
Privacy Policy

Last Updated: September 25, 2025

1. Introduction

Untyped BV (“Untyped,” “we,” “us,” or “our”) operates the GetUntyped.ai email assistant (the “Service”), which integrates with Gmail to enhance email productivity using artificial intelligence (“AI”). This Policy explains how we collect, use, share, and protect your data, and your rights and choices.

Untyped BV is the data controller of your account and usage data. For Gmail/email content and data you submit into the Service, Untyped BV acts as a data processor on your behalf.

2. Information We Collect

Account details: General information collected through user input.

Gmail email Data (with consent): Email content (subject, body, attachments) and metadata (sender, recipient, dates, labels). May include limited historical backfill to enable features.

Usage Data: Feature usage, actions, timestamps, IP, device/browser info, cookies.

Google Account Information: Your name, email address, and authentication tokens obtained through OAuth.

Google User Data (Gmail): With your explicit consent, we access Gmail data needed to provide the Service. This may include:

  • Email content: subject lines, body text, and attachments.
  • Email metadata: sender and recipient information, labels, dates, and times.
  • Limited historical email messages to enable features like summarization or search.

Usage Data: Information about how you interact with the Service, such as features used, timestamps, device/browser information, IP address, and cookies.

Communications: Any information you provide when contacting us (e.g., support requests).

We may also create aggregated, de-identified, or anonymized data from your personal data, which no longer identifies you. We may use and share such data indefinitely for lawful business purposes, including analytics and service improvement.

3. How We Use Your Information

Untyped uses the personal data it collects in several ways:

Operating the Service: Your account details and email data enable us to deliver the main features of the Service. With your consent, we analyze emails to provide AI support such as drafting replies, summarizing conversations, scheduling, and other productivity tasks you request.

Improving the Service: We may rely on anonymized or aggregated data (which cannot be linked back to you) to learn how people interact with the Service and to enhance its functionality. This can include analyzing usage patterns or user feedback to refine our AI accuracy and overall experience. Where AI model improvement uses data, it is strictly in aggregated or de-identified form.

Communications: Contact information is used to reach you with essential updates, including security notifications, Service announcements, or support responses. If you have chosen to receive them, we may also send product news or marketing updates — you are free to opt out whenever you wish.

Legal and Security Compliance: We may also process data to meet legal or regulatory obligations, to respond to valid authority requests, and to ensure protection of the Service. This includes enforcing our Terms of Use, detecting or preventing abuse or fraud, and safeguarding the rights and safety of our users, Untyped, and others.

4. Google Data Use & Limited Use Disclosure

We integrate with Gmail via OAuth and the Gmail API. We comply with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Scope Minimization: We request only the minimum scopes needed for stated features.

Use Limitation: Gmail data is used solely to provide user-facing features (drafts, summaries, labels).

No Selling / No Ads: We do not sell Gmail data or use it for advertising.

Human Access: Humans do not read Gmail content except: (i) with your affirmative consent; (ii) for security/abuse, debugging, or to comply with law; or (iii) for internal operations after aggregation/anonymization.

Sharing Restrictions: Gmail data is only shared with subprocessors necessary to provide the Service, under confidentiality and data-protection agreements; not shared for independent use.

Revocation: You can revoke access anytime in your Google Account → Security → Third-party access.

Security: Gmail data is encrypted in transit and at rest; least-privilege access; audit logging of access; token storage encrypted with rotation.

Retention/Deletion: On account deletion or Gmail disconnection, Gmail data and derivatives (e.g., embeddings) are deleted within 30 days; logs within 90 days; backups purge on their normal cycle.

Security of Google User Data

We apply additional, purpose‑built controls to protect Gmail data obtained via the Google API:

Encryption: TLS 1.2+ in transit and AES‑256 at rest for application data and backups.

Token Security: OAuth tokens are stored encrypted, scoped minimally, and rotated periodically.

Access Controls: Role‑based, least‑privilege access with mandatory MFA for all staff accounts that could access production systems.

