Google API Limited Use Compliance

Last updated: July 17, 2026

BusinessMailer's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Affirmative statement

BusinessMailer does not use Google Workspace APIs or Google user data to develop, improve, or train generalized or foundational artificial intelligence or machine learning models. The use of raw or derived user data received from Google Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

What Google user data we access

When you optionally connect a Gmail account through OAuth, BusinessMailer requests only the following scopes:

  • https://www.googleapis.com/auth/gmail.send — send email on your behalf from your own Gmail address.
  • openid, email, profile — read your email address and name so we can display which account is connected.

We never request permission to read, list, modify, or delete messages in your mailbox. We do not access contacts, drive files, calendar, photos, or any other Google Workspace surface.

How we use Google user data

Google user data received through the Gmail API is used solely to deliver a message that you, the signed-in user, explicitly composed and submitted inside BusinessMailer. Specifically:

  • We use the gmail.send scope to transmit a single outbound email you authored.
  • We use your email address and display name only to label the connected account inside your dashboard.
  • We do not read your inbox, sent folder, drafts, labels, or any other Gmail data.

Limited Use — what we do NOT do

  • We do not use Google user data to develop, improve, or train generalized or foundational AI/ML models.
  • We do not transfer Google user data to third-party AI/ML providers for model training or improvement.
  • We do not sell Google user data.
  • We do not use Google user data for advertising, profiling, or any purpose unrelated to sending the email you initiated.
  • We do not allow humans to read Google user data except (a) with your explicit consent, (b) as necessary for security investigations or to comply with applicable law, or (c) in aggregated and anonymized form for internal operations.

AI features and Google data

BusinessMailer offers optional AI-assisted features (subject/message refinement and a deliverability optimizer) powered by the Lovable AI Gateway. These features operate only on content you type into the BusinessMailer composer. They never receive, process, or train on data returned by Google APIs. When you send a composed message through a connected Gmail account, only the finished message is passed to the Gmail API — no Google-sourced data is ever fed back into any AI model.

Storage, encryption, and retention

The Google OAuth refresh token issued to BusinessMailer is encrypted at rest with AES-GCM using a server-only key and is decrypted server-side only at the moment we send a message you initiated. You can disconnect your Google account at any time from the Connected Email Accounts page, which permanently deletes the stored token. You can also revoke access directly at myaccount.google.com/permissions.

Contact

Questions about our Limited Use compliance or Google data handling: inbox@businessmailer.org.