Privacy Policy
1. Introduction
This Privacy Policy describes how gmail-api-transport ("the Application") accesses, uses, stores, and shares Google user data. The Application is an open-source project designed to deliver email messages to Gmail accounts via the Gmail API and IMAP protocols. It is intended for integration with mail transfer agents (such as Exim) and is primarily used by system administrators to route incoming mail to Gmail.
2. What This Application Does
The Application functions as a mail delivery transport that:
- Receives email messages from your mail transfer agent (e.g., Exim) via standard input
- Delivers these messages TO your Gmail account using the Gmail API or IMAP
- Does NOT read, access, or analyze your existing Gmail messages
- Processes all data locally on your mail server
- Performs minimal API connectivity checks (e.g., reading language settings for --test-api)
Important: This application delivers mail TO Gmail. It does not read existing Gmail messages, create backups, or export data FROM Gmail.
3. Google User Data Access
The Application requests access to the following Google Cloud API scopes:
For gmail-api-transport:
https://www.googleapis.com/auth/gmail.modify
- Purpose: To insert and import email messages into your Gmail mailbox using the Gmail API, to modify message labels (INBOX, UNREAD) after delivery to ensure proper visibility, and to read minimal account settings (language preference) for API connectivity testing.
- What we access: The application only uploads new messages to your Gmail account. It does not read, delete, or modify your existing messages.
For gmail-imap-transport:
https://mail.google.com/
- Purpose: To deliver email messages to your Gmail account using the IMAP APPEND command and to authenticate via the OAuth2 XOAUTH2 SASL mechanism.
- What we access: The application only appends new messages to your INBOX. It does not list, read, delete, or modify your existing messages.
4. How We Use Your Data
The Application uses Gmail API and IMAP access solely to deliver incoming email messages to your Gmail account. Specifically:
Data Collection:
- Email Messages: The application receives email messages from your mail transfer agent and temporarily holds them in memory during the delivery process (typically 1-10 seconds).
- OAuth2 Tokens: Your OAuth2 access and refresh tokens are stored locally on your server to authenticate with Gmail.
- Configuration Data: Settings such as timeout values, retry attempts, and file paths are stored in local configuration files.
Data Usage:
- Message Delivery: Email messages are uploaded to your Gmail account via the Gmail API (Import/Insert endpoints) or IMAP APPEND.
- Label Management: The application may add system labels (INBOX, UNREAD) to delivered messages to ensure they appear in your inbox.
- API Verification: When using the --test-api flag, the application reads your Gmail language setting to verify API connectivity.
- Local Processing Only: All message processing occurs locally on the machine where the Application is installed.
- No Analysis or Storage: The application does not analyze, index, or permanently store message content.
Data We Do NOT Collect or Use:
- We do NOT read your existing Gmail messages
- We do NOT access your Gmail contacts
- We do NOT access your Google Calendar, Drive, or other Google services
- We do NOT track your behavior or usage patterns
- We do NOT collect analytics or telemetry data
5. How We Store and Protect Your Data
Storage:
- OAuth2 Tokens: Stored in local JSON files on your server with restricted file permissions (0600 recommended).
- Email Messages: Held temporarily in system memory only during the delivery process (typically seconds), then immediately discarded.
- Configuration Files: Stored locally on your server.
- No Cloud Storage: No data is transmitted to or stored on servers operated by the developer.
Protection Mechanisms:
- File Permissions: Token and credential files should be secured with restrictive permissions (0600 or 0400).
- Atomic Writes: Token files are written atomically using temporary files and rename operations to prevent corruption.
- File Locking: Exclusive file locks prevent concurrent access corruption.
- TLS Encryption: All communication with Gmail uses TLS encryption.
- OAuth2 Security: Uses OAuth2 with refresh tokens; no passwords are stored.
- Local Processing: Messages never transit through third-party servers.
6. Data Retention and Deletion
- Email Messages: Retained in memory only for the duration of the delivery operation (typically 1-10 seconds), then immediately discarded.
- OAuth2 Tokens: Stored indefinitely on your local system until you manually delete them or revoke application access.
- Delivered Messages: Once delivered to Gmail, messages are subject to Gmail's retention policies and your Gmail account settings.
- User Control: You have full control over your local environment and can delete all application data at any time.
- Token Revocation: You can revoke the application's access at any time via your Google Account settings at https://myaccount.google.com/permissions
7. Data Sharing and Disclosure
The Application does not share your data with anyone. Specifically:
- No Third-Party Services: Email messages are delivered only to your Gmail account, not to any third-party services.
- No Developer Access: The developer (ScottESanDiego) does not have access to your emails, tokens, or any user data.
- No Analytics Services: No data is sent to analytics, tracking, or monitoring services.
- No Advertising Networks: No data is shared with advertising networks.
- Self-Hosted: The application runs entirely on your infrastructure.
- Open Source: The complete source code is available for audit at the GitHub repository.
Exception for Legal Requirements: As the application is self-hosted and the developer has no access to your data, the developer cannot disclose your data even if legally compelled. You are responsible for responding to any legal requests regarding data stored on your systems.
8. Limited Use Disclosure (Google Compliance)
gmail-api-transport's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- The application uses Google user data only to provide and improve the email delivery functionality described in this policy.
- No Google user data is used for serving advertisements.
- No Google user data is sold to third parties.
- No Google user data is used for purposes unrelated to the application's core mail delivery functionality.
- The application requests only the minimum scopes necessary for its functionality.
9. Security Practices
We implement and recommend the following security practices:
- Least Privilege: Run the application under a dedicated user account with minimal system privileges.
- File Permissions: Secure credential and token files with 0600 permissions.
- Regular Updates: Keep the application updated to receive security patches.
- Secure Configuration: Store configuration files outside web-accessible directories.
- Network Security: All Gmail API and IMAP communication uses TLS encryption.
- Audit Trail: The application can log operations for security auditing (logs should be secured appropriately).
10. Your Rights and Controls
As the application is self-hosted, you have complete control over your data:
- Access: You have direct access to all configuration files and logs on your system.
- Deletion: You can delete the application and all associated data at any time.
- Revocation: You can revoke the application's Gmail access at https://myaccount.google.com/permissions
- Modification: As an open-source application, you can modify the code to suit your needs.
- Audit: You can review the source code to verify data handling practices.
11. Children's Privacy
This application is not intended for use by individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). The application does not knowingly collect or process data from children. This application is designed for use by system administrators managing mail infrastructure.
12. International Data Transfers
The application processes data locally on your server. When messages are delivered to Gmail, they are subject to Google's data handling practices and may be transferred internationally according to Google's Privacy Policy. The application itself does not transfer data internationally.
13. Changes to This Privacy Policy
As this is an open-source project, any changes to how the application handles data will be reflected in the source code and this document. Users are encouraged to review the GitHub repository for updates, check the git commit history before updating to new versions, and review this privacy policy periodically for changes.
14. Third-Party Services
The Application interacts with the following third-party services:
- Google Gmail API: Used to deliver messages to your Gmail account. Subject to Google's Privacy Policy and Terms of Service.
- Google OAuth2: Used for authentication. Subject to Google's authentication policies.
The application does not integrate with any other third-party services.
15. Contact Information
If you have questions about this privacy policy or the Application's data handling practices, you can contact the developer via:
Note: As this is a self-hosted application, the developer does not have access to your data and cannot assist with data-specific requests. For data access, modification, or deletion, you must manage your own installation and Google Account permissions.