Logging and Audit: Access to Google user data is logged and auditable. We monitor for anomalous activity and investigate alerts.

Environment Isolation: Segregated production environment with network controls. Secrets and encryption keys are managed in a hardened key management service.

Data Minimization: Only the minimum necessary message data is processed for requested features. Snippets shared with subprocessors are minimized and, where feasible, redacted.

Secure Development: Code reviews, dependency scanning, vulnerability management, and timely patching SLAs.

Backups: Encrypted backups with regular restore testing. Backup retention follows the same deletion timelines noted above.

Incident Response: Documented incident response procedures, 24×7 monitoring, and breach notifications as required by law.

5. Data Shared with Third-Party AI Models

5.1 Data Shared with AI Models

To provide categorization and draft reply functionalities, our Service uses machine learning models from third-party AI providers. These providers may only use your data to deliver the Service and are prohibited from training their general models with it.

The following types of data may be shared:

  • Email Content and Data: Subject lines, body text, sender/recipient info.

This data is processed solely for the requested features and is never reused for other purposes.

All infrastructure hosting that supports this processing is provided through Microsoft Azure within the EEA.

5.2 User Consent for AI Processing

We obtain explicit user consent before sharing any data with AI models. At setup or upon material changes to this Policy, users are prompted to grant or renew consent for AI processing.

5.3 Zero Data Retention

Our AI providers operate under a Zero Data Retention policy, meaning they do not store customer API data on their servers.

6. Sharing Information

We never sell your data. We share only as needed to operate the Service:

Service Providers: Hosting, storage, auth, email, analytics (Vercel, Supabase, LangSmith, Google Cloud Platform).

AI Partners: To generate requested outputs (Microsoft Azure).

Marketing Site Analytics: We use limited, anonymized or pseudonymized analytics tools (e.g., Google Analytics, Meta Pixel) only on our public marketing website, not within the Service or on Gmail user data.

Legal/Business: When required by law, or if our business is sold, merged, or reorganized, your personal data may be transferred to the new owner, who will continue to use it under this Privacy Policy.

No Third-Party Transfers for Non-Service Purposes

Untyped does not transfer any user data to third parties for advertising, resale, credit evaluation, or any purpose other than providing or improving the functionality of our Service.

Use of Google user data

Untyped strictly prohibits the use of Google user data for any purpose other than providing or improving user-facing features of the Service. Specifically, Google user data is never used or transferred for purposes including, but not limited to: targeted advertising, selling to data brokers, providing to information resellers, determining credit-worthiness or lending purposes, user or personalized advertisements, retargeted or interest-based ads, creating standalone databases, or training AI or ML models.

7. Data Storage & Security

All data is stored and processed within the EEA. For international transfers, we use appropriate safeguards (e.g., SCCs). We encrypt data in transit/at rest, limit access on a need-to-know basis, and review controls regularly.

We also maintain protocols for detecting and responding to potential security incidents. If a personal data breach occurs, we will notify affected users and relevant regulators as legally required.

8. Data Retention

8.1 Internal data retention

We retain personal data only as long as necessary for the purposes described, considering the type of data, sensitivity, risk of harm, and applicable legal obligations. Specific timelines include:

Account & Email Data: Retained while your account is active; deleted within 30 days after account closure or Gmail disconnection.

Derived Data (e.g., embeddings): Deleted with underlying email data.

Analytics: Aggregated/de-identified up to 12 months.

Backups/Logs: Backups purge on normal cycles; access logs within 90 days.

8.2 Third Party Data Retention

We have a Zero Data Retention agreement with our AI service provider in which our provider does not store customer API data on their servers.

9. Your Rights

You may access, correct, delete, or export your data; withdraw consent; and opt out of marketing/analytics. EEA/UK users may object/restrict processing and complain to a supervisory authority. Contact hi@getuntyped.ai.

Access and Correction: You may access the personal data we hold about you and request corrections if it is inaccurate or incomplete. Most account details can be updated directly within the app, but for other data you can contact us to request access or correction.

