Tacitry

Privacy

Last updated 2026-05-07

What we collect

When you connect your Google account, Tacitry receives an OAuth token from Google that lets us read and modify your Gmail and read/write your Google Calendar on your behalf. We also receive your name, email, and profile photo from Google for sign-in.

We never collect data from any account you have not explicitly connected.

What we do with it

On your initial connection, Tacitry analyzes up to 300 of your most recent sent messages to learn your writing style. The bodies of those messages are processed in memory and discarded; only extracted style patterns (tone, signature, common phrases) are retained.

When a new email arrives, Tacitry drafts a reply for you to accept, edit, or reject. The thread context required to draft is fetched on demand and not stored beyond what's needed to render the draft.

Calendar events are read on demand to inform replies and to propose times. Events are created or updated only when you explicitly accept a draft that schedules.

Knowledge base. If you upload documents (PDFs, Markdown, plain text, HTML, or a URL) under Settings → Knowledge base, Tacitry stores those files in its private Supabase Storage bucket and indexes their content as searchable chunks with vector embeddings. When you receive an email asking a question whose answer is in those documents, the relevant passages are retrieved and included in the prompt that drafts your reply, so the draft can be grounded in your own material. Documents you upload are retained until you delete them — there is no auto-purge.

Connectors

Connectors are third-party integrations you authorize Tacitry to read so drafts can cite who the recipient is and what stage their deal or relationship is in. Each connector is opt-in and connected from Settings → Connectors.

What we cache locally, per connector. Tacitry stores only the fields listed below — a strict allowlist enforced at ingest time and again when fields are inserted into the drafting prompt (a two-tier control so a future ingest bug can't leak fields into a draft).

  • HubSpot (OAuth via MCP) — deal stage and name, deal amount bucket, contact lifecycle stage, company industry.
  • Salesforce (OAuth via MCP, per-org server URL) — account stage and size bucket, opportunity stage and amount bucket.
  • Notion (OAuth via MCP) — for pages classified as contact notes, a 280-character summary keyed to the contact email. Pages classified as KB go through the existing knowledge-base pipeline.
  • Attio (OAuth via MCP) — deal stage and name, company industry.
  • Apollo (BYO API key) — person title, company industry and size bucket.
  • Hunter (BYO API key) — sender email deliverability verification only. Used as internal telemetry; never appears in drafts.

What we do NOT cache from connectors. Free-text notes, internal CRM notes, intent or signal scores, LinkedIn URLs, phone numbers, personal email addresses, bank or financial details, and anything else not in the per-connector allowlist above. The two-tier allowlist (applied at ingest and again when the prompt is built) is the technical control that enforces this.
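
The two-tier allowlist described above, sketched as an added example (not Tacitry's code): field names are hypothetical stand-ins for the per-connector lists, and the sample record is constructed. It shows the second tier dropping non-allowlisted fields even when a simulated ingest bug lets a raw record into the cache, and Hunter data never reaching a prompt.

```python
# Added illustration; field names are hypothetical, not Tacitry's schema.
INGEST_ALLOWLIST = {
    "hubspot": {"deal_stage", "deal_name", "deal_amount_bucket",
                "contact_lifecycle_stage", "company_industry"},
    "attio": {"deal_stage", "deal_name", "company_industry"},
    "apollo": {"person_title", "company_industry", "company_size_bucket"},
    "hunter": {"email_deliverability"},
}
# Second tier: what may reach a draft prompt. Hunter data is telemetry only.
PROMPT_ALLOWLIST = {**INGEST_ALLOWLIST, "hunter": set()}


def _filter(record, allowlist, provider):
    allowed = allowlist.get(provider, set())  # unknown provider: nothing passes
    return {k: v for k, v in record.items() if k in allowed}


def ingest(provider, raw_record):
    """Tier 1: keep only allowlisted fields before anything is cached."""
    return _filter(raw_record, INGEST_ALLOWLIST, provider)


def prompt_facts(provider, cached_row):
    """Tier 2: re-apply the allowlist when building the prompt, so a row that
    slipped past ingest cannot carry extra fields into a draft."""
    return _filter(cached_row, PROMPT_ALLOWLIST, provider)


# Constructed sample record, shaped like a CRM API response.
RAW_HUBSPOT = {
    "deal_stage": "negotiation",
    "deal_name": "Acme renewal",
    "deal_amount_bucket": "10k-50k",
    "notes": "call CFO on mobile",  # free-text note: must never be cached
    "phone": "+1-555-0100",         # constructed value
}

if __name__ == "__main__":
    print("cached:", ingest("hubspot", RAW_HUBSPOT))
    # Simulate an ingest bug that wrote the raw record straight to the cache.
    print("prompt after ingest bug:", prompt_facts("hubspot", RAW_HUBSPOT))
    print("hunter in prompt:",
          prompt_facts("hunter", {"email_deliverability": "valid"}))
```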

Notion scope minimization. Connecting Notion requires you to explicitly select which top-level pages Tacitry can read after the OAuth grant. The default selection is empty — Tacitry reads nothing until you choose.

BYO API key custody. Apollo and Hunter use your own API key. Tacitry encrypts the key at rest with libsodium SecretBox, in the same key vault as your Google OAuth tokens, and calls the vendor on your behalf with it. Per-call costs are billed by Apollo or Hunter directly to you, not to Tacitry.

Disconnect. Disconnecting a connector revokes the OAuth grant or key with the vendor (where supported), purges all cached contact-fact rows for that provider in your workspace, and deletes the account row. The audit log retains the disconnect event.

Data minimization

Tacitry uses third-party LLM providers (Anthropic, configured for zero-retention) to draft replies. If you'd rather have a fully on-device experience with no third-party model calls, install the Tacitry Extension instead — it's a separate, free product that runs entirely in your browser.

What we delete, and when

  • Bootstrap message bodies: discarded within 7 days of being processed (enforced via scheduled job).
  • Action payloads (drafts, proposed schedule changes): retained for 90 days, then purged.
  • Style patterns and corrections: retained for as long as you use the service, since they are how the agent learns your judgment.
  • Knowledge base documents: retained until you delete them. Deletion from Settings → Knowledge base removes the file from storage and all derived chunks and embeddings immediately.
  • Connector contact-fact rows: any row untouched for 30 days is purged by a daily pg_cron job.
  • Connector domain enrichment rows: 90 days.
  • Connector person enrichment rows: 30 days.
  • Audit log rows: kept for the lifetime of the workspace.
  • Account deletion: when you delete your account, every row tied to your workspace is removed within 7 days, including any knowledge-base documents.

What we do NOT do

  • We do not train any model on your email content.
  • We do not share your data with advertisers.
  • We do not read messages from other users to inform what we generate for you, and vice versa.
  • We do not use the gmail.readonly scope. We use only gmail.modify, gmail.send, and gmail.settings.basic.

Subprocessors

Tacitry-controlled subprocessors handle the core service. Connector providers are user-initiated — you authorize each one individually, and Tacitry only calls them while the connector is active.

Tacitry-controlled.

  • Anthropic — drafting and classification calls; also generates short situating summaries for knowledge-base chunks. Configured for zero-retention.
  • Voyage AI — embedding model for knowledge-base documents and queries. Document text is sent only to compute the embedding vector and is not retained by the provider.
  • Cohere — reranking of knowledge-base search results. Query and candidate passages are sent only to compute relevance scores.
  • Supabase — Postgres database (US region), authentication, and Storage for uploaded knowledge-base files.
  • Fly.io — application hosting (US region).
  • Cloudflare — landing page and CDN.
  • Stripe — payment processing.
  • Sentry — error reporting.

Connector providers (user-initiated). Used only when you connect the integration. Each is governed by the vendor's own privacy terms.

  • HubSpot — CRM read access for the allowlisted fields above.
  • Salesforce — CRM read access for the allowlisted fields above.
  • Notion — read access scoped to pages you select after OAuth.
  • Attio — CRM read access for the allowlisted fields above.
  • Apollo — person and company enrichment, called with your own API key.
  • Hunter — email deliverability verification, called with your own API key.

Your rights

You can export everything Tacitry holds about you, or delete it entirely, at any time. Email privacy@tacitry.app and we will respond within 7 days.

You can revoke Tacitry's access to your Google account at any time from your Google account permissions page.

Contact