Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• Account – the Vern account you create to access the Services.

• AI Models – machine-learning models used by Vern to provide and power AI features.

• Content – any text, files, messages, emails, documents, calendar data, or other information you submit to, generate through, or authorize Vern to process.

• Personal Data – information that identifies or can reasonably be linked to an individual.

• Services – Vern’s websites, applications, extensions, integrations, APIs, and related products.

• Third-Party Services – services not operated by Vern that you connect to the Services (e.g., Google, Microsoft).

• You / User – an individual using the Services, personally or on behalf of an organization.

1. What This Privacy Policy Covers

This policy applies when you:

• Create or use a Vern account

• Use Vern’s web, desktop, or mobile apps

• Connect email or calendar providers

• Use extensions, APIs, or integrations

• Interact with Vern-powered experiences via third parties

If you use Vern on behalf of an organization, that organization may control certain settings and data rights, subject to law.

2. Information We Collect

   
   

Information You Provide

When you interact with Vern, you may voluntarily provide:

• Account Data: name, email address, username, profile details

• Content: emails, drafts, documents, tasks, calendar entries you process with Vern

• Support Communications: information you share with support

• Billing Information: processed by third-party payment processors (Vern does not store full card numbers)

Information Collected Automatically

We automatically collect certain information, including::

• Device & Technical Data: IP address, browser type, operating system, device identifiers

• Usage Data: feature interactions, performance metrics, error logs, timestamps

• Approximate Location Data: inferred from IP address

• Cookies & Similar Technologies: used for authentication, security, analytics, and preferences

Information from Connected Services (Google & Microsoft)

When you connect third-party services, Vern accesses only the scopes you explicitly authorize via OAuth consent screens and only to provide the features you enable.

1) Data Accessed Through Google Services (Gmail, Google Sign-In)

With your consent, Vern may access:

• Profile & Identity: name, email address, profile photo

• Email Data (Gmail): message content and attachments (if enabled), metadata (sender, recipients, subject, timestamps), labels, threads, message IDs

• OAuth Tokens: to maintain secure access

We request the minimum Google API scopes necessary for the functionality you choose and comply with Google’s Limited Use requirements.

2) Data Accessed Through Microsoft Outlook (Microsoft Graph API)

With your explicit consent, Vern may access:

• Mail Data: email content and attachments (if enabled), metadata (sender/recipient, subject, timestamps), folders, message IDs

• Account Identity: Microsoft account identifier and basic profile info

• OAuth Tokens: for secure authentication

Access is governed by Microsoft Graph permissions (e.g., Mail.Read, Mail.ReadWrite) granted by you or your administrator. We request least-privilege scopes only.

3) Non-Service Personal Data

• Usage & Diagnostics: logs and metrics to improve reliability and performance

• Support Requests & Feedback

3. How We Use Your Information

We use data solely to provide Vern’s services and only with your consent:

• Inbox Monitoring & Prioritization: score importance using sender history, relevance, broadcast vs. direct, and your past behavior

• Contextual AI: reference your knowledge base (prior replies, notes you authorize) to decide next actions

• Draft Replies: generate drafts for your review (no auto-send without explicit action)

• Labeling, Filing, Archiving: organize low-priority messages

• Summaries: provide digests of lower-priority messages

• Security & Threat Detection: detect phishing, scams, malware, and BEC attempts; alert on critical messages

Authentication & Account Management

• Secure sign-in and account linking with Google/Microsoft

Product & Service Improvement

• Aggregated and anonymized metrics to improve reliability and features

• Improve product quality — debugging, performance analysis, feature development

• Ensure security & integrity — fraud prevention, abuse detection

• Communicate with you — account notices, updates, support

• Process payments and subscriptions

• Comply with legal obligations

• Link Click Safety & Phishing Detection: We may monitor and analyze link clicks within emails to help detect malicious URLs, phishing attempts, and account compromise patterns, and to protect users—especially for family plans and vulnerable users. This link click data is used strictly for security and safety purposes. It is not used for advertising, profiling, or marketing, and is not sold to third parties.

We do not use mailbox data for advertising, ad targeting, resale, or unrelated analytics.

