# Privacy Policy — OP Links Agent **Effective date:** April 25, 2026 **Last updated:** April 25, 2026 This Privacy Policy describes how the **OP Links Agent** application ("the App") handles data accessed through Google APIs. The App is a private, single-user automation tool operated by Darren Herman and used only to assist with editorial work for The Operating Partner newsletter at [opletter.com](https://www.opletter.com). ## 1. Who operates the App The App is operated by: **Darren Herman** Email: **[email protected]** ## 2. What Google data the App accesses The App requests the following Google OAuth scopes, and only these: ### `https://www.googleapis.com/auth/gmail.send` This scope grants permission to **send** email on behalf of the authorized user. The App uses this scope exclusively to send curated news briefings to the authorized user's own Gmail inbox. The App does **not**: - Read any email - List, search, or download messages - Modify or delete any email - Forward email to third parties - Send email to anyone other than the authorized user ### `https://www.googleapis.com/auth/drive.file` This scope grants permission to access **only files that the App itself creates** — it cannot see, modify, or download any other files in the user's Google Drive. The App uses this scope exclusively to create new Google Docs containing the weekly editorial digest, which is shared back to the authorized user. The App does **not**: - Access any pre-existing Drive files - Read, list, modify, or delete files outside the ones it created - Share files with anyone other than the authorized user ## 3. How the App uses Google data Data accessed via the above scopes is used solely to: 1. Deliver curated article briefings to the authorized user's inbox 2. Produce a weekly editorial digest as a Google Doc shared back to the authorized user The data is **not** used for advertising, profiling, training machine learning models, market research, or any purpose beyond delivering the briefing to the authorized user. ## 4. How the App stores Google data - **OAuth tokens** (refresh and access tokens) are stored on a Fly.io persistent volume in an encrypted region (Newark, NJ, USA), used only to authenticate the App's API requests on behalf of the authorized user. - **No Gmail content is stored**, ever — the App only sends, it does not read. - **No Drive content is stored** beyond the files the App itself creates, which are owned by the authorized user. ## 5. Sharing of Google data The App does **not** share any Google data with any third party. Data flows are limited to: (a) Google's own APIs (Gmail, Drive), (b) the authorized user's email inbox, and (c) the authorized user's Google Drive. No other recipient receives Google user data. ## 6. Limited Use compliance The App's use of information received from Google APIs adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically: - The App uses Google user data only to provide or improve user-facing features that are prominent in the App's user experience. - The App does not transfer Google user data to third parties except as necessary to provide or improve the user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users. - The App does not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising. - The App does not allow humans to read Google user data unless the authorized user has given explicit consent to read specific messages, the App requires it for security purposes, the data has been aggregated and anonymized, or it is necessary for compliance with applicable law. ## 7. Data retention and deletion OAuth tokens are retained only as long as needed to operate the App. The authorized user can revoke the App's access at any time via [Google Account Permissions](https://myaccount.google.com/permissions), which immediately invalidates all tokens held by the App. There is no other Google user data to delete; the App does not maintain copies of email content or Drive content. ## 8. Children's privacy The App is not directed to children under 13 and does not knowingly collect personal information from anyone under 13. ## 9. Changes to this policy If material changes are made to this policy, the "Last updated" date above will be revised. Because the App is single-user, any policy changes will be reflected immediately upon update. ## 10. Contact For questions about this policy or the App's data practices, contact **[email protected]**.