Privacy Policy
Effective Date: April 30, 2026 (V2.0 baseline); June 11, 2026 (V2.1 Google § 2A); June 11, 2026 (V2.2 Microsoft + retention + backup + DPA); June 11, 2026 (V2.3 notification scope Option B per CS6)
Last Updated: June 11, 2026
1. Who We Are
Confi Technologies, Inc. ("Confi," "we," "us," or "our") is a Delaware corporation. Confi Technologies, Inc. is a consumer-first commerce platform. Confi's V1 product helps users prevent avoidable loss in their post-purchase activity by analyzing order-related emails to track orders, return windows, refund eligibility, and subscription renewals.
Confi operates the Confi service ("Service"), which includes the Confi mobile application ("App") and supporting backend systems.
This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your data.
Contact:
Confi Technologies, Inc.
Principal Office: 513 W Shoreview Drive, San Ramon, CA 94582, United States
Delaware Registered Agent: Harvard Business Services, Inc., 16192 Coastal Highway, Lewes, DE 19958, United States
Privacy Inquiries: [email protected]
For data subject requests (GDPR, CCPA, and equivalent), see Sections 8 and 9.
2. Supported Email Providers
Confi connects to the following email providers in Version 1:
- Gmail — via the Google Gmail API (gmail.readonly scope)
- Personal Outlook.com — via the Microsoft Graph API (Mail.Read scope)
Organizational or work Microsoft 365 accounts are not supported in Version 1. Only personal Outlook.com accounts are supported.
Additionally, organizational or workplace Google Workspace accounts are not supported in Version 1. Only personal Gmail accounts (@gmail.com) are supported. Confi does not access Google Workspace administrative APIs and does not process data subject to Workspace administrator controls.
Additional email providers, if added in future versions, will be declared in an updated version of this Privacy Policy before any such version is released. This is a permanent commitment of the Confi service: no email provider is added silently.
The OAuth scopes above are read-only. Confi does not send, draft, modify, delete, archive, mark as read, or move any email in your account.
2A. Google API Services User Data Policy — Limited Use Compliance
Confi's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, when Confi accesses your Gmail data via the gmail.readonly scope:
- Permitted use only. We use Gmail data solely to provide and improve the user-facing features of the Confi service described in this Privacy Policy (Sections 3.2, 3.3, 3.4) — namely, parsing order-related emails to track orders, return windows, refund eligibility, and subscription renewals.
- No transfer to third parties for unrelated purposes. We do not transfer Gmail data to any third party except: (a) as necessary to provide the user-facing features described above, including to our sub-processors as listed in Section 6 of this Privacy Policy (including Google Cloud Vertex AI for Gmail parsing and Anthropic API for Outlook parsing); (b) to comply with applicable law or valid legal process; (c) as part of a merger, acquisition, or sale of assets, in which case we will provide notice and obtain consent where required; or (d) for security purposes, such as investigating abuse.
- No advertising use. We do not use Gmail data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising. Confi does not operate any advertising surface.
- No human reading of your data, except in narrowly defined cases. We do not allow humans to read your Gmail data unless: (a) you have given affirmative consent for specific messages; (b) it is necessary for security purposes, such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data has been aggregated and anonymized, and is used solely for internal operations such as quality auditing, security investigation, or compliance review. Such use is not routine and is bounded by internal controls.
In addition, Confi does not sell, license, or commercialize your Gmail data to retailers, advertisers, or any other third party. This is a permanent non-negotiable commitment of the Confi service.
If you have questions about Confi's Limited Use compliance, contact [email protected].
2A.b. Microsoft Graph API — Data Use Compliance
Confi's use of information received from the Microsoft Graph API is governed by Microsoft's API Terms of Use and the Microsoft Identity Platform consent and data-handling principles, and is disclosed below in line with our transparency obligations under GDPR and equivalent regimes.
Specifically, when Confi accesses your personal Outlook.com data via the Mail.Read scope:
- Permitted use only. We use Outlook.com mail data solely to provide and improve the user-facing features of the Confi service described in this Privacy Policy (Sections 3.2, 3.3, 3.4) — namely, parsing order-related emails to track orders, return windows, refund eligibility, and subscription renewals.
- No transfer to third parties for unrelated purposes. We do not transfer Outlook.com data to any third party except: (a) as necessary to provide the user-facing features described above, including to our sub-processors as listed in Section 6 of this Privacy Policy (specifically Anthropic API for Outlook parsing); (b) to comply with applicable law or valid legal process; (c) as part of a merger, acquisition, or sale of assets, in which case we will provide notice and obtain consent where required; or (d) for security purposes, such as investigating abuse.
- No advertising use. We do not use Outlook.com data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising. Confi does not operate any advertising surface.
