Security
Last updated: May 2026
Security is a first-class concern at Get Pro Tools. This page explains the technical and organisational measures we take to protect your data and your Gmail access.
Gmail access
Least-privilege scope
Get Pro Tools requests only the https://www.googleapis.com/auth/gmail.modify scope. This covers reading emails, creating drafts, sending approved replies, and soft-deleting (trashing) messages when requested.
We do not request https://mail.google.com/, which would grant IMAP-level access including permanent deletion. Get Pro Tools never permanently deletes Gmail messages.
Separated login and Gmail flows
Signing into Get Pro Tools uses identity scopes only (openid, email, profile). Gmail access is a separate, explicit step where you choose to connect your inbox. The two flows are technically isolated.
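The two points above (one narrow Gmail scope, and a sign-in flow kept separate from the inbox-connection flow) come down to two pieces of application logic: building a different authorization request for each flow, and checking the scopes Google actually granted before any token is stored. The following Node.js code is an added illustration written for this page, not Get Pro Tools' own code. It assumes Google's standard authorization endpoint and that the token response carries a space-separated `scope` field; the flow names, the `FORBIDDEN_SCOPES` set and the alias table are constructed for the example.

```javascript
// Added example, not the product's code: two isolated OAuth flows and a
// granted-scope check that refuses anything broader than what each flow needs.
const FLOWS = {
  // Sign-in: identity scopes only, no refresh token wanted.
  login: { scopes: ['openid', 'email', 'profile'], offline: false },
  // Inbox connection: the single Gmail scope, plus a refresh token for background work.
  gmail: { scopes: ['https://www.googleapis.com/auth/gmail.modify'], offline: true },
};

// Must never appear in a grant, whatever the flow (full mailbox access, permanent deletion).
const FORBIDDEN_SCOPES = new Set(['https://mail.google.com/']);

// Google reports the short identity scopes under their long URIs in the token response;
// normalise them so the comparison below is exact. (Alias table constructed for this example.)
const SCOPE_ALIASES = {
  'https://www.googleapis.com/auth/userinfo.email': 'email',
  'https://www.googleapis.com/auth/userinfo.profile': 'profile',
};

function buildAuthUrl(flow, { clientId, redirectUri, state }) {
  const cfg = FLOWS[flow];
  if (!cfg) throw new Error(`unknown flow: ${flow}`);
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: cfg.scopes.join(' '),
    state, // CSRF binding for the callback; generate per request
  });
  if (cfg.offline) {
    params.set('access_type', 'offline'); // required to receive a refresh token
    params.set('prompt', 'consent');
  }
  return `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
}

// Called with the `scope` field of the token response before the tokens are persisted.
// Returns { ok, reason }; a false `ok` means the tokens must be discarded, not stored.
function validateGrantedScopes(scopeField, flow) {
  const cfg = FLOWS[flow];
  if (!cfg) return { ok: false, reason: `unknown flow: ${flow}` };
  const granted = new Set(
    scopeField.split(/\s+/).filter(Boolean).map((s) => SCOPE_ALIASES[s] || s)
  );
  const expected = new Set(cfg.scopes);
  for (const s of granted) {
    if (FORBIDDEN_SCOPES.has(s)) return { ok: false, reason: `forbidden scope granted: ${s}` };
    if (!expected.has(s)) return { ok: false, reason: `scope outside the ${flow} flow: ${s}` };
  }
  for (const s of expected) {
    if (!granted.has(s)) return { ok: false, reason: `required scope missing: ${s}` };
  }
  return { ok: true, reason: '' };
}

module.exports = { FLOWS, FORBIDDEN_SCOPES, buildAuthUrl, validateGrantedScopes };
```

The check is deliberately two-sided: a grant that is wider than the flow asked for is rejected just as a grant that is missing the needed scope is, so a consent screen that bundled in earlier grants cannot quietly widen what the stored token can do.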
Token encryption at rest
Gmail OAuth tokens (access token and refresh token) are encrypted using AES-256-GCM before being stored in our database. Each token is encrypted with a unique initialisation vector. The encryption key is stored separately from the token data and is never written to logs or committed to source code.
User approval required for sending
No email is sent without your explicit approval. The AI generates a draft; you review it inside the dashboard and choose to send or discard it. This is enforced at the API level — the send endpoint requires a confirmed user action.
Infrastructure
HTTPS everywhere
All traffic between your browser, our application, and external APIs is encrypted using HTTPS/TLS. HTTP is redirected to HTTPS automatically.
EU data storage
Our primary database runs on Supabase in the Frankfurt (eu-central-1) region. Our application is deployed on Vercel. All personally identifiable data is stored in the European Union.
Multi-tenant isolation
Each user account is isolated. Row-level security policies in the database ensure that users can only access their own data. Server-side API routes verify session identity on every request.
Data handling
OpenAI
Email content is sent to OpenAI transiently to generate draft replies. OpenAI processes this data under their API terms, which prohibit using API data to train models. Email content is not stored by OpenAI beyond the duration of the API call.
No permanent Gmail deletion
The Gmail API is never used to permanently delete messages. Any “delete” action moves messages to Gmail’s Trash only. Permanent deletion from Trash follows Gmail’s own 30-day retention policy and is outside our control.
No data sales or advertising
We do not sell user data. We do not use Gmail data for advertising. We do not share Gmail data with third parties except as described in our Subprocessors page.
Reporting a vulnerability
If you discover a security vulnerability in Get Pro Tools, please report it responsibly by emailing info@getpro.tools with the subject line “Security Disclosure”. We will acknowledge your report within 48 hours and aim to resolve confirmed issues promptly.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Disconnecting Gmail
You can revoke Gmail access at any time from Account settings inside the dashboard. This immediately deletes your OAuth tokens from our database and stops all Gmail API access. You can also revoke access directly at myaccount.google.com/permissions.