Privacy Policy
Last updated: April 7, 2026
Kohlrabi ("we", "our", "us") provides an AI-powered email assistant for service businesses. This policy explains what data we access, how we use it, and how we protect it.
1. Data We Access
When you connect your Google account, we request access to:
- Gmail (modify) — to read inbound emails, create draft replies, send approved responses, and apply labels.
- Google Calendar (events) — to check your availability and create bookings on your behalf.
We access only the data necessary to operate the email agent. We do not access contacts, Drive, or any other Google services.
2. Data We Store
We store the minimum metadata needed to operate:
- OAuth tokens — encrypted with AES-256-GCM before storage. Used to access Gmail and Calendar on your behalf.
- Email metadata — thread IDs, sender addresses, classified intent, confidence scores, and actions taken. We do not store email content or message bodies.
- Client records — names, email addresses, and interaction counts derived from processed emails.
- Booking records — service type, time, and calendar event IDs for bookings created by the agent.
- Account information — your name, email address, and business configuration.
3. Data We Do Not Store
- Email message bodies or content
- Attachments
- Contact lists
- Calendar events not created by Kohlrabi
- Plaintext passwords (Google access uses OAuth, so we never see your Google password; Kohlrabi account passwords are stored only as irreversible bcrypt hashes)
4. How We Use Your Data
Your data is used solely to:
- Classify inbound email intent (booking, cancellation, inquiry, etc.)
- Generate draft or auto-sent replies on your behalf
- Check calendar availability and create bookings
- Display activity summaries in your dashboard
We do not use your data for advertising, sell it to third parties, or use it to train AI models.
5. Third-Party Services
We use the following third-party services to operate:
- Google APIs — Gmail and Calendar access via OAuth 2.0.
- Google Gemini — email classification and response generation. Email content is sent to the Gemini API for processing; under Google's API terms it is not retained by Google for model training.
- Fly.io — application hosting.
- Supabase — database hosting (PostgreSQL).
6. Data Security
- All OAuth tokens are encrypted at rest using AES-256-GCM.
- All connections use HTTPS/TLS.
- Database access is restricted to the application with connection pooling and network-level controls.
- We follow the principle of least privilege for all API scopes and data access.
7. Data Retention and Deletion
You can delete your account at any time from your dashboard settings. Account deletion removes all stored data including OAuth tokens, client records, conversation metadata, and bookings. This action is immediate and irreversible.
You can also revoke Kohlrabi's access to your Google account at any time via Google Account Permissions.
8. Your Rights
You have the right to:
- Access the data we store about you (visible in your dashboard)
- Delete your account and all associated data
- Revoke Google API access at any time
- Export your data by request
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the email address on your account. Continued use of Kohlrabi after changes constitutes acceptance.
10. Contact
For privacy questions or data requests, contact us at privacy@kohlrabi.app.