neodrop.ai Privacy Policy
Thank you for using neodrop.ai (the "App", "we", or "us"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information. It pays particular attention to data accessed through Google API services — including Gmail API and YouTube Data API v3 (collectively, "Google APIs") — to Microsoft Graph endpoints (specifically the Outlook mail endpoints) when you choose to connect a Microsoft account, and to the third-party AI service providers we may use to power the App.
By using the App, you acknowledge that you have read, understood, and agreed to this Policy.
1. Information We Collect
1.1 Information you provide directly
- Account information: when you register or sign in, we collect your email address, display name, and avatar.
- Channel configuration: the topics, brand style, source list, and publishing cadence you set up for your channels.
- Content preferences: your feedback on produced content (likes, bookmarks, blocks, etc.).
1.2 Information obtained via third-party authorization
When you authorize neodrop.ai to access third-party platforms (such as Google, YouTube, Microsoft / Outlook, X, RSS feeds, etc.), we obtain data within the scope of your authorization. Each authorization is opt-in, scoped to a single connector, and can be revoked at any time.
-
Google account profile (Sign-In): when you sign in with Google we receive the standard
openid/email/profileclaims (your Google email, name, and avatar URL) to create and identify your neodrop.ai account. -
Gmail API — scope
https://www.googleapis.com/auth/gmail.modify:- What we access: messages and threads matching the search queries you (or, on your behalf, an agent you have configured) specify — including From, To, Subject, Date, body text (or HTML stripped to plain text), labels, and thread relationships. We also list label names so you can pick which labels feed into a channel.
- What we do with it: feed the matching emails into the content production pipeline of the channel you configured (for example, aggregating newsletters you subscribe to into a daily digest), and surface results back to you in the App.
- Why modify instead of readonly:
gmail.modifyis a superset of read that also allows future write actions (e.g. archive, label, or send on your behalf). The App today only reads; the modify scope is requested in advance so that, if and when we add write tools, you do not have to re-consent. We will never perform a write action without your explicit in-app instruction.
-
YouTube Data API v3 — scope
https://www.googleapis.com/auth/youtube.readonly:- What we access: your subscribed channel list, the recent video metadata of channels you select (title, description, publish time, thumbnail, statistics), and your public playlists.
- What we do with it: produce personalized content for you (e.g. summarize your subscriptions into a weekly recap channel). Public-data lookups (keyword search, transcript fetching, single-video stats) are served by our public-data partner and do not use your Google credentials or quota.
-
Microsoft Graph — Outlook mail — scope
Mail.Read+offline_access:- What we access: messages and threads in your Outlook mailbox matching the search queries you (or, on your behalf, an agent you have configured) specify — including From, To, Subject, Received time, body text (HTML stripped to plain text), conversation grouping (Outlook's thread concept), and the names of your mail folders (Inbox, Sent Items, custom folders) so you can pick which folders feed into a channel. We do not request
Mail.ReadWriteorMail.Send; the App today only reads. - What we do with it: feed the matching emails into the content production pipeline of the channel you configured (for example, aggregating newsletters or work briefings into a daily digest), and surface results back to you in the App. Content is not retained beyond the transient cache needed to produce that output.
- Account types supported: both personal Microsoft accounts (
outlook.com/hotmail.com/live.com) and Microsoft 365 work / school accounts.
- What we access: messages and threads in your Outlook mailbox matching the search queries you (or, on your behalf, an agent you have configured) specify — including From, To, Subject, Received time, body text (HTML stripped to plain text), conversation grouping (Outlook's thread concept), and the names of your mail folders (Inbox, Sent Items, custom folders) so you can pick which folders feed into a channel. We do not request
- OAuth tokens: your access token and refresh token (whether issued by Google or by Microsoft) are stored encrypted at rest, used only to call the corresponding API on your behalf, and deleted when you disconnect the connector or delete your account.
1.3 Information collected automatically
- Usage logs: anonymized data such as access time, pages visited, and operation type, used to improve product quality.
- Device information: browser type, operating system, IP address (for security and anti-abuse).
2. How We Use Information
- To run the AI content production pipeline you configured (fetch sources → generate content).
- To deliver content to your web / mobile client at the cadence you set.
- To maintain account security, prevent abuse, and handle technical incidents.
- For aggregated, de-identified statistical analysis and product improvement.
We do not use data obtained via Google APIs (Gmail, YouTube), via Microsoft Graph (Outlook), or via any other third-party authorization for any of the following:
- Advertising or targeted marketing of any kind.
- Selling, renting, or transferring it to data brokers or other parties for non-service purposes.
- Training, retraining, or fine-tuning generalized / foundational AI or machine-learning models — yours or any third party's. Your Gmail, YouTube, and Outlook data is used only to produce content for you personally and is never included in any model-training dataset.
- Credit, insurance, employment, or similar consequential decision-making.
3. Google API Services User Data Policy & Limited Use
Our use of information received from Google APIs (including the Gmail API and YouTube Data API v3) adheres to the Google API Services User Data Policy, including its Limited Use requirements.
3.1 Limited Use commitments
Specifically, neodrop.ai's use and transfer of information received from Google APIs is limited as follows:
- User-facing features only: we use Google user data solely to provide and improve user-facing features that are prominent in the App's user interface (channel production, content delivery, account management).