Deletion (Right to be Forgotten): You may request deletion of your personal data, including emails and related data collected through the Service, by contacting us at hi@getuntyped.ai. Verified requests will be acted on within a reasonable timeframe and always within the limits required by law. As noted in Data Retention, full removal (including from backups) may take the maximum time permitted by law. If you disconnect Untyped from your Gmail account via your Google account settings, we will stop collecting new data immediately. You can then contact us to ensure previously stored data is removed.

Withdrawal of Consent: If we process your data based on consent (for example, the connection to your Gmail account via OAuth), you can withdraw that consent at any time. Disconnecting the Service through your Google account permissions stops any new data collection. You may also request deletion of previously collected data as described above.

Opt-Out of Marketing Communications: If you subscribed to optional updates or marketing messages, you may opt out at any time via the “unsubscribe” link in those messages or by contacting us. Essential transactional or security communications will continue, as they are necessary for Service operation.

Opt-Out of Analytics/Tracking: You can opt out of analytics tracking by enabling “Do Not Track” in your browser or by contacting us directly. Most browsers also allow cookies to be blocked or deleted, though this may reduce Service functionality (such as maintaining login sessions).

Authorized Agents: In certain jurisdictions (such as the EU, UK, or California), you may designate an authorized agent to submit requests on your behalf. We will verify both the identity of the requester and their authority to act for you in line with applicable law.

Additional Rights for EEA/UK Users (GDPR): If you are located in the European Economic Area or the UK, you have additional rights under GDPR/UK GDPR, including the right to object to some processing, restrict processing, and request portability of your data (in a commonly used machine-readable format). You may also lodge a complaint with your local Data Protection Authority. We encourage you to contact us first, and we will make every effort to resolve your concerns.

California Privacy Rights (CCPA): If you are a California resident, you have rights under the California Consumer Privacy Act, including the right to access and delete your personal data. Untyped does not sell your personal information as defined by CCPA.

10. Children’s Privacy

Not for users under 16 (or 13 where applicable). If collected inadvertently, we will delete promptly.

11. International Users

We comply with GDPR/UK GDPR and applicable laws. Where required, we implement transfer mechanisms (e.g., SCCs).

12. Changes

We may update this Policy. Material changes will be notified in-app or by email. See “Last Updated” date above.

13. Internal

All Untyped employees, contractors, and agents with potential access to Gmail user data are bound by confidentiality and data protection obligations consistent with this policy and Google API Services User Data Policy.

14. Additional GDPR Disclosures

Legal Bases for Processing

We process your personal data on the following grounds:

  • Contractual necessity: to provide the Service in line with our Terms of Use.
  • Legitimate interests: to improve and secure our Service, provided your rights and freedoms do not override these interests.
  • Legal obligations: to comply with applicable laws and regulatory requirements.
  • Consent: where required (e.g., connecting Gmail, sharing data with AI providers).

Methods of Data Collection

We collect personal data through:

  • Direct interactions: when you register, contact us, or use the Service.
  • Automated technologies: such as cookies and technical logs when you use our website.
  • Third-party sources: including analytics or identity verification providers.

International Transfers

Where data is transferred outside the EEA, we use safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission or rely on providers certified under the EU–US Data Privacy Framework.

Data Retention Factors

In setting retention periods, we consider: the nature and sensitivity of the data, the risk of harm from unauthorized use or disclosure, the purposes for which we process it, whether those purposes can be achieved by other means, and applicable legal requirements.

Identity Verification & Fees

When exercising your data rights, we may request specific information to verify your identity. This helps ensure personal data is not disclosed to anyone who has no right to access it. You will not have to pay a fee to exercise your rights unless your request is clearly unfounded, repetitive, or excessive.

Supervisory Authority

You have the right to lodge a complaint with your local Data Protection Authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl). We encourage you to contact us first so we can address your concerns.

15. Contact

Untyped BV

Kapitein Rondairestraat 8, 5015 BC Tilburg, Netherlands

Email: hi@getuntyped.ai
