Privacy Policy

Pendingly (“we”, “our”, “us”) operates the email follow-up and relationship-management service known as Pendingly. This Privacy Policy explains what we collect, how we use it, and the choices you have. Questions? support@pendingly.com.

Account information

When you sign in with Google, we receive your name, email address, and profile picture to identify your account.

Email data

With read-only access to the inbox(es) you connect, we process:

• Metadata: sender, recipient, subject, timestamp, and thread identifiers;
• Message text: passed to an AI model for classification, drafting, and summaries.

We store excerpts and short snippets needed to render your queue and summaries — not full archived message bodies.

Derived relationship data

From the timing and pattern of messages already in your accounts, we compute per-contact signals such as typical reply time, “cooling” status, and VIP scores. These are generated for your use within your account.

Integration & notification data

If you enable connectors, we store what is needed to operate them: calendar events/tasks we create at your request, a saved phone number (for WhatsApp digests), and webhook URLs you provide (for Slack/Teams digests). Push-notification subscriptions are stored to deliver reminders.

Usage data

Standard server logs (IP address, browser type, timestamps) for security and performance. We do not use third-party advertising or analytics trackers.

Payment information

Payments are handled by our payment processor. We do not store card details — only your subscription status and plan.

AI API keys

If you provide a Bring-Your-Own-Key API key, it is encrypted at rest, never returned to the browser, and never logged in plain text.

• Core service: classifying your inbox, building your action queue, summaries, and relationship insights;
• Notifications: email, push, and the digest channels you configure;
• Sending you authorise: replies, approved follow-up sequences, and scheduled sends;
• Billing: managing your subscription;
• Security: detecting and preventing fraud, abuse, and unauthorised access;
• Product improvement: aggregate, anonymised metrics (e.g. scan completion rates) — never individual email content.

We do not sell, rent, or trade your personal data or email content, and we do not use your email content to train our own models.

Classification, drafting, and summaries use large language models. By default we use a Pendingly-managed provider. If you supply your own key, requests go directly to your chosen provider (Gemini, Anthropic, or OpenAI) under their privacy terms. Under our current provider agreements, content sent for processing is not used to train their models.

We share information only as needed to run the Service:

• Infrastructure: hosting and database providers that process data on our behalf under confidentiality terms;
• Email & calendar providers: Google and Microsoft, for the accounts you connect;
• AI providers: for classification/drafting (see Section 4);
• Notification channels: a messaging provider for WhatsApp, and the Slack/Teams webhooks you configure;
• Payment processor: for subscription billing;
• Legal: where required by law or to protect users;
• Business transfers: under the same protections, in a merger or acquisition.

Pendingly’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Gmail data only to provide and improve user-facing features within Pendingly, do not transfer it except as necessary to provide those features or as required by law, do not use it for advertising, and do not allow humans to read it except with your consent, for security, or where required by law.

• Action items, derived insights, and thread metadata are retained while your account is active.
• Deleting your account permanently purges your stored data within 30 days.
• Disconnecting an inbox immediately revokes the access token; cached data for that inbox is deleted within 7 days.
• Server logs are retained for up to 90 days for security.

Security is built in from the database to the browser:

• OAuth tokens, mailbox passwords, and AI keys are encrypted at rest with AES-256-GCM; encryption keys stay on the server.
• All traffic is served over TLS, with HSTS, a strict Content-Security-Policy, and locked-down response headers.
• Every database query is scoped to your account, enforcing strict tenant isolation.
• No secrets or source maps are shipped to the browser; no third-party trackers run on the app.
• Sessions expire after 7 days, and you can revoke access or delete your data at any time.

No system is perfectly secure — please use a strong password and two-factor authentication on your Google/Microsoft account.

Depending on your location (including under GDPR and India’s DPDP Act), you may:

• Access a copy of the data we hold about you;
• Correct inaccurate information;
• Delete your account and all data via Settings → Account → Danger Zone, or by email;
• Export your action items in a machine-readable format;
• Object to processing based on legitimate interests;
• Revoke email access by disconnecting any inbox at any time.

To exercise a right, email support@pendingly.com. We respond within 30 days.

We use a single session cookie to keep you signed in. No advertising cookies or third-party tracking pixels. Blocking cookies will prevent you from staying logged in.

The Service is not directed at children under 16, and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it promptly.

Our infrastructure may process data outside your country. Where you are in the EU, UK, India, or another region with transfer restrictions, by using the Service you consent to such transfers under appropriate safeguards.

We may update this Policy from time to time. Material changes will be communicated by email or a notice on the Service at least 14 days in advance. Continued use after changes take effect constitutes acceptance.

For privacy questions or data requests: support@pendingly.com. For team/enterprise data-processing agreements: sales@pendingly.com.