- Limited transfers: we transfer Google user data to others only as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets — and never without your explicit consent in any other case.
- No advertising: we do not use Google user data to serve advertisements, including any retargeted, personalized, or interest-based advertising.
- No human reading: we do not allow humans to read your Google user data, except: (a) with your explicit consent for specific messages or threads; (b) where necessary for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized so that it can no longer be associated with any individual user.
3.2 OAuth scopes we request
| Scope | Why we need it |
|---|---|
openid / email / profile |
Sign you in and identify your neodrop.ai account. |
https://www.googleapis.com/auth/gmail.modify |
Read messages, threads, and labels that match the queries you configure for your channels; reserved for future write actions you may explicitly invoke (e.g. archive, label, send) — never used to write without your in-app instruction. |
https://www.googleapis.com/auth/youtube.readonly |
List the channels you subscribe to and read the recent video metadata of channels you select as channel sources. |
3.3 Revocation
You may revoke neodrop.ai's authorization at any time:
- From inside the App: Settings → Connectors → Disconnect.
- From your Google account: Google Account permissions page.
- From your Microsoft account: Microsoft account — Apps and services you've granted access to (personal accounts) or myapps.microsoft.com (work / school accounts).
After revocation, the related access token and refresh token are deleted from our systems within 7 days, along with any cached content from the relevant connector.
3.4 Microsoft Graph — equivalent commitments
"Limited Use" is a term defined by Google for data obtained via Google APIs. Microsoft Graph data (the Outlook connector) is governed by the Microsoft APIs Terms of Use, not by Google's policy. Even so, we apply the same substantive protections to data we receive through the Outlook connector:
- User-facing features only: Outlook mail data is used solely to produce and deliver content within the channels you configure in the App.
- Limited transfers: we transfer Outlook data only as necessary to provide those user-facing features (including transient transfers to AI inference providers for the purpose described in §4.1), to comply with applicable law, or as part of a corporate transaction with equivalent obligations.
- No advertising: we do not use Outlook data to serve any form of advertising.
- No human reading: we do not allow humans to read your Outlook content, except (a) with your explicit consent for specific messages or threads; (b) where necessary for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized so that it can no longer be associated with any individual user.
- No model training: Outlook content is never included in any dataset used to train or fine-tune generalized / foundational AI models, ours or any third party's (this commitment is also stated in the callout above and applies uniformly across all third-party connectors).
The OAuth scope we request from Microsoft is Mail.Read + offline_access. We do not request write or send permissions.
4. Information Sharing
We do not sell your personal information. We may share information only in the following cases:
- Service providers: third parties providing infrastructure (cloud hosting, database, object storage, email delivery, analytics) for the App, bound by confidentiality and data-processing agreements.
- Third-party AI service providers (see §4.1).
- Legal requirements: in response to lawful requests from courts, regulators, or government authorities.
- Business changes: in the event of merger, acquisition, or asset transfer, where the recipient must assume equivalent protection obligations.
4.1 Third-party AI service providers
To power the App's AI features we may transmit content you input or content fetched on your behalf (including Gmail, YouTube, or Outlook content) to the following third-party AI providers, strictly for the purpose of generating the output you requested in the App:
- OpenAI, Anthropic, Google AI — large language model inference.
- FAL.ai — image and video generation.
- MiniMax — voice and music generation.
We have confirmed that these providers offer protections for user data equivalent to those described in this Policy and that, under their API terms, they do not retain Google or Microsoft user data passed via their inference APIs to train their models. Data transmitted to them is the minimum needed to produce your requested output and is not used by neodrop.ai or by these providers to train any generalized AI/ML model.
You can review or withdraw your consent to AI processing at any time at Settings → Privacy → AI data sharing. After withdrawal, AI-driven channel features are paused until you opt back in.
5. Data Storage and Protection
- Data is stored in our or our cloud partners' data centers, with TLS in transit and encryption at rest.
- OAuth refresh tokens are stored with additional application-layer encryption.
- Access follows the principle of least privilege; only authorized personnel may access user data, and only for the limited reasons listed in §3.1.
- We audit security regularly and will notify affected users of any data breach as required by law.
6. Data Retention and Deletion
- Account information is retained for the lifetime of your account; after deletion, we delete or anonymize your personal data within 30 days, except where retention is required by law.
- After you revoke a third-party authorization, the corresponding tokens and cached content are deleted within 7 days.
- Generated content is deleted along with your account upon account closure.
7. Your Rights
You have the right to:
- Access, correct, and delete your personal information.
- Revoke any third-party authorization or delete your account.
- Export a copy of your data.
- Object to processing or file a complaint with a supervisory authority.
To exercise these rights, contact [email protected].
8. Children's Privacy
The App is not intended for children under 13. If we discover that we have inadvertently collected information from a child, we will delete it promptly.
9. Cross-Border Data Transfers
We may process data outside your country or region. Transfers will follow protective measures required by applicable law (such as standard contractual clauses where applicable).
10. Policy Updates
We may update this Policy from time to time. Material changes — particularly any change affecting how we handle Google or Microsoft user data — will be notified via in-app notice or email at least 14 days before they take effect. Continued use of the App after that constitutes acceptance of the updated version.
11. Contact Us
- Privacy inquiries: [email protected]
- General inquiries: [email protected]
Operator: Neodrop AI