Privacy Policy
Effective date: April 12, 2026 · Last updated: April 20, 2026
1. Introduction
Amy (“Amy”, “we”, “us”, or “our”) is an AI executive assistant that helps you stay on top of your email and calendar. Amy reads your Gmail and Google Calendar (with your explicit consent), prepares a morning brief, triages incoming messages, and can draft replies for you to review and send. Amy is built by Shawn Hanson (operating as “Amy EA LLC”, a Delaware limited liability company).
This Privacy Policy explains what information Amy collects, how we use it, who we share it with, and the choices you have. If you have questions, contact us at support@amyea.com.
2. Information We Collect
2.1 Account information
When you sign up for Amy, we collect:
- Your name and email address (from Google Sign-In and/or Clerk authentication)
- A unique account identifier
- Device information needed to deliver push notifications (e.g., FCM device tokens)
2.2 Google Workspace data (Gmail and Calendar)
With your explicit OAuth consent, Amy accesses the following from your Google account:
| Data | Why |
|---|---|
| Gmail message metadata (sender, subject, timestamps, labels) | Triage and prioritization |
| Gmail message bodies (text content) | Summarization and draft-reply generation |
| Gmail drafts (created in your own Gmail) | To let you one-tap send from the Amy app |
| Calendar events (title, time, attendees, location, description) | Morning brief, conflict awareness, availability |
| Google Tasks (task titles, due dates, completion status) | Daily brief task summary and task completion from within Amy |
| Google Contacts (names, email addresses) | Relationship context in briefs and email drafts |
Amy uses the Google OAuth scopes openid, email, profile, https://www.googleapis.com/auth/gmail.modify, https://www.googleapis.com/auth/calendar.events, https://www.googleapis.com/auth/tasks, and https://www.googleapis.com/auth/contacts.
2.3 Voice notes
If you use Amy's voice features, we temporarily process your audio to transcribe what you said. Audio is streamed to a third-party speech-to-text provider, transcribed, and the raw audio is then discarded. Only the text transcript is retained, and only for as long as needed to act on your request.
2.4 Usage and diagnostic information
We collect basic usage data (timestamps of briefs, feature interactions, error logs) to keep Amy reliable. This data does not include the content of your emails or calendar events.
3. SMS Messaging
Amy sends SMS text messages to users who have voluntarily provided their phone number and consented to receive messages. Use cases: (1) one-time verification codes during sign-up and phone verification, (2) account security notifications (such as new device sign-in alerts), (3) user-configured activity notifications (new brief ready, meeting prep complete, email drafts awaiting review). Amy does not send promotional or marketing SMS content. SMS data is not shared with third parties beyond our SMS delivery provider (AWS End User Messaging).
Users may opt out at any time by replying STOP to any Amy SMS or by removing their phone number in Account Settings. Message frequency varies based on user account activity and notification preferences. Standard messaging and data rates from the user's mobile carrier may apply.
4. How We Use Information
Amy uses your information only to provide and improve the service you asked for:
- Morning brief assembly— combine calendar, priority emails, and news into a short daily summary.
- Email triage— rank incoming messages by urgency and summarize threads.
- Draft-reply generation— suggest replies you can edit or send with one tap.
- Voice-note processing— transcribe short audio messages you record in the app.
- Service operation— send you push notifications, authenticate requests, and debug issues.
Amy does not sell your data, show you advertising, or use your content to train AI models.
5. Limited Use of Google User Data
Amy's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain language, this means:
- We only use Google user data to provide or improve user-facing features of Amy that are prominent in the user interface.
- We do not transfer Google user data to others unless doing so is necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy requirements.
6. Data Storage and Retention
- Where— Data is stored in a cloud database (PostgreSQL, protected by AES-256 disk-level encryption at rest) and processed in serverless compute functions (us-east-1). Google OAuth tokens are managed by our authentication provider; Amy retrieves short-lived access tokens via a secure proxy and does not store Google refresh tokens directly.
- What we store— We store short summaries generated from your email and calendar content, not raw email bodies. Calendar events are cached to power the morning brief. Voice-note audio is transient and is discarded after transcription.
- How long— Summaries and cached calendar data are retained for 90 days from creation, then automatically deleted. Account metadata is retained for the life of your account.
- Deletion— When you delete your Amy account, all associated data is deleted from our systems and we revoke your Google OAuth tokens.
7. Third-Party Processors
Amy relies on the following processors to operate. Each is bound by its own terms; none of them train AI models on your personal data:
| Category | Purpose |
|---|---|
| AI language model provider | Summarization, triage, and draft generation. API terms prohibit training on customer data. |
| AI text-to-speech provider | Converting brief text to audio for voice playback. API terms prohibit training on customer data. |
| AI speech-to-text provider | Primary voice transcription of audio notes. |
| Cloud database provider | Persistent data storage (PostgreSQL). |
| Cloud hosting and serverless compute | Hosting the Amy web app and running backend processing functions. |
| Authentication and identity provider | User authentication and Google OAuth token management. |
| Push notification service | Push notification delivery to mobile and web devices. |
| Payment processor | Payment processing (credit card handling, billing, subscription management). Amy does not store credit card numbers. |
| Workflow orchestration platform | Coordinating multi-step backend workflows (e.g., brief assembly and delivery). |
| News aggregation API | Fetching relevant news headlines for inclusion in daily briefs. |
| Cloud messaging infrastructure | Reliable message delivery between backend services. |
8. What Amy Does NOT Do
- We do not sell or rent your data to anyone.
- We do not show you advertising.
- We do not use your email content, calendar content, or voice notes to train AI models.
- No human at Amy reads your email or calendar content, except where strictly required to investigate abuse or as required by law.
9. Your Rights and Choices
You can:
- Access— See the data Amy has about you by visiting your account settings.
- Delete— Delete your Amy account at any time. This cascades to all stored summaries, drafts, and cached data.
- Revoke Google access— Revoke Amy's OAuth permissions at any time at myaccount.google.com/permissions. This immediately cuts Amy off from your Gmail and Calendar.
- Contact us — Email support@amyea.com for any request.
Depending on where you live, you may have additional rights under laws such as GDPR or CCPA. Contact us and we will honor applicable rights.
10. Security
We take reasonable measures to protect your data, including:
- HTTPS/TLS for all traffic
- AES-256 disk-level encryption at rest on the database
- Google OAuth tokens managed by our authentication provider; Amy retrieves short-lived access tokens via a secure proxy and does not store Google refresh tokens directly
- Row-level security (RLS) on the database, so users can only access their own rows
- No raw email bodies retained after summarization
- Principle of least privilege for service accounts
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you as required by applicable law.
11. Children's Privacy
Amy is not directed at children under 13. We do not knowingly collect information from children under 13. If we learn we have collected such information, we will delete it. (Our Terms of Service require users to be 18 or older.)
12. International Users and Transfers
Amy is operated from the United States and processes data in AWS us-east-1 (Northern Virginia). If you use Amy from outside the United States, you understand and consent to the transfer of your data to the United States for processing.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) at least 30 days before the change takes effect. Continued use of Amy after the effective date means you accept the updated policy.
14. Contact
Questions about this policy? Reach out:
- Email: support@amyea.com
- Developer: Shawn Hanson (Amy)
- Website: https://amyea.com
This policy was last updated on April 20, 2026.