provide that feature, with your consent, for security, or to comply with law;
• we do not use Gmail data for advertising;
• we do not allow humans to read your Gmail data, except with your consent for specific messages, where necessary for security or to comply with law, or where the data has been aggregated and anonymized;
• we do not sell Gmail data, and we do not use it to train generalized AI or machine-learning models.

5. Legal bases for processing

Where required by law, including for users in the European Economic Area, the United Kingdom, or similar jurisdictions, we may process personal information based on:

• your consent;
• performance of a contract;
• our legitimate interests;
• compliance with legal obligations.

6. How we share information

We do not sell or rent your data. We may share personal information with:

• service providers and subprocessors that help us operate the Service (hosting, database, queue, classification, email delivery);
• payment processors (Stripe);
• analytics, monitoring, and security providers;
• professional advisers such as lawyers, accountants, and auditors;
• law enforcement, regulators, or others when required by law;
• a buyer or successor in connection with a merger, acquisition, financing, or sale of assets.

We require service providers to use personal information only as needed to provide services to us and to protect it with appropriate safeguards.

7. International transfers

Your information may be stored and processed in Canada, the United States, or other countries where we or our service providers operate. Those countries may have different privacy laws than your home jurisdiction. Where required for transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the Standard Contractual Clauses.

8. Data retention

We keep personal information only as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required by law. Retention may depend on whether your account is active, whether we must keep records for legal, tax, or accounting reasons, security and fraud prevention needs, and backup and disaster recovery cycles.

If you delete your account or disconnect your Gmail account, we will take reasonable steps to delete or de-identify related personal information, subject to legal, technical, or backup limitations.

9. Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal information, including AES-256 encryption of tokens and keys at rest and HTTPS in transit. However, no system is completely secure, and we cannot guarantee absolute security.

10. Your rights and choices

Depending on where you live, you may have rights to:

• access your personal information;
• correct inaccurate information;
• delete certain information;
• withdraw consent;
• object to or restrict certain processing;
• request portability, where applicable.

To exercise your rights, contact us at support@viltreon.com. You may also disconnect your Gmail account from within the Service or from your Google Account permissions page.

11. Cookies and analytics

We use a small number of strictly necessary cookies (set by NextAuth) to keep you signed in and to protect sign-in against cross-site request forgery; they are HttpOnly, Secure, and SameSite=Lax. We do not use advertising cookies or third-party tracking pixels. For the full list, see our Cookie Notice. If we introduce analytics, we will update this Policy and, where required, provide a cookie preference tool.

12. Children’s privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children without lawful authorization. If we learn that we have, we delete it.

13. Third-party services and links

Our website and Service may link to third-party websites or integrate with third-party services. We are not responsible for the privacy practices, content, or security of those third parties.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law or through the Service, and update the “Effective date” above.

15. Contact us

If you have questions or privacy requests, contact us. For users in the EEA or UK, the data controller is Viltreon, Edmonton, Alberta, Canada.

• Viltreon
• Edmonton, Alberta, Canada
• support@viltreon.com