Last updated: May 26, 2026 · Effective: May 26, 2026
RAI Inbox ("the App", Google Play package com.aermob.raiemail) is developed and operated by Aerendir Mobile Inc. ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the App.
1. Scope of This Policy
This Privacy Policy applies exclusively to the RAI Inbox Android application (package com.aermob.raiemail). For Aerendir Mobile Inc.'s corporate privacy policy covering our other products and services, see our Global Privacy Policy.
2. Information We Collect
Account information. When you sign in with Google, we receive your email address, name, and profile picture from Google's authentication service. For IMAP/Exchange accounts, server credentials are stored locally on your device only.
Email content and metadata. The App accesses the contents and metadata of messages in your Gmail mailbox (and any IMAP/Exchange accounts you connect) via the Gmail API under the OAuth scopes you grant during sign-in. This includes message bodies, attachments, sender and recipient addresses, subject lines, labels, thread structure, and timestamps. Email content is stored locally on your device and is transmitted off-device only when you invoke an AI feature (see Section 6).
Voice data. When you use voice commands or the "Hey RAI" wake word, audio is processed in real time and is not stored after processing.
Device-level context. Device model, OS version, locale, timezone, network type, battery level, and motion state, used only on-device to enable context-aware AI features.
Usage telemetry. On our relay server, we maintain per-user counters of AI request count, token consumption, and timestamps for billing, quota enforcement, and abuse prevention. We do not log or store the contents of messages or prompts.
We do not collect: your contact list (beyond what you authorize for smart recipient suggestions), your location (GPS or coarse), browsing history, SMS messages, call logs, or data from apps other than your email accounts.
3. Google API Services User Data — Limited Use Disclosure
RAI Inbox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
No advertising. We do not use Gmail data for serving advertisements, including personalized, retargeted, or interest-based advertisements. RAI Inbox contains no advertising.
No third-party transfers except as permitted. We do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features that are prominent in the App's user interface, or as required for security purposes (such as investigating abuse), or to comply with applicable law.
No human reading of Gmail data. We do not allow humans to read Gmail data, except (a) with your affirmative agreement for specific messages, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.
No sale of Gmail data. We do not sell Gmail data under any circumstances.
4. Gmail OAuth Scope Requested and Why
RAI Inbox requests a single Gmail OAuth scope: https://www.googleapis.com/auth/gmail.modify. On the Google consent screen this scope is presented to users as "Read, compose, and send emails from your Gmail account." RAI Inbox exercises only the capabilities described below, and only for the user-facing functionality described.
Read messages — display the inbox
What the App does: Reads messages, threads, labels, and metadata from your Gmail mailbox to display them in the App's inbox UI, organize them into threads, render attachments, and feed them into on-device AI features (triage, summarization, semantic search, draft generation).
Mutate labels — mark as read / unread, archive
What the App does: When you open an unread email in the App, the App can remove the UNREAD label on Gmail's server so the message is also marked read in the Gmail web client and on other devices. This auto-sync behavior is controlled by the "Sync read state to Gmail" setting in the App's Email settings (default on, mirroring Gmail's own auto-mark-as-read behavior). An explicit Mark as Read menu item is also available in the email detail view, alongside Mark as Unread and archive/unarchive actions (which add or remove the INBOX label).
Send messages — outgoing mail
What the App does: Sends emails the user composes, including AI-assisted replies that the user reviews and approves before sending. The final outgoing message is always shown to the user and must be explicitly approved before transmission.
Why gmail.modify rather than narrower scopes
RAI Inbox is a full-featured Gmail client. We have chosen gmail.modify as the minimum-privilege scope that enables all three operations above; lesser scopes are individually insufficient:
gmail.readonly cannot modify labels and therefore cannot mark messages as read on Gmail's server — opening an email in RAI Inbox would not be reflected in the Gmail web client or on other devices, which is inconsistent with how users expect a Gmail client to behave.
gmail.metadata cannot read message bodies or subjects, which are required to display email content in the inbox and to power AI features.
gmail.send only covers outbound mail; it cannot read inbound messages or mutate labels.
What we do NOT exercise under gmail.modify
Although gmail.modify permits permanent deletion and trash operations, RAI Inbox does not exercise those capabilities. The App never permanently deletes messages from your Gmail account. Removing a message from view in RAI Inbox archives it (removes the INBOX label) but leaves the message intact on Gmail's server.
