Legal
Privacy Policy
Last updated: April 29, 2026
1. Who we are
This Privacy Policy describes how Phyllax LLC ("Phyllax," "we," "us") handles information in connection with the Phyllax desktop application and related websites at phyllax.com. By installing or using Phyllax, you agree to this policy.
Contact: support@phyllax.com.
2. How Phyllax works (and why this matters for privacy)
Phyllax is a native desktop application that runs entirely on your computer (Windows or macOS). When you connect a service like Gmail, Slack, or Notion, the connection is between your computer and that service — not between us and that service. We never receive a copy of your emails, messages, files, or any other data from the services you connect.
When Phyllax uses an AI model (for example, to summarize an email or detect an urgent message), it sends that request directly from your computer to the AI provider you have chosen (Anthropic, OpenAI, Google Gemini, xAI Grok, Microsoft Azure, AWS Bedrock, Together AI, or a local model running on your machine via Ollama). We do not proxy, intercept, or store these requests.
3. What stays on your device
The following are stored locally on your computer and are never transmitted to Phyllax:
- Email contents, subjects, and senders fetched from connected providers
- Calendar events, attendees, locations, and meeting links
- Messages from Slack, Microsoft Teams, Discord, and similar services
- Documents, files, and notes from Google Drive, OneDrive, SharePoint, Notion, Box, and similar services
- CRM records, tickets, orders, ad campaigns, and analytics from connected business tools
- OAuth access tokens and refresh tokens (encrypted at rest using your operating system's secure key storage — DPAPI on Windows, Keychain on macOS)
- API keys you provide for AI providers
- The contents of every prompt and response sent to AI models
- Schedules, priorities, notifications, and other application state
This data lives in a local SQLite database in your operating system's user-data directory (for example, %AppData%\phyllax on Windows). You can delete it at any time by uninstalling Phyllax or removing that folder.
4. What does leave your device
The community edition of Phyllax intentionally sends nothing about you or your usage. The only bytes that leave your computer are ones you deliberately cause — either by connecting an integration (in which case data flows between your machine and that service directly, not through Phyllax), by choosing an AI provider (calls go directly to that provider), or by composing and sending a bug report.
4.1 Analytics and telemetry
Phyllax does not collect analytics or telemetry. The community edition does not include Mixpanel, Google Analytics, or any other tracking or usage-measurement service. Nothing about which screens you open, which schedules fire, or which integrations you connect is transmitted anywhere.
4.2 Bug reports you submit
If you choose to submit a bug report from inside the application, the description you type and a small diagnostic context (OS, Phyllax version, connected integration names, most recent error) are placed into a new email drafted in your default email client and addressed to support@phyllax.com. Nothing is transmitted until you review the draft and click Send in your email client. Phyllax does not automatically send bug reports.
5. Third parties Phyllax connects to on your behalf
When you connect a service to Phyllax, Phyllax acts on your computer as a client of that service using credentials you authorize. We are not a data controller of the data exchanged between your computer and those services.
Each service has its own privacy policy that governs how it handles your data:
- Google services (Gmail, Calendar, Drive, Docs, YouTube, Google Ads): governed by Google's Privacy Policy
- Microsoft services (Outlook, Teams, OneDrive, SharePoint): governed by Microsoft's Privacy Statement
- AI providers (Anthropic, OpenAI, Google Gemini, xAI, Microsoft Azure OpenAI, AWS Bedrock, Together AI): governed by their respective privacy policies
- All other connected services (Slack, Discord, Notion, Stripe, Shopify, Salesforce, HubSpot, etc.): governed by each service's own privacy policy
6. Google API Services — Limited Use disclosure
Phyllax's use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to data accessed through Google APIs (Gmail, Google Calendar, Google Drive, Google Docs, YouTube, and Google Ads), Phyllax:
- Does not transfer Google user data to others except as necessary to provide or improve user-facing features that are prominent in the application's user interface, and only with the user's explicit consent.
- Does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- Does not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine learning models.
- Does not allow humans to read Google user data, except (a) with the user's explicit consent for specific data items, (b) when necessary for security purposes (such as investigating abuse), (c) when necessary to comply with applicable law, or (d) when the data has been aggregated and anonymized for internal operations in accordance with applicable privacy regulations.
Because Phyllax is a desktop application, your Google data is processed locally on your computer and is not stored on Phyllax's servers. When you choose to use an AI feature, your data is transmitted directly from your computer to the AI provider you have configured, not through Phyllax.
7. Children
Phyllax is not directed to children under 13 (or 16 in the European Economic Area), and we do not knowingly collect information from them.
8. Security
OAuth access tokens, refresh tokens, and API keys stored locally by Phyllax are encrypted at rest using your operating system's secure storage API (Windows DPAPI or macOS Keychain). Network connections to integrated services and AI providers use TLS. We follow industry best practices in our build and release pipeline.
No system is perfectly secure. If you suspect a security issue, contact support@phyllax.com.
9. Your rights
Because Phyllax stores all your data on your own computer and collects no analytics, you already have direct control over everything Phyllax touches. You can delete the local database, revoke any connected service's access from that service's own settings page, or uninstall Phyllax entirely at any time.
The only data that ever leaves your machine is content you explicitly send yourself — for example, an email bug report you compose in your own mail client and hit Send on. Stop sending those and Phyllax has no data about you to hold, correct, delete, or port.
If you are in the European Economic Area, the United Kingdom, or California, you have rights under GDPR / UK GDPR / CCPA. Because we do not collect data about you, most of these rights are exercised by controlling your own machine. If you have questions, email support@phyllax.com.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page. Material changes will be announced in-app on the next launch.
11. Contact
Questions about this policy: support@phyllax.com.