Privacy Policy

Last updated: June 6, 2026

This Privacy Policy explains how [[LEGAL ENTITY NAME]](“tonebase”, “we”, “us”) collects, uses, and shares information when you use the tonebase browser extension and the tonebase web application at tonebase.ai (together, the “Service”).

tonebase helps customer-support teams draft on-brand replies. The extension works inside Gmail to generate a grounded reply suggestion from your team’s curated knowledge base.

1. Summary

  • The extension reads the content of a Gmail conversation only when you ask it to draft a reply — it does not silently monitor, read, or transmit your inbox in the background.
  • We use that conversation, plus your team’s curated knowledge base, to generate a suggested reply. We send the relevant text to our AI provider (OpenAI, via Vercel AI Gateway) to do so.
  • We do not sell your data, and we do not use your emails or messages to train AI models.
  • We use a small number of trusted service providers (“sub-processors”, listed in section 7) to run the Service.

2. Information we collect

a. Account and profile information

When you sign in (with email/password or “Sign in with Google”), we collect and store your name, email address, and profile picture URL. If you sign in with Google, we receive only your basic profile and email (the openid, email, and profile scopes). We do not request access to the Gmail API and cannot read your mailbox through Google.

b. Email conversation content (only on your action)

When you invoke tonebase on a Gmail thread to generate a reply, the extension reads the currently visible conversation from the page and sends a snapshot to our backend. This snapshot may include:

  • the thread subject and Gmail thread identifier and URL,
  • the body text of up to the 25 most recent visible messages (quoted/forwarded text is stripped before sending),
  • the display names and email addresses of the people in the conversation, and
  • message timestamps.

This content is stored in your workspace (in our database) so the draft can be generated and so your team can review why a reply was suggested. It is associated with your workspace and protected by row-level access controls.

c. Curated knowledge base

Content your team adds to tonebase (examples, templates, facts, imported FAQ/help content) and the search embeddings derived from it.

d. Generated drafts and quality signals

The reply drafts we generate, the sources cited in each draft, your edits to drafts, and retrieval/observability logs (which knowledge was retrieved and used, model used, and token usage/cost per request) so you can audit “why did the AI say this?”.

e. Billing information

If you subscribe to a paid plan, payments are processed by Stripe. We store a Stripe customer/subscription identifier and your plan and usage counts. We do not store your full card number — Stripe handles payment details directly.

f. Local storage on your device

The extension stores your authenticated session (a Supabase access/refresh token) and your selected workspace in the browser’s local extension storage (chrome.storage.local) so you stay signed in. This stays on your device and is sent to our servers only as a bearer token to authenticate your API requests.

3. How we use information

We use the information above to:

  • authenticate you and keep you signed in;
  • generate grounded reply suggestions from your knowledge base;
  • store and display your conversations, drafts, and citations to your team;
  • provide observability/auditing of AI output quality;
  • meter usage and process subscriptions and payments;
  • send transactional email (e.g. sign-up confirmation, password reset, team invites) via Resend;
  • secure, maintain, debug, and improve the Service.

4. Chrome extension permissions

The extension requests the minimum permissions needed to function:

PermissionWhy we need it
Host access to mail.google.comTo read the visible conversation when you request a draft and to show the reply suggestion inside Gmail.
Host access to tonebase.ai and our Supabase backendTo send the conversation snapshot and receive the generated draft over an authenticated connection.
identityTo complete “Sign in with Google” using Chrome’s secure auth flow.
storageTo keep you signed in (store your session and selected workspace locally).

5. Google API Services / Limited Use disclosure

tonebase’s use of information received from Google APIs (the basic profile and email obtained through “Sign in with Google”) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use this information solely to authenticate you and operate the Service, and we do not transfer or use it for advertising, or sell it.

Note: tonebase reads Gmail message content from the page you are viewing (via the browser extension), not through the Gmail API. We only access this content when you actively request a reply draft.

6. AI processing and training

To generate a draft, we send the relevant conversation text and retrieved knowledge to our AI provider, OpenAI, routed through Vercel AI Gateway, for text generation and embeddings.

  • We do not use your content to train our own models.
  • We use the AI provider via its API; under those API terms, your inputs and outputs are not used to train the provider’s models.

7. How we share information (sub-processors)

We do not sell your personal information. We share data only with service providers who process it on our behalf to run the Service:

Sub-processorPurposeData involved
SupabaseAuthentication and database hostingAccount info, conversations, knowledge base, drafts, logs
VercelApplication hosting and AI Gateway routingRequests to the Service; AI prompts routed to the model provider
OpenAIAI text generation and embeddings (via Vercel AI Gateway)Conversation text and knowledge sent for draft generation
StripeSubscription billing and paymentsBilling identifiers, plan, payment details (handled by Stripe)
ResendTransactional email deliveryRecipient email address and message content

We may also disclose information if required by law, to protect our rights or users’ safety, or in connection with a merger or acquisition.

8. Data retention

We retain account, conversation, knowledge base, draft, and log data for as long as your workspace is active or as needed to provide the Service. You can delete individual conversations and knowledge base items at any time, and you can request deletion of your account and associated data (see section 10). We may retain limited records as required for legal, accounting, or security purposes.

9. Data security

Data is encrypted in transit (HTTPS/TLS). Access to workspace data is restricted by row-level security so members can only access their own workspace’s data. API requests from the extension are authenticated with a bearer token and never rely on shared cookies.

10. Your rights and choices

Depending on your location, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can:

  • update or delete knowledge base content and conversations in the app,
  • sign out to remove the stored session from your device,
  • request access to or deletion of your account data by contacting us at privacy@tonebase.ai.

We will respond to verified requests as required by applicable law (e.g. GDPR, CCPA/CPRA).

11. International data transfers

We and our sub-processors may process and store information in countries other than yours, including the United States. Where required, we rely on appropriate safeguards for such transfers.

12. Children's privacy

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal information from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, for material changes, provide notice through the Service.

14. Contact us

[[LEGAL ENTITY NAME]] [[BUSINESS ADDRESS — optional but recommended]] Email: privacy@tonebase.ai

Governing law: [[STATE/COUNTRY]].