Privacy Policy

Last updated: February 2026

Our Commitment to Transparency

We want full honesty and transparency. Daedelus is a suite of tools built to simplify your digital life, and some of those tools use AI to power their automation. We use AI partners such as Anthropic and OpenAI to modernize a lot of that automation. This page explains exactly what data each part of the platform touches, where it goes, and what happens to it, with no vague language and no hidden meaning.

What We Collect

Daedelus collects only the minimum data required to provide the service you signed up for:

  • Account identity: your name, email address, and profile picture as provided by Google Sign-In (OAuth). We do not store passwords. These are saved to our database when you create an account and are used to identify you on subsequent visits.
  • Session token: a short-lived JWT stored in a secure, httpOnly cookie in your browser. This token identifies your session and does not contain calendar credentials. It is never written to our database.
  • Calendar connection tokens (optional): if you choose to connect Google Calendar from your Account page, we store your Google OAuth access token and refresh token in our database. These are used exclusively to create calendar events on your behalf when you request it. You can disconnect at any time, which permanently deletes these tokens from our database.
  • Email connection tokens (optional): if you choose to connect Gmail from your Account page, we store your Google OAuth access token and refresh token in our database. These are used exclusively to fetch email metadata when you trigger a Hermes scan. You can disconnect at any time, which permanently deletes these tokens.
  • Hermes scan results (temporary): when you run a Hermes scan, we store the aggregated results — sender names, domains, email counts, and unsubscribe URLs extracted from email headers — in our database for up to 7 days so the results persist across page visits. We do not store email body content, individual message text, or any personally identifiable content from your emails. Scan data is automatically deleted after 7 days, or immediately when you run a new scan.
  • Usage metadata: basic server logs (timestamps, route paths, HTTP status codes) for debugging and uptime monitoring. Logs do not include request bodies or personal content.

We do not run analytics trackers, sell data to third parties, or build advertising profiles.

Authentication & Google Permissions

Daedelus uses Google OAuth 2.0 for authentication. Sign-in and calendar access are intentionally separated into two distinct permission flows:

Sign-In (required)

When you create an account or sign in, Google asks you to grant:

  • openid, email, profile — your identity, so we know who you are. This is the only permission required to use Daedelus.

We do not request access to your Google Calendar or any other Google service during sign-in.

Gmail Connection (optional)

From your Account page, you can optionally connect Gmail for use with Hermes. This is a separate permission grant that allows Hermes to read email metadata. When you connect, Google asks you to grant:

  • gmail.metadata — read-only access to email headers (sender, subject, date, and the List-Unsubscribe header). This scope explicitly prohibits reading email body content, attachments, or full message text. We never see or store the content of your emails.

Gmail connection is entirely optional. If not connected, Hermes will prompt you to connect from its page. You can disconnect at any time from your Account page, which permanently deletes the stored tokens.

Calendar Connection (optional)

From your Account page, you can optionally connect Google Calendar. This is a separate permission grant that allows Kairos to publish events directly to your calendar. When you connect, Google asks you to grant:

  • calendar.calendarlist.readonly & calendar.calendars.readonly — to identify your calendar. We do not read your existing events.
  • calendar.events — to create new events on your behalf. We only write events that you explicitly review and confirm. Events are always published to your primary calendar.

Calendar connection is entirely optional. Kairos works without it, and you can always download a standard .ics file and add the event to any calendar app manually.

Your Google Calendar tokens are stored in our database and used only to fulfill your explicit export requests. You can revoke access at any time from your Account page, which permanently deletes the stored tokens.

AI Partners

Some Daedelus apps send data to third-party AI providers to perform their core function. We currently use:

Anthropic (Claude)

We use Anthropic's Claude API for AI-powered features such as image analysis. Anthropic's Privacy Policy governs how they handle data sent to their API.

Important: Daedelus currently uses a standard (non-enterprise) Anthropic API agreement. This means data you submit, including images, may be used by Anthropic to improve their models, in the same way that using Claude.ai or ChatGPT's image features on a free or standard plan may contribute to model training. If this is a concern, please do not upload sensitive or personally identifiable images. We plan to eventually migrate to enterprise agreements to prevent any AI partners from training on user data.

OpenAI

We may use OpenAI's API for future features. When and if we do, this policy will be updated with specifics about what data is sent, why, and any updates to enterprise-level agreements.