- No human reading of your data, except in narrowly defined cases. We do not allow humans to read your Outlook.com data unless: (a) you have given affirmative consent for specific messages; (b) it is necessary for security purposes, such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data has been aggregated and anonymized, and is used solely for internal operations such as quality auditing, security investigation, or compliance review. Such use is not routine and is bounded by internal controls.
- No access to organizational data. Confi accepts personal Outlook.com accounts only. We do not configure or accept the Mail.Read scope under organizational Microsoft 365 tenants. Confi does not invoke administrator consent flows.
In addition, Confi does not sell, license, or commercialize your Outlook.com mail data to retailers, advertisers, or any other third party. This is a permanent non-negotiable commitment of the Confi service.
If you have questions about Confi's Microsoft Graph data handling, contact [email protected].
2C. Restricted Scope Justification
The OAuth scopes Confi requests are classified as Restricted by Google and as delegated permissions requiring user consent by Microsoft:
- Google gmail.readonly — Restricted Scope per Google API Services User Data Policy. Confi requests this scope because order-related email content is the only data source for parsing retailer orders, return windows, refund eligibility, and subscription renewals (the user-facing features described in Sections 3.2, 3.3, 3.4 of this Privacy Policy).
- Microsoft Graph Mail.Read — Delegated permission requiring user consent. Confi requests this permission for the same purpose described above, for users connecting personal Outlook.com accounts.
Confi requests these scopes because no narrower scope is sufficient to deliver the loss-prevention service Confi provides. Specifically:
- Narrower Gmail scopes (e.g., gmail.metadata, gmail.labels) do not include email body content. Order-related details — order ID, return windows, refund amounts, subscription renewal dates — are in the email body, not headers or labels.
- Confi does not write to the user's mailbox; we do not request gmail.modify, gmail.send, gmail.compose, Mail.ReadWrite, Mail.Send, or any administrative scope.
- Confi does not access calendars, contacts, files, or any other Google or Microsoft data.
Confi is proceeding through the verification requirements applicable to these scopes (Google's CASA Tier 2 audit framework for the Restricted Gmail scope; Microsoft's standard delegated-permission consent surface for the Mail.Read scope). For questions about verification status, contact [email protected].
3. What Data We Collect and Why
3.1 Account Data
When you create an account, we collect:
- Email address (from your OAuth provider)
- Display name (if provided by your OAuth provider)
Purpose: To create and maintain your account and associate your orders with your profile.
3.2 Email Data — Parsing Pipeline
When you connect your email account, our backend server queries your email provider's API using filters that target order-related emails only. We never perform a full mailbox fetch.
For each relevant email, the following process occurs server-side:
- The email is fetched from the provider API
- HTML is stripped and noise is removed (deterministic processing, no AI)
- Structured data is extracted: retailer name, order ID, amounts, dates, tracking numbers, return windows, subscription renewal dates, and order state
- The raw email body is discarded. It is never stored.
What we store: Structured extracted data only — retailer, order ID, amounts, dates, tracking numbers, return windows, subscription renewal information, and order state.
What we do not store: Raw email body, email headers, email attachments, non-order emails.
Lawful basis (GDPR): Contractual necessity — processing your emails is necessary to deliver the service you signed up for (Article 6(1)(b) GDPR). You authorize this access through OAuth consent at your email provider.
3.3 Email Data — Viewer Flow
When you tap "View Emails" for a specific order in the App:
- A fresh API call is made to your email provider
- The email body is fetched and rendered in the App in memory
- The content is session-scoped — it is not stored, cached, or retained by Confi
This is an ephemeral, on-demand fetch. No email body content is retained from this flow on Confi systems.
3.4 Subscription Monitoring
Confi monitors subscription renewal emails as part of its order tracking. This includes detecting upcoming renewal dates, price changes, and subscription status changes. Subscription monitoring is performed using the same parsing pipeline described in Section 3.2 and is subject to the same data handling rules. The raw subscription email body is not stored; only the structured renewal information is retained.
Retention boundary — subscription state vs email-derived events. Subscription state (active vs cancelled vs paused, current price tier, renewal date) is retained while the subscription is active in Confi's view of your account. Email-derived events (the individual renewal emails Confi parsed to derive that state) are not retained as separate records — only the structured state is persisted. If you cancel a subscription in the underlying service, Confi's state may continue to reflect the prior status until either (a) a cancellation confirmation email is parsed, or (b) you mark the subscription as cancelled in the App, or (c) the renewal date passes without confirmation, whichever comes first.
3.5 Device and Usage Data
We collect limited analytics and diagnostic data:
- Analytics (PostHog, EU region): Event names and non-personally-identifiable properties only. No order content, no email metadata, and no personally identifiable information ("PII") is included in any analytics event.
