Privacy Policy
Last updated: March 4, 2026
Birdo ("we," "us," "our") operates the Birdo Chrome extension and related services at birdo.io. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By using Birdo, you agree to this Privacy Policy. If you do not agree, please uninstall the extension and stop using the Service.
1. What Data We Access
When you use Birdo inside Gmail, we access the following data:
- Email content (temporarily): The body text of the email you are currently viewing. This is sent to our AI provider solely to generate reply suggestions and a drafted reply. It is processed in real time and immediately discarded. We do not store, log, or retain email content.
- Google account information: Your name, email address, and Google user ID, obtained through Google OAuth when you sign in. This is used to create and authenticate your Birdo account.
2. What Data We Store
- Account information: Your email address, display name, and Google user ID, stored in our database for authentication and account management.
- Usage counts: A daily count of how many AI replies you generate, used solely for rate limiting. No email content is included in this count.
- Subscription status: Your billing tier (free or pro) and Stripe customer ID, if you upgrade to a paid plan.
- Authentication tokens: Hashed refresh tokens stored securely in our database. We never store tokens in plaintext.
3. What We Do NOT Store
- We do not store, log, cache, or retain the content of your emails on our servers.
- We do not read emails in the background. We only process the specific email you are viewing when you interact with Birdo.
- We do not store your Google password or Google OAuth tokens on our servers.
- We do not store your credit card or payment information. All payment processing is handled by Stripe.
4. How We Use Your Data
We use the data we collect for the following purposes only:
- To provide the Service: generating AI reply suggestions when you interact with Birdo.
- To authenticate you and manage your account.
- To enforce usage limits based on your subscription tier.
- To process payments if you upgrade to a paid plan.
We do not use your data for advertising, profiling, or selling to third parties. We do not use your email content to train AI models.
5. Third-Party Services
Birdo uses the following third-party services to operate:
- Groq (AI Provider): Email content is sent to Groq's API to generate reply suggestions. Groq processes this data in real time and does not retain it for training. See Groq's Privacy Policy.
- Google OAuth: Used for user authentication. We only request the minimum scopes needed (email and profile). See Google's Privacy Policy.
- Stripe: Used for payment processing if you upgrade to Pro. We do not handle or store your credit card information. See Stripe's Privacy Policy.
6. Data Security
We take reasonable measures to protect your data:
- All communication between the extension, our servers, and third-party services is encrypted using HTTPS/TLS.
- Authentication tokens are hashed before storage using SHA-256.
- JWTs are signed with strong secrets using the HS256 algorithm.
- Our API enforces rate limiting, CORS restrictions, and input validation.
- We follow the principle of least privilege in our extension permissions.
7. Data Retention
- Email content: Not retained. Processed in real time and discarded immediately.
- Account data: Retained for the duration of your account. Deleted upon account deletion request.
- Usage data: Daily counts are retained for billing and rate-limiting purposes.
- Refresh tokens: Expire after 30 days and are periodically purged.
8. Your Rights
You have the following rights regarding your data:
- Access: You can request a copy of the data we hold about you.
- Deletion: You can request deletion of your account and all associated data by emailing us.
- Disable: You can disable Birdo at any time from the extension popup, which stops all email processing immediately.
- Uninstall: You can uninstall the extension at any time, which revokes all access.
To exercise any of these rights, contact us at privacy@birdo.io.
9. Children's Privacy
Birdo is not intended for use by children under the age of 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. By using Birdo, you consent to such transfers. We ensure all transfers comply with applicable data protection laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the extension or by email. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact
For privacy questions, data requests, or concerns:
Email: privacy@birdo.io