4. AI, Machine Learning & Training

AI Inference

Your Content is processed by AI models to provide real-time features such as summaries, prioritization, and drafting.

AI Training

Your Content is not used to train global AI models unless you explicitly opt in.

Human Review

We do not allow humans to review your private Content except:

• With your explicit permission, or

• When required for security, abuse prevention, or legal compliance.

5. What We Do Not Do

To be explicit:

• We do not sell your Personal Data

• We do not use your Content for advertising

• We do not scan emails to target ads

• We do not allow third parties to use your data for their own purposes

• We do not retain Content longer than necessary

6. Legal Bases for Processing (GDPR)

Where applicable, we rely on:

• Contractual necessity (providing the Services)

• Legitimate interests (security, reliability, improvement)

• Consent (marketing, AI training, optional features)

• Legal obligations

7. How We Share Information

We may share information with:

• A. Service Providers & Partners (Including AI Sub-Processors)

  We may share limited data with trusted third-party service providers that support Vern’s functionality, such as cloud hosting, monitoring, analytics, security infrastructure, and AI inference providers used to power features like spam/phishing detection, summarization, prioritization, and draft generation.

  This may include third-party AI inference providers (e.g., Groq) that process email content on our behalf solely to provide real-time AI features. These providers are contractually restricted from using customer data for any purpose other than providing services to Vern.

  We maintain Data Processing Agreements (DPAs) with our subprocessors. Our AI inference providers contractually agree not to train their models on customer data submitted via API and not to retain such data beyond what is necessary to provide the service.

  We review and update our list of subprocessors periodically and require them to meet strict security and confidentiality obligations.

• B. Legal & Safety

  When required by law or to protect users, rights, or safety.

• C. Third-Party Integrations You Enable

  Only to provide the specific functionality you turn on.

• D. Corporate Transactions

  If Vern undergoes a merger, acquisition, or asset sale, subject to this policy.

• E. Google & Microsoft API Requirements

• F. Payment Processors

• G. Affiliates within the Vern corporate group

• H. Third-Party Integrations you enable

• I. Authorities when legally required

• J. Successors in a merger, acquisition, or asset sale

We comply with Google and Microsoft policies and do not use mailbox data for advertising, resale, or unrelated analytics.

8. Data Storage & Retention

We use industry-standard safeguards:

• Encryption in transit (TLS) and at rest

• Role-based access controls and audit logs

• Least-privilege permissions for APIs

• Continuous monitoring and incident response

• Regular security reviews

No system is 100% secure, but we design for defense-in-depth.

You may delete your Content or close your account at any time.

9. Data Rentention & Deletion

We retain data only as long as necessary to:

• Provide the Services

• Comply with law

• Resolve disputes and enforce agreements

User-Initiated Deletion

You may delete Content or close your account at any time:

• In-app (where available), or

• Email privacy@vern.email

Upon verified request:

• Active data is deleted within a reasonable timeframe (e.g., 30 days)

• Backups are purged on a rolling schedule unless legally required

Revoking Google/Microsoft Access

If you revoke OAuth access:

• Vern immediately stops accessing your data

• Stored provider data is deleted unless required for legal or billing purposes.

Legal Bases for Processing (GDPR)

Where applicable, we rely on:

• Contract (to provide Services)

• Legitimate interests (security, reliability)

• Consent (optional features, AI training opt-in)

• Legal obligations

10. Your Privacy Rights

Depending on your jurisdiction, you may have rights to:

• Access, correct, or delete your Personal Data;

• Object to or restrict certain processing activities;

• Control AI training preferences;

• Opt out of marketing communications;

• Manage cookies and tracking technologies.

  
  

You can exercise these rights through your account settings or by contacting privacy@vern.email.

11. U.S. State Privacy Rights

Residents of certain U.S. states (e.g., California) may have additional rights under applicable laws, including the right to opt out of certain data uses.

12. International Data Transfers

We may process data outside your country of residence. Where required, we rely on appropriate safeguards such as standard contractual clauses.

13. Children’s Privacy

Vern is not intended for children under 13 (or the minimum age required by law). We do not knowingly collect data from children.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated through the Services or via email.

15. Contact Us

If you have any questions about this Privacy Policy, You can contact us:

• privacy@vern.email