Effective 2026-04-20 · short version
Privacy note
Mezaam is a mail companion. It reads your mailbox, distills what matters, and speaks it back to you. This page explains what we do with what we read.
Where your data lives
- On your device — message envelopes, full-text search index, attachment cache (up to 20 MB), relationship graph, and triage verdicts. All in an encrypted SQLite database managed by the app.
- On our servers — temporarily, while processing. The Mezaam gateway runs triage, digest composition, and (when enabled) LLM summarisation. We keep OAuth refresh tokens only for the duration of a request; we do not persist them.
- Never on anyone else's servers — the companion does not call third-party advertising or analytics services from your device. No Facebook SDK, no AppsFlyer, no Mixpanel.
Your OAuth tokens
Gmail and Outlook connections use the Authorization Code + PKCE flow. Your access_token and refresh_token live on your device. The matching client_secret lives on our server and is required by Google to refresh tokens — we act as a proxy for that one call, never a custodian.
What we share with the LLM
When the gateway sends a message to a language model for summarisation or reply drafting, we redact personally identifying details (phone numbers, account numbers, addresses, secondary email addresses) on-device first. The LLM sees a cleaned subject, sender display name, and a body truncated to 2,000 characters.
Export and delete
/v1/compliance/export returns everything Mezaam stores about you in a single JSON. /v1/compliance/delete wipes it. Both are first-class endpoints, not a settings dark-pattern.
Contact
Questions or a deletion request: hello@brainpad.me.