Your data stays yours
OpenReply is built with privacy and security at its core. We process your emails in real-time and never store them. Here's how we keep your data safe.
Zero Storage
Email content is processed in memory and immediately discarded. We never store your emails.
Encrypted Transit
All data is encrypted with TLS 1.3 in transit between your browser and our servers.
Minimal Data
We only collect what's essential: your email address and usage metrics. Nothing more.
Email Content Handling
When you use OpenReply to generate a reply, here's exactly what happens:
- Step 1: The extension reads the email thread from your Gmail tab (client-side only)
- Step 2: Thread content is sent to our API over an encrypted HTTPS connection
- Step 3: We forward the content to your chosen AI model via our OpenReply API
- Step 4: The AI generates a response, which we return to your browser
- Step 5: All email content is immediately discarded from memory
Key point: Your email content never touches a database. It exists only in memory during the few seconds needed to generate a reply, then it's gone. We have no way to retrieve, review, or share your email content because we simply don't keep it.
Data We Store
We believe in data minimization. Here's the complete list of data we store:
| Data Type | Purpose | Stored |
|---|---|---|
| Email address | Account identification & login | |
| Password hash | Secure authentication | |
| Credit balance | Billing & usage tracking | |
| Model preferences | Remember your AI model choice | |
| Email content | — | ✗ Never stored |
| AI responses | — | ✗ Never stored |
Infrastructure Security
- Hosting: Our API runs on Fly.io with automatic TLS certificates and DDoS protection
- Database: PostgreSQL with encrypted connections and automatic backups
- Authentication: JWT tokens with secure generation and expiration policies
- Passwords: Hashed using bcrypt with appropriate cost factors (never stored in plain text)
- Payments: Processed by Stripe—we never see or store your card details
Third-Party Services
We integrate with trusted third-party services. Here's how data flows:
| Service | What We Share | Their Role |
|---|---|---|
| OpenReply API | Email content (for AI processing) | Routes requests to AI models (OpenAI, Anthropic, Google, etc.) |
| Stripe | Email (for receipts) | Payment processing—handles all card data |
| Google OAuth | OAuth tokens | Optional sign-in method |
Note: When your email content is sent to AI providers via our OpenReply API, it's processed according to their privacy policies. We do not share your identity (name, email address) with AI providers—only the email thread content needed for generation.
Chrome Extension Permissions
OpenReply requests only the permissions necessary to function. Here's why we need each one:
| Permission | Why It's Needed |
|---|---|
| storage | Save your login state and preferences locally in your browser |
| activeTab | Access the current Gmail tab when you click the extension |
| scripting | Inject the AI button into Gmail's interface |
| identity | Enable Google Sign-In (optional) |
| Host: mail.google.com | Read email threads to provide context for AI replies |
We do not request broad permissions like "Read and change all your data on all websites." Our access is limited strictly to Gmail.
Your Rights
You have full control over your data:
- Access: Request a copy of all data we have about you
- Correction: Update your account information anytime
- Deletion: Delete your account and all associated data
- Portability: Export your data in a standard format
To exercise any of these rights, email us at privacy@openreply.ai.
Security Questions?
If you have security concerns or want to report a vulnerability, we want to hear from you.