Privacy Policy
Last updated: March 29, 2026
1. Introduction
Loqito (“we”, “us”) is committed to protecting your privacy. This policy describes what data we collect, how we use it, and your rights as a user.
If you have questions about this policy, contact us at privacy@loqito.com.
2. Data We Collect
We collect the following data when you use Loqito:
| Data | Source | Why |
|---|---|---|
| Email address | Google OAuth sign-in | Account identity |
| Display name, profile photo | Google OAuth | Dashboard personalisation |
| Email subject lines | Gmail API (you authorise this) | AI briefing generation |
| Sender names and email addresses | Gmail API | Briefing attribution, sender filtering |
| Email snippet (first ~100 characters) | Gmail API | AI briefing generation — always included with headers |
| Email timestamps | Gmail API | Scheduling context |
| Email body (up to 2,000 characters) | Gmail API | Only when you explicitly enable “Full email body” in Settings and give separate consent — Pro tier only |
| Briefing content (AI-generated) | OpenAI API | Stored and displayed to you |
| Audio files (MP3) | OpenAI TTS | Stored in Vercel Blob, playable by you |
What we do NOT collect:
- Email body content beyond the brief snippet Gmail returns — unless you explicitly opt in (Pro tier only)
- Email attachments
- Contacts or calendar data (calendar scope requested only to propose events, never stored)
- Payment card details (handled entirely by Stripe)
Important: email content sent to third-party AI
Email subjects, sender names, and snippets are sent to third-party AI providers (see Section 4) to generate your briefing. Before leaving Loqito's servers, all free-text fields are automatically scanned and common sensitive patterns (financial account numbers, card numbers, phone numbers, email addresses, SSNs) are replaced with placeholder tokens. No raw email data is stored by Loqito — only the AI-generated briefing text is saved. Pro and higher tier users may optionally enable full email body mode; up to 2,000 characters of body content are then also sent, after the same PII scrubbing pass. Use the “Exclude domains” setting to prevent emails from specific senders from being processed at all.
3. How We Use Your Data
- Generate AI briefings from your email subject lines
- Display and play briefings in the Loqito dashboard
- Send you transactional emails when your scheduled briefing is ready (if enabled)
- Process payments via Stripe
4. AI Sub-processors
The following data is sent to AI providers to generate briefings: email subject lines, sender names, sender email addresses, and the short snippet Gmail includes with each message (approximately the first 100 characters of the email body). Pro and higher tier users who enable the full email body option also send up to 2,000 characters of body content per message. Before any of this data leaves Loqito's servers it passes through an automatic PII scrubber that replaces common sensitive patterns (account numbers, card numbers, phone numbers, email addresses, SSNs) with placeholder tokens.
We do not have control over these providers' internal data handling beyond what their data processing agreements specify. By using Loqito and giving AI-processing consent, you acknowledge that this data will be processed by the applicable provider below.
| Provider | Purpose | Data sent | Policy |
|---|---|---|---|
| OpenAI | Briefing narration (Free + Pro tiers) | Email subjects + senders | Privacy Policy |
| Anthropic | Briefing narration (Advisor tier) | Email subjects + senders | Privacy Policy |
| Google Gemini | Briefing narration (Pro tier, certain models) | Email subjects + senders | Privacy Policy |
| OpenAI TTS | Audio generation (Pro + Advisor tiers) | Briefing narration text | Privacy Policy |
5. Data Storage
| Data | Storage | Retention |
|---|---|---|
| User account | Neon Postgres | Until account deletion |
| Briefings | Neon Postgres | 30 briefings per user; older ones automatically pruned |
| Audio files | Vercel Blob | Until briefing is pruned |
| Schedule + preferences | Upstash Redis | Until explicitly changed or account deleted |
| Session tokens | httpOnly cookie (browser) | 30 days, then re-authentication required |
| Refresh tokens | Upstash Redis | Until sign-out or token revocation |
6. Third-Party Services
We use the following sub-processors to operate the service:
- Vercel — serverless hosting and edge compute. Privacy Policy
- Neon — managed Postgres database. Privacy Policy
- Upstash — managed Redis. Privacy Policy
- Stripe — payment processing. Privacy Policy
- Resend — transactional email. Privacy Policy
7. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your account and all associated data.
- Portability — receive your briefings in a machine-readable format.
- Withdraw consent — revoke AI processing consent at any time via Settings → “Revoke AI consent”. This stops future Gmail data from being sent to AI providers.
To exercise these rights, email privacy@loqito.com.
8. Cookies
We use one httpOnly session cookie set by NextAuth.js to maintain your login session. We do not use third-party tracking cookies, analytics cookies, or advertising cookies.
9. Children
Loqito is not directed at children under 13. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email to the address associated with your account.
11. Contact
For any privacy-related questions or requests, contact us at privacy@loqito.com.