5. How We Use Your Information
To provide and maintain email management features (read, send, mark as read / unread, archive, organize, search)
To power AI-assisted email composition, summarization, and conversational chat about messages
To process voice commands and wake word detection
To sync emails across your connected accounts
To provide smart contact suggestions when composing
To improve the App through anonymous, aggregated analytics
6. Third-Party Data Processing
OpenAI (AI Features)
When you invoke an AI feature (AI-assisted reply, summarization, conversational chat about an email or thread), the relevant email content is sent from the App, through Aerendir's relay server, to OpenAI for inference.
Relay role. Aerendir's relay server acts only as an authenticated proxy. It forwards the request to OpenAI and returns the response. The relay does not log or store the contents of email messages, prompts, or AI responses.
OpenAI processing. Email content sent for inference is subject to OpenAI's API data usage terms, available at openai.com/policies/api-data-usage-policies. Under OpenAI's API terms, OpenAI does not use API inputs or outputs to train its models by default.
What the relay does store. Only per-user usage counters (request count, token count, timestamps, account identifier) for billing, quota enforcement, and abuse prevention. Never message bodies, prompts, or responses.
User control. AI features are opt-in. You can disable them in the App's Settings, in which case no email content is transmitted off-device for AI processing. Non-AI email functionality continues to work entirely on-device.
Stripe: Subscription payment processing, governed by Stripe's Privacy Policy. Stripe does not receive any of your email content.
7. On-Device Processing
All Gmail messages, attachments, and metadata synced to the App are stored locally on your device in a private, app-sandboxed SQLite database not accessible to other applications.
Vector embeddings used for on-device semantic search are computed locally on the device and stored encrypted at rest using AES-256-GCM with keys held in the Android Keystore.
Aerendir does not store your Gmail messages, attachments, or metadata on its servers. Your inbox data does not transit Aerendir's infrastructure except as a transient payload to OpenAI when you invoke an AI feature (see Section 6).
8. Data Storage and Security
We protect your data on the device and in transit using the following technical controls:
Device storage. Android File-Based Encryption (FBE), AES-256-XTS, hardware-backed via the device's Keystore and Trusted Execution Environment, applied to all app-private storage including the local SQLite database.
Credentials and OAuth tokens. Stored in Android EncryptedSharedPreferences using AES-256-SIV for keys and AES-256-GCM for values, with the master key managed by the Android Keystore.
Vector embeddings. Encrypted with AES-256-GCM; key managed by the Android Keystore.
User-initiated backups. Encrypted with AES-256-GCM, using a key derived from a user-supplied password via PBKDF2-HMAC-SHA256 (100,000 iterations, 256-bit key, 256-bit salt).
Network transport. All traffic between the App, the Aerendir relay, the Gmail API, and OpenAI is transmitted over TLS 1.2 or higher.
Independent security assessment. RAI Inbox is undergoing an independent CASA Tier 2 security assessment, conducted by TAC Security (Assessment ID: RAIInboxv123CASATie). Static security scanning and the self-assessment questionnaire (SAQ) have completed with clean results; the full assessment is in progress.
Although we take appropriate measures to safeguard against unauthorized disclosure of information, no system of electronic storage or transmission can be guaranteed to be 100% secure.
9. Permissions
The App requests the following Android permissions:
Internet: To sync emails and connect to AI services
Microphone: For voice commands and wake word detection
Contacts: For smart recipient suggestions when composing emails
Accounts: For Google Sign-In and multi-account management
Foreground Service: For background email sync
10. Data Retention and Deletion
On-device data. Gmail data stored locally on your device persists until you sign out, clear the App's storage, or uninstall the App. Signing out triggers a wipe of the local Gmail database and cached credentials.
Relay-side usage counters. Aerendir retains per-user usage counters for up to twelve (12) months for billing and quota enforcement, after which they are deleted. No message content is retained at any time.
Revoking access. Revoke RAI Inbox's access to your Gmail account at any time at myaccount.google.com/permissions. Revocation immediately prevents the App from making further Gmail API calls on your behalf.
Deletion requests. Email info@aermob.com with subject line "RAI Inbox Data Deletion Request". Verified requests are actioned within 30 days.
11. Your Rights
Remove your account and all local data from the App at any time
Delete your account and all associated server-side data using the Delete Account button in the App's settings
Disable AI features in Settings to prevent any email content from being transmitted off-device
12. Children's Privacy
The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Material changes will be communicated via an in-App notice prior to taking effect. Continued use of the App after changes constitutes acceptance of the revised policy.