Kairos — App-Specific Privacy

Kairos converts images and screenshots into calendar events. Here is exactly what happens to your data at each step:

Image Uploads

  • When you select or drop an image (including HEIC photos from iPhone and other mobile devices), it is read into your browser's memory and converted to a base64 string entirely on your device.
  • That base64 string is sent over an encrypted HTTPS connection to our server. If the image is in HEIC/HEIF format, it is converted to JPEG on our server before being forwarded. The converted image is immediately forwarded to Anthropic's Claude API for event extraction.
  • We do not store your image. The image data is never written to a database, file system, or any persistent storage on our infrastructure. It exists only in memory for the duration of the API call and is discarded once the response is returned.
  • As noted above, because we use a standard Anthropic API plan, the image may be retained and used by Anthropic for model training purposes.

Extracted Event Details

  • Claude returns a structured JSON object (title, date, time, location, description). This is sent to your browser for you to review and edit.
  • We do not store extracted event details. The event data lives only in your browser until you export it, at which point it is either packaged into a downloadable .ics file or sent to Google Calendar via the Calendar API. The in-memory copy is discarded immediately after.

Calendar Export Options

  • Download .ics: Daedelus generates a standard iCalendar (.ics) file in your browser and prompts a download. The file is created on our server and streamed directly to you — it is not stored on our infrastructure.
  • Publish to Google Calendar (requires calendar connection): the event is sent directly to your Google primary calendar using your stored access token. Events are always published to your primary calendar. We do not read, copy, or store any of your existing calendar data.
  • Once an event is published to Google Calendar, we have no ongoing access to it. The event belongs entirely to your Google account.

Location Search

  • When you type in the location field, your query is sent to the Google Places Autocomplete API to suggest real-world addresses. Queries are proxied through our server to keep the API key off the client.
  • We do not log or store location queries. Google's Privacy Policy applies to data sent to their APIs.

Hermes — App-Specific Privacy

Hermes scans your Gmail inbox for emails containing unsubscribe links, groups them by sender, and lets you open the sender's own unsubscribe page in one click. Here is exactly what happens to your data:

What We Read

  • Hermes reads only email headers, specifically: the From, Subject, Date, and List-Unsubscribe headers from emails in your inbox.
  • We never read email body content. The gmail.metadata scope we use is technically restricted by Google's API to headers only; reading the message body is not possible with this permission level.
  • No AI provider is involved. Hermes does not send any email data to Anthropic, OpenAI, or any other third-party AI service.

What We Store

  • After a scan, we store aggregated results in our database: sender name, sender email address, domain, number of emails received, the most recent subject line, and the unsubscribe URL or email address extracted from the List-Unsubscribe header.
  • Scan results are retained for 7 days, then automatically deleted. Running a new scan immediately replaces the previous one.
  • We do not store individual email messages, email body text, attachments, or any content beyond the aggregated header data described above.

Unsubscribe Actions

  • When you click "Unsubscribe" on a sender card, Daedelus opens the sender's own unsubscribe URL in a new tab. We do not make any unsubscribe requests on your behalf. The action is taken by you directly on the sender's website or email system.
  • We have no visibility into whether an unsubscribe was completed, confirmed, or acted upon by the sender.

Data Retention

The following data is retained persistently in our database:

  • User account records (name, email, profile picture, internal ID) are retained for as long as your account exists. You can request deletion by contacting us.
  • Calendar connection tokens are retained until you disconnect Google Calendar from your Account page, at which point they are permanently deleted. You can also revoke access directly from your Google account permissions.
  • Gmail connection tokens are retained until you disconnect Gmail from your Account page, at which point they are permanently deleted. You can also revoke access directly from your Google account permissions.
  • Hermes scan results are retained for up to 7 days and then automatically deleted. Running a new scan immediately replaces any previous results.

Session cookies (JWTs) are retained for the duration of your browser session. If you sign out, the session cookie is invalidated. Session cookies do not contain calendar tokens, email tokens, or other sensitive credentials.

We do not retain images you upload, extracted event details, location queries, or email body content.

Changes to This Policy

We will update this page when our data practices change. Material changes, particularly around what is sent to AI providers or what is stored in our database, will be called out clearly at the top of this page with a summary of what changed and when.

Contact

Questions or concerns about this policy? Reach out at andrew@daedelus.ai.