How we handle your email data (and why we don't store it)
Email contains some of the most sensitive data you produce. Here is exactly what xNord reads, processes, stores, and never touches.
We are building an AI product that reads people's email. That is an unusual level of trust for users to extend to a product they have just signed up for. We think we have an obligation to be completely transparent about what we do with that access.
This is not the privacy policy (that is at xnord.co.uk/privacy). This is a plain-English explanation of our data practices, written the way we would explain it to a friend asking "wait, does this thing read all my email?"
What we access
When you connect your Gmail account, xNord requests three OAuth scopes:
- gmail.readonly — to read your emails
- gmail.send — to send draft replies you have approved
- gmail.modify — to archive emails and apply labels
We do not request access to your Google Drive, Calendar, Contacts, or any other Google service. We cannot access those things even if we wanted to.
What we read
When an agent run executes, xNord fetches emails from your inbox via the Gmail API. For each email we retrieve: sender name, sender email address, subject line, the full email body text, and the thread history.
We read the full body because triage and draft generation require understanding the content of the email, not just the subject line.
What we store
Here is where we differ from most email products: we do not store your email body text.
The email body is sent to our AI model for processing. The model returns a structured response: urgency classification, a summary, a suggested action, and a draft reply. We store that response — the output of the analysis — not the input.
What we store per email in our database:
- Sender name and email address
- Subject line
- A preview snippet (first ~200 characters)
- The AI-generated summary
- Urgency score and reason
- Draft reply text
- Email metadata: timestamp, Gmail ID, thread ID
What we do not store:
- Full email body text
- Email attachments
- Your Google password (we never see this)
- Any other Google account data
The AI processing step
The email body is sent to our AI model to generate the triage output. No xNord employee reads your emails. The processing is automated end-to-end.
Our AI model processes data under a data processing agreement that prohibits using your content for any purpose other than returning the analysis result to xNord. Your emails are not used to train AI models.
Data retention
Email metadata and AI analysis are retained for 90 days from processing. After 90 days they are permanently deleted. Your run log is retained for 90 days on the Solo plan and indefinitely on Founder and Team plans unless you delete it manually.
When you delete your xNord account, all your data is permanently deleted within 30 days.
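To make the "What we store" list and the 90-day retention rule concrete, here is an added sketch of an allowlist projection that keeps the analysis output and drops the input. It is an illustration written for this explanation, not xNord's own code; the field names, function names and sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed field names; the allowlist mirrors the "What we store" list.
STORED_FIELDS = frozenset({
    "sender_name", "sender_email", "subject", "snippet", "summary",
    "urgency_score", "urgency_reason", "draft_reply",
    "timestamp", "gmail_id", "thread_id",
})
SNIPPET_CHARS = 200             # preview snippet length from the list above
RETENTION = timedelta(days=90)  # retention for metadata and AI analysis


def build_record(message, analysis, processed_at):
    """Keep only allowlisted fields from the fetched message and model output."""
    body = message["body"]
    merged = {**message, **analysis, "snippet": body[:SNIPPET_CHARS]}
    record = {k: v for k, v in merged.items() if k in STORED_FIELDS}
    # Guard: fail closed if the full body would reach the database in any field.
    if len(body) > SNIPPET_CHARS and any(
            isinstance(v, str) and body in v for v in record.values()):
        raise ValueError("full email body present in record")
    record["expires_at"] = processed_at + RETENTION
    return record


def purge_expired(records, now):
    """Return only the records still inside the retention window."""
    return [r for r in records if r["expires_at"] > now]


# Constructed sample input: one fetched message and one model response.
SAMPLE_MESSAGE = {
    "sender_name": "Dana Example", "sender_email": "dana@example.com",
    "subject": "Invoice query", "body": "Hello, " + "details " * 60,
    "thread_history": ["earlier message text"], "attachments": ["invoice.pdf"],
    "timestamp": "2024-01-10T09:00:00Z", "gmail_id": "msg-0001",
    "thread_id": "thr-0001",
}
SAMPLE_ANALYSIS = {
    "summary": "Sender asks about an invoice.", "urgency_score": 2,
    "urgency_reason": "No deadline stated.", "draft_reply": "Thanks, checking.",
}

if __name__ == "__main__":
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    rec = build_record(SAMPLE_MESSAGE, SAMPLE_ANALYSIS, t0)
    print(sorted(rec))
    print(len(purge_expired([rec], t0 + timedelta(days=91))))
```

The guard catches the case where a model response echoes the whole email back, for example inside the draft reply, which an allowlist on field names alone would not.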
The short version
xNord reads your email to process it. The processing output is stored. The email body is not stored. No human reads your email. You can revoke access at any time.
If you have questions about our data practices that this post does not answer, email us at legal@xnord.co.uk. We will respond.