Privacy Policy
Effective date: March 7, 2026 | Last updated: March 27, 2026
This Privacy Policy describes how InnovateIQ (“we,” “us,” or “our”) collects, uses, and protects information when you use Butler OS (“the Service”) at useinboxbutler.com. Butler OS is an AI-powered email triage and draft-generation service that integrates with Microsoft 365 and Gmail. We have designed the Service from the ground up around a zero-retention model: your email content is never written to our databases, logs, or any external storage.
1. Information We Collect
1.1 Account and Identity Information
When you authenticate via Microsoft OAuth 2.0, we receive and store:
- Your Microsoft Object ID (OID) and Tenant ID (TID) — used to identify your account and organization
- Your display name and work email address — used to populate your profile and send service notifications
- Your organization’s Microsoft tenant domain
We do not store your Microsoft account password. Authentication is handled entirely by Microsoft.
If you authenticate via Google OAuth 2.0, we receive and store:
- Your Google User ID (the OpenID Connect sub claim) — used as a stable identifier for your account
- Your Gmail address and display name — used to populate your profile and send service notifications
We do not store your Google account password. Authentication is handled entirely by Google.
1.2 OAuth Tokens
To operate on your behalf, we store OAuth access and refresh tokens for each connected mailbox. All tokens are encrypted at rest using AES-256-GCM before being written to our database and are decrypted in memory only when making API calls on your behalf.
For Microsoft 365 accounts, we store your Microsoft OAuth access token and refresh token. We use these tokens only to read your inbox, set email categories, and create draft replies — the exact permissions you granted during sign-in.
For Gmail accounts, we store your Google OAuth access and refresh tokens. We use these solely to read inbox messages, create Butler/* Gmail labels, save draft replies to your Gmail Drafts folder, mark messages read or unread, and register real-time push notifications via Google Cloud Pub/Sub.
1.3 Voice Profile and Preferences
During onboarding, you answer a questionnaire about your communication style. The resulting voice profile (a description of your writing preferences and category rules) is encrypted with AES-256-GCM and stored in our database. It is decrypted in memory only when generating a draft reply, and is never logged or transmitted to third parties.
1.4 Usage and Billing Records
We store operational records necessary to provide the Service and manage billing:
- Count of emails triaged and drafts generated (no email content)
- Model used, latency, and error codes for each operation
- Subscription plan, trial dates, and billing status via Stripe
Billing and payment information (credit card numbers, etc.) is handled entirely by Stripe and is never transmitted to or stored on our servers.
1.5 Email Content — Zero-Retention Policy
We do not store, log, or retain your email content. When a new email arrives in your inbox, the following occurs entirely in memory:
For Microsoft 365 accounts:
- We fetch the email body, subject, and sender from Microsoft Graph API
- We pass the content to Claude AI (Anthropic) for triage classification
- We apply the resulting category to your email in Microsoft 365
- If a draft reply is warranted, we generate and save it directly to your Microsoft 365 Drafts folder
- All email content variables are discarded — they are never written anywhere
For Gmail accounts:
- We fetch the email body, subject, and sender from Gmail API
- We pass the content to Claude AI (Anthropic) for triage classification
- We apply a Butler/{category} label to the message in Gmail
- If a draft reply is warranted, we generate and save it directly to your Gmail Drafts folder
- All email content variables are discarded — they are never written anywhere
Our Anthropic AI agreement includes Zero Data Retention (ZDR), meaning Anthropic does not retain your email content for model training or any other purpose.
2. Microsoft Graph API Permissions
Butler OS requests the following delegated Microsoft Graph permissions. No admin consent is required.
| Permission | Purpose |
|---|---|
| User.Read | Read your profile (name, email, tenant ID) for account setup |
| Mail.Read | Read inbox messages for AI triage classification |
| Mail.ReadWrite | Apply email categories and create draft replies in your Drafts folder |
| offline_access | Obtain a refresh token to maintain access without repeated sign-in prompts |
We request Mail.ReadWrite solely to (a) set category labels on emails and (b) save draft replies to your Drafts folder. We do not send email on your behalf (Mail.Send is not requested).
You may revoke these permissions at any time via your Microsoft account at myapps.microsoft.com or by disconnecting from the Settings page within Butler OS.
2a. Google API Permissions (Gmail)
If you connect a Gmail account, Butler OS requests the following Google OAuth scopes. These are requested via the standard Google OAuth consent screen and require your explicit approval.
| Scope | Purpose |
|---|---|
| openid, email, profile | Authenticate your identity; read your name and Gmail address for account setup |
| https://www.googleapis.com/auth/gmail.modify | Read inbox messages for AI triage; create Butler/* labels and apply them to messages; save AI-generated draft replies to your Gmail Drafts folder; mark messages read or unread; register and deregister real-time push notifications via Google Cloud Pub/Sub (required by the Gmail watch API) |
We request gmail.modify because gmail.readonly does not permit label creation, label assignment, draft creation, or watch registration — all of which are required to deliver Butler OS’s core features. We do not request gmail.send; Butler OS never sends email on your behalf.
At connect time, Butler OS also reads your Gmail send-as settings (gmail.googleapis.com/gmail/v1/users/me/settings/sendAs) to fetch your existing email signature. This signature is stored in our database and appended to AI-generated drafts so replies match your normal email format. You can view and edit this signature at any time from the Butler OS Settings page.
You may revoke Gmail access at any time via your Google Account at myaccount.google.com/permissions or by disconnecting from the Settings page within Butler OS. Disconnecting removes the stored OAuth tokens from our database and deregisters the Gmail push notification subscription.
Butler OS’s use of Google APIs and the data received from those APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. How We Use Your Information
We use the information we collect exclusively to:
- Authenticate and identify your account
- Operate the email triage and draft-generation features on your behalf
- Provide usage statistics and time-savings metrics on your dashboard
- Send transactional emails (weekly summaries, trial reminders, incident notifications)
- Calculate and process billing via Stripe
- Diagnose errors and improve service reliability
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Data Storage and Security
4.1 Data Residency
Our infrastructure is hosted on Railway in the United States. Our PostgreSQL database and Redis instance are both Railway-managed services operating in the US region.
4.2 Encryption
- In transit: All communication between your browser and our API, and between our API and the Microsoft Graph, Gmail, and Anthropic APIs, uses TLS 1.2 or higher
- At rest: OAuth tokens and voice profiles are encrypted using AES-256-GCM with a server-held master key before being written to the database
- Payment data: Processed by Stripe; we never see or store card numbers
4.3 Access Controls
Our database uses PostgreSQL Row-Level Security (RLS) to enforce tenant isolation: every application query is filtered by the authenticated organization's tenant ID, so a request made on behalf of one organization cannot read or modify another organization's rows. All database queries are parameterized to prevent SQL injection.
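The following is an added illustration of the isolation pattern described above; it is not Butler OS's schema or code, and the table, column, role and setting names (mailbox_tokens, butler_app, app.tenant_id) are hypothetical. It shows the one check a practitioner would want when auditing an RLS-based tenant boundary: PostgreSQL does not apply RLS to the table's owner or to superusers unless FORCE ROW LEVEL SECURITY is set, so the application must connect as a non-owner role, and the per-request tenant setting must be transaction-scoped so a pooled connection cannot leak it to the next request.

```sql
-- Added example, not Butler OS's schema. All names below are hypothetical.
CREATE TABLE mailbox_tokens (
    id               bigserial PRIMARY KEY,
    tenant_id        text NOT NULL,       -- Microsoft TID or Google Workspace domain
    user_id          text NOT NULL,       -- Microsoft OID or Google sub
    token_ciphertext bytea NOT NULL,      -- AES-256-GCM output; plaintext is never stored
    created_at       timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that does NOT own the table.
-- Table owners and superusers bypass RLS unless it is forced.
CREATE ROLE butler_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON mailbox_tokens TO butler_app;
GRANT USAGE, SELECT ON SEQUENCE mailbox_tokens_id_seq TO butler_app;

ALTER TABLE mailbox_tokens ENABLE ROW LEVEL SECURITY;
ALTER TABLE mailbox_tokens FORCE ROW LEVEL SECURITY;   -- also binds the owner

-- One policy covering reads and writes, keyed on a per-transaction setting.
-- current_setting(name, true) returns NULL when the setting is absent, and
-- "tenant_id = NULL" is never true, so a request that forgot to set the
-- tenant can neither see nor write any row (fail closed).
CREATE POLICY tenant_isolation ON mailbox_tokens
    FOR ALL TO butler_app
    USING      (tenant_id = current_setting('app.tenant_id', true))
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true));

-- Per request, after the caller's identity token has been verified:
BEGIN;
-- is_local = true scopes the setting to this transaction, so it is cleared
-- before a pooled connection is handed to the next request. With a driver,
-- bind the tenant ID as a parameter instead of interpolating it.
SELECT set_config('app.tenant_id', 'contoso-tenant-id', true);
-- Returns only rows for contoso-tenant-id, whatever WHERE clause is supplied.
SELECT id, user_id FROM mailbox_tokens;
-- An INSERT for another tenant is rejected by the WITH CHECK clause.
INSERT INTO mailbox_tokens (tenant_id, user_id, token_ciphertext)
    VALUES ('fabrikam-tenant-id', 'u-1', '\x00');   -- ERROR: new row violates row-level security policy
ROLLBACK;
```

Two things to verify on a deployment that makes this claim: that the role the application actually logs in with is not the owner of the tenant tables (or that FORCE ROW LEVEL SECURITY is set on every one of them), and that the tenant setting is established with set_config(..., true) or SET LOCAL inside the transaction rather than a connection-level SET that survives the transaction.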
5. Data Retention and Deletion
We retain different data categories for different periods:
- Account data (name, email, OID/TID): Retained for the life of your account
- OAuth tokens: Retained while your account is active; deleted on account deletion or disconnect
- Voice profile: Retained while your account is active; deleted on request
- Usage event counts: Retained for 2 years for billing integrity, then purged
- Audit logs: Retained for 2 years; contain no email content
- Email content: Never stored — zero retention by design
To request deletion of your account and all associated data, contact us at [email protected]. We will complete deletion within 30 days and confirm by email.
6. Third-Party Services
We use the following third-party services to operate Butler OS:
| Service | Purpose | Data Shared |
|---|---|---|
| Microsoft Graph API | Inbox read, category assignment, and draft creation (the permissions listed in Section 2) | OAuth tokens; email content processed in memory only, never retained |
| Google Gmail API / Google Cloud Pub/Sub | Real-time Gmail inbox notifications; email read, label, and draft operations | OAuth tokens; email content processed in memory only, never retained |
| Anthropic (Claude AI) | Email triage and draft generation | Email content (in memory only, ZDR agreement — not retained) |
| Stripe | Subscription billing | Name, email, billing address |
| Railway | Cloud infrastructure hosting | All application data (hosted on Railway servers) |
7. Your Rights (GDPR and CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Receive your data in a machine-readable format
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interests
- Opt-out of sale: We do not sell personal data
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request.
8. Cookies and Tracking
Butler OS uses a single session cookie to maintain your authenticated session. This cookie is HttpOnly, Secure, and scoped to useinboxbutler.com. It expires after 7 days of inactivity. We do not use advertising cookies, third-party tracking pixels, or analytics cookies.
9. Children’s Privacy
Butler OS is designed for enterprise business use and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us immediately at [email protected].
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
InnovateIQ
Butler OS Support
[email protected]