Gerendo

Privacy Policy

Last updated: May 2026

1. Who we are

Gerendo is operated by Ermina, based in Romania, European Union. For any privacy-related questions, contact us at privacy@gerendo.com.

2. What we collect

We access the data you explicitly connect to Gerendo through OAuth (today: Gmail, Google Drive, and Asana). To answer your queries, we synchronise message and file content from those sources into your isolated workspace database.

Sensitive content - email subjects and senders, file and document content, task names and descriptions, AI-generated summaries, OAuth tokens, and chat history - is encrypted at rest before it is written to the database. A small set of fields needed to look up and join records (source labels, provider message IDs, timestamps, internal IDs) remains as queryable plaintext metadata. Section 6 has the full breakdown.

We also collect basic account information (name, email address) when you sign up, and standard usage logs for security and performance purposes.

3. Legal basis for processing

We process your data under the following legal bases as defined by the GDPR:

  • Contract performance - to provide the Gerendo service you signed up for.
  • Legitimate interest - to maintain security, prevent abuse, and improve the product.
  • Consent - for any optional data uses, such as product updates or feedback requests. You may withdraw consent at any time.

4. How we use it

Your data is used solely to power your team's queries inside Gerendo. We never sell, share, or expose your data to third parties for marketing or advertising purposes.

5. AI processing

We never train AI models on your data. Gerendo uses two AI services to power search and chat:

  • Voyage AI generates the vector embeddings that make semantic search work. Text from your synced Gmail, Drive, and Asana content is sent to Voyage over TLS to produce embeddings; Voyage does not retain inputs or train on them per their commercial terms.
  • Anthropic (Claude) answers your questions. When you ask Gerendo something, relevant snippets are decrypted in our application and sent over TLS to Anthropic for inference. Anthropic does not train models on inputs sent through its API. Per Anthropic's standard commercial terms, prompts may be retained for up to 30 days for abuse monitoring and are then deleted.

Bring-your-own-key support and additional model providers (OpenAI, Gemini, Mistral) are on the roadmap and are not yet available. When they ship, this section will be updated and existing customers will be notified.

6. Encryption & security

What is encrypted with a key only Gerendo holds

  • Email subjects, senders, thread IDs, and indexed body keywords (after sync from Gmail)
  • Google Drive file names and indexed document content (after sync)
  • Asana task names, project names, assignees, descriptions, due dates, and links (after sync)
  • AI-generated summaries derived from your data
  • Extracted facts (e.g., "Acme decided to launch May 25")
  • Decision findings and AI-drafted updates surfaced by Gerendo
  • Workspace names and chat history (conversation titles and messages)
  • OAuth tokens for your connected tools

These columns are encrypted with AES-256-GCM. The master key lives in our application's environment (Vercel), separate from the database. A Supabase staff member, a leaked database snapshot, or a compromised service-role token sees only ciphertext. We hold the key.

What is stored as queryable plaintext metadata

  • Source labels (e.g., "gmail", "drive", "asana") and item type or status (e.g., "inbox", "task", "open")
  • Provider message and file IDs (Gmail message IDs, Drive file IDs, Asana task IDs) so we can fetch fresh content on demand
  • Drive file MIME type and modified timestamp
  • Internal IDs, foreign keys (workspace ID, user ID), and audit timestamps

These fields are needed to look up and join records before any decryption happens. They do not include message bodies, file contents, subjects, names, or any other free-form user content. We will revisit this split as our customer base and threat model evolve.

How chat queries actually work

When you ask Gerendo a question, relevant snippets are decrypted in our application server (Vercel) and sent over TLS to our LLM provider (Anthropic Claude) for inference. Anthropic processes the prompt and returns an answer. Per Anthropic's standard commercial terms, prompts may be retained for up to 30 days for abuse monitoring. Anthropic does not train models on your data.

Three-layer summary

Layer: what is covered; protection

  • At rest in Supabase: body content, summaries, facts, OAuth tokens; AES-256-GCM, key held by Gerendo
  • In transit: all API traffic; TLS 1.3
  • During Claude inference: decrypted snippets sent to Anthropic; TLS 1.3, retained per Anthropic ToS up to 30 days

What we deliberately do not claim

  • We do not claim "zero-knowledge": we hold the encryption key.
  • We do not claim "end-to-end encryption": that term means only the sender and recipient hold keys, which does not apply to a RAG product.
  • We do not claim "even our engineers cannot read your messages" without context. During a chat query, the data is decrypted briefly in process memory. We claim operator-level isolation (the database operator cannot read it), not absolute isolation.

Each workspace's data is also isolated at the database level via Postgres Row Level Security, so tenants cannot read each other's rows. RLS enforces tenant isolation. Encryption enforces operator isolation.

7. Google API Services & Limited Use

Gerendo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use the Google data we receive only to provide and improve user-facing features that are visible inside Gerendo.
  • We do not transfer the data to third parties except where necessary to provide those features (for example, AI inference at request time, and the infrastructure providers listed in Section 8), to comply with applicable law, or as part of a merger or acquisition where the data continues to be protected by this policy.
  • We do not use the data for advertising, including personalised, retargeted, or interest-based advertising.
  • We do not allow humans to read the data unless you have given specific affirmative consent, it is necessary for security (for example, investigating abuse), it is required by law, or the data has been aggregated and de-identified for usage analytics.

Scopes Gerendo currently requests

  • https://www.googleapis.com/auth/gmail.readonly - read your Gmail messages so Gerendo can answer questions across your mail. Read-only: we never send, modify, label, or delete messages.
  • https://www.googleapis.com/auth/drive.readonly - read your Google Drive files so Gerendo can answer questions across your documents. Read-only: we never modify, share, or delete files.
  • openid, userinfo.email, userinfo.profile - sign you in and identify your account so workspace membership and permissions are consistent.

Revoking access

You can revoke Gerendo's access to your Google account at any time at myaccount.google.com/permissions, or from the Settings page inside Gerendo. Revoking access stops further synchronisation. To also delete data already indexed, use "Delete data" in Settings or email privacy@gerendo.com.

8. Third-party processors

To deliver the service, we work with the following trusted sub-processors:

  • Supabase - managed Postgres database (EU region) and authentication infrastructure.
  • Vercel - application hosting and deployment for the product app.
  • Cloudflare - DNS, security, content delivery, and web analytics (anonymised, no cookies).
  • Anthropic - AI inference for chat and decision detection (Claude). Inputs not used for training; see Section 5.
  • Voyage AI - vector embeddings for semantic search. Inputs not used for training; see Section 5.
  • Resend - transactional email delivery (sign-in links, notifications).
  • Google APIs - reading your connected Gmail and Drive content under the scopes you authorise. Use is governed by the Google API Services User Data Policy; see Section 7.
  • Asana API - reading your connected Asana workspace under the scopes you authorise.

All processors are required to handle your data in compliance with GDPR.

9. Data retention

We retain your metadata for as long as your account is active. If you delete your workspace, all associated data is permanently removed within 30 days. Anonymised usage logs may be retained for up to 12 months for security purposes.

10. Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Access - request a copy of the data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - request permanent deletion of your data.
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interest.
  • Restriction - ask us to limit how we use your data.
  • Withdraw consent - at any time, for processing based on consent.

You can exercise most of these rights directly from your workspace settings. For anything else, email us at privacy@gerendo.com and we will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

11. Contact

Questions or requests? Reach us at privacy@gerendo.com. We aim to respond to all privacy enquiries within 5 business days.