- Crash reporting (Sentry): Screen names in breadcrumbs, crash stack traces, and device information. Order IDs, email addresses, and order content are scrubbed before transmission via a beforeSend hook.
- Push notifications (Firebase Cloud Messaging): Notification payloads contain no order content. Notifications are limited to post-purchase support — specifically: return-window expiration, refund-eligibility, subscription renewal approaching, journey staleness (delivery delays, exceeded carrier window), watchlist confirmation prompts (where you previously set a watch state), and refund-overdue alerts. Notifications are NOT used for marketing, deal alerts, price drops on items you do not track, restock alerts on items you do not watch, engagement nudges, streaks, badges, or feed-pattern signals. The notification triggers the App to open; the App then fetches relevant context from our backend independently.
3.6 Customer Support Data
If you contact us through in-app support (Crisp), we collect the content of your support conversations and any information you voluntarily provide during those interactions.
4. How Email Data Is Processed — AI/LLM Disclosure
When our deterministic parsing (Layers 1–3 of our pipeline) cannot extract structured data with sufficient confidence, a limited excerpt of the email (600–800 characters, structured content only — not the full email body) is sent to a large language model ("LLM") for extraction.
The LLM endpoint depends on the email source:
| Email Source | LLM Provider | Why |
|---|---|---|
| Gmail | Google Cloud Vertex AI (Gemini) | Data stays within Google infrastructure. Google's Cloud Data Processing Addendum (CDPA), Section 17, prohibits training on customer data. Zero Data Retention is configured. |
| Personal Outlook.com | Anthropic API | Processing under signed Data Processing Agreement ("DPA"). Anthropic is prohibited from training on customer data under the DPA terms. |
Key protections:
- Only a short excerpt (not the full email) is sent to the LLM
- The raw email body is never sent to any LLM provider
- Vertex AI is configured with Zero Data Retention (no caching, no logging, and no Grounding with Google Search)
- Neither LLM provider trains on your data
- The LLM returns only structured fields (retailer, order ID, amounts, dates, tracking numbers, return windows) — no email content is returned or stored by the LLM
4A. Backup Retention and Deletion Propagation
Confi maintains backups of its production databases for disaster recovery and operational integrity.
Backup retention period. Backups are retained for 30 days from the time they are created. Backups older than 30 days are deleted automatically.
Deletion propagation. When you delete data using the in-app data deletion flow or delete your account:
- Data is deleted from Confi's production databases immediately
- Data is purged from Confi's backups within 30 days, as the backups containing the deleted data age out of the retention window
- Account-level deletion follows the same propagation timeline
Confi does not maintain backups beyond the 30-day window. Confi does not preserve copies of deleted data for any purpose except as required by applicable law or to investigate abuse (see Section 4 paragraph on LLM processing for related security carve-outs).
This 30-day backup TTL is a permanent commitment of the Confi service. Any material change to backup retention will require a Privacy Policy update before such change is released.
5. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Structured order data | Until you delete it or delete your account | User-initiated in-app deletion or account deletion |
| Raw email body (parsing) | Not retained — discarded immediately after extraction | Automatic — never stored |
| Email body (viewer flow) | Not retained — session-scoped, in memory only | Automatic — cleared when the session ends |
| Account data | Until account deletion | User-initiated account deletion |
| Backups | 30 days | Automatic per Section 4A |
| Analytics events | Per PostHog retention policy (EU region) | Automatic per PostHog policy |
| Crash reports | Per Sentry retention policy | Automatic per Sentry policy |
| Support conversations | Per Crisp retention policy | Request via [email protected] |
6. Data Sharing and Sub-Processors
Confi does not sell, rent, or share your personal information with third parties for their own purposes.
We use the following sub-processors to operate the Service:
| Sub-Processor | Purpose | Data Processed | DPA in Place |
|---|---|---|---|
| PostHog (EU region) | Analytics | Event names and non-PII properties only | Yes |
| Sentry | Crash reporting | Crash data with PII scrubbed | Yes |
| Crisp | Customer support | Support conversation content | Yes |
| Firebase Cloud Messaging (FCM) | Push notifications | Device tokens; no order content in payloads | Google first-party service — no third-party DPA required |
| Google Cloud Vertex AI (Gemini) | Gmail email parsing (Layer 4 of parsing pipeline) | Short email excerpts (600–800 characters) from Gmail only | Yes (Google CDPA) |
| Anthropic API | Outlook email parsing (Layer 4 of parsing pipeline) | Short email excerpts (600–800 characters) from Outlook only | Yes |
Sub-processor data processing terms. Each sub-processor listed above operates under data processing terms that bind that sub-processor to GDPR Article 28 obligations or equivalent:
- PostHog — Data Processing Agreement signed 2026-06-11 (self-serve)
- Sentry — Data Processing Agreement v5.1.0 signed 2026-06-11 (self-serve; supported by ISO 27001 certification + SOC 2 Type 2 + DPF certification)
- Crisp — GDPR Data Processing Agreement signed 2026-06-11 (self-serve)
- Firebase Cloud Messaging — governed by Google's Cloud Data Processing Addendum (auto-incorporated per Google Cloud Terms; see below)
- Google Cloud Vertex AI — governed by Google's Cloud Data Processing Addendum (CDPA), auto-incorporated into Google Cloud Terms of Service at billing account acceptance; covers Vertex AI services. The CDPA text is available at https://cloud.google.com/terms/data-processing-addendum. Confi confirms acceptance of these terms via its Google Cloud billing account in good standing.
- Anthropic API — governed by Anthropic's Data Processing Addendum, auto-incorporated into Anthropic's Commercial Terms of Service at API account acceptance. The DPA text is available at https://www.anthropic.com/legal/data-processing-addendum. Confi confirms acceptance of these terms via its Anthropic API account in good standing.
Confi has reviewed each sub-processor's published security and compliance posture and confirms each sub-processor meets the security requirements appropriate to the data each processes.
We will update this sub-processor list before releasing any version of the App that adds or removes a sub-processor.
7. International Data Transfer
Confi's backend infrastructure is hosted in the United States. If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, your data is transferred to and processed in the United States.
We rely on Standard Contractual Clauses ("SCCs") as approved by the European Commission for international data transfers. These SCCs are executed with each sub-processor that processes personal data of EU users.
8. Your Rights Under GDPR
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:
- Right to Know / Access: Request a copy of your personal data. Submit a request via in-app support (Crisp) or by emailing [email protected].
- Right to Delete / Erasure: Delete all your data using the in-app data deletion flow. This is a functional, self-service feature — not a support request.
- Right to Correct / Rectification: Request correction of inaccurate data via in-app support (Crisp) or by emailing [email protected].
- Right to Data Portability: Request an export of your data via in-app support (Crisp) or by emailing [email protected].
- Right to Object: You may object to processing by disconnecting your email account or by deleting your account.
- Right to Withdraw Consent: You may revoke OAuth access to your email at any time through your email provider's settings (Google Account → Security → Third-party apps, or Microsoft Account → Apps and services).
We will respond to all data rights requests within 30 days.
9. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act ("CCPA"):
- Right to Know: Request what personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information. Use the in-app data deletion flow for immediate self-service deletion.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: Confi does not sell or share your personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, use the in-app data deletion flow (for deletion) or contact us at [email protected].
Do Not Sell or Share My Personal Information: Confi does not sell or share your personal information as defined under the CCPA. We do not sell your data to third parties. We do not share your data with third parties for cross-context behavioral advertising.
10. Token Revocation
You may revoke Confi's access to your email at any time:
- Gmail: Go to your Google Account → Security → Third-party apps with account access → Remove Confi
- Outlook: Go to your Microsoft Account → Privacy → Apps and services → Remove Confi
When your OAuth token is revoked (either by you or by your email provider):
- Our backend detects the revocation and immediately stops making API calls to your email provider
- Your structured order data remains in your account until you choose to delete it
- No new emails will be fetched or processed
- You may reconnect at any time by re-authorizing through OAuth
If you want your stored data deleted after revoking access, use the in-app data deletion flow or contact [email protected].
11. Data Deletion
Confi provides a functional, in-app data deletion flow. This is not a policy statement or a support email — it is a working feature in the App.
When you request deletion:
- All structured order data associated with your account is permanently deleted
- Your account information is permanently deleted
- Analytics and crash data are handled per the retention policies of PostHog and Sentry respectively
- Support conversations are handled per Crisp's retention policy
Deletion is irreversible. We recommend revoking OAuth access before deleting your account if you do not wish to reconnect.
12. Children's Privacy
Confi is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete the data.
Users must confirm they are 13 or older during onboarding before accessing the App.
13. Security
We implement industry-standard security measures to protect your data, including:
- All data transmitted between the App, our backend, and third-party services is encrypted in transit (TLS)
- Structured data at rest is encrypted
- OAuth tokens are stored securely on our backend and are never exposed to the client
- Access to production systems is restricted
14. Changes to This Privacy Policy
We will update this Privacy Policy if our data practices change. Material changes will be communicated through the App. The "Last Updated" date at the top of this policy reflects the most recent revision.
We will update the sub-processor list in Section 6 before any version of the App is released that adds or removes a sub-processor.
15. Contact Us
For any questions, concerns, or data rights requests:
Confi Technologies, Inc.
Privacy Inquiries: [email protected]
Principal Office (mailing): 513 W Shoreview Drive, San Ramon, CA 94582, United States
Delaware Registered Agent: Harvard Business Services, Inc., 16192 Coastal Highway, Lewes, DE 19958, United States