Legal

Privacy Policy

Last updated: May 27, 2026

In one sentence: Phyllax is a desktop application. Your emails, calendar events, messages, files, and other connected data never touch our servers. They live on your computer, and AI calls go directly from your computer to whichever AI provider you configure.

1. Who we are

This Privacy Policy describes how Phyllax LLC ("Phyllax," "we," "us") handles information in connection with the Phyllax desktop application and related websites at phyllax.com. By installing or using Phyllax, you agree to this policy.

Contact: privacy@phyllax.com.

2. How Phyllax works (and why this matters for privacy)

Phyllax is a native desktop application that runs entirely on your computer (Windows or macOS). When you connect a service like Gmail, Slack, or Notion, the connection is between your computer and that service — not between us and that service. We never receive a copy of your emails, messages, files, or any other data from the services you connect.

When Phyllax uses an AI model (for example, to summarize an email or detect an urgent message), it sends that request directly from your computer to the AI provider you have chosen (Anthropic, OpenAI, Google Gemini, xAI Grok, Microsoft Azure, AWS Bedrock, Together AI, or a local model running on your machine via Ollama). We do not proxy, intercept, or store these requests.

3. What stays on your device

The following are stored locally on your computer and are never transmitted to Phyllax:

Email contents, subjects, and senders fetched from connected providers
Calendar events, attendees, locations, and meeting links
Messages from Slack, Microsoft Teams, Discord, and similar services
Documents, files, and notes from Google Docs, OneDrive, SharePoint, Notion, Box, and similar services
CRM records, tickets, orders, ad campaigns, and analytics from connected business tools
OAuth access tokens and refresh tokens (encrypted at rest using your operating system's secure key storage — DPAPI on Windows, Keychain on macOS)
API keys you provide for AI providers
The contents of every prompt and response sent to AI models
Schedules, priorities, notifications, and other application state

This data lives in a local SQLite database in your operating system's user-data directory (for example, %AppData%\phyllax on Windows). You can delete it at any time by uninstalling Phyllax or removing that folder.

4. What does leave your device

A small, defined set of information does leave your computer. It does not include any of the data listed in Section 3.

4.1 Design-partner application

If you apply to the design-partner program on phyllax.com, the information you submit (email address and, optionally, name, role, and tools-you-want-connected) is stored in a Phyllax-team-controlled Google Sheet via Google Forms. We use this information only to evaluate your application, contact you about your invitation, and prioritize which integrations to ship next. We do not add you to any other mailing list without your explicit opt-in.

4.2 License validation (paid plans)

If you have a paid plan, Phyllax periodically validates your license key with our payment and licensing provider. The validation request includes:

Your license key
A machine fingerprint (a one-way hash derived from non-personally-identifying hardware characteristics)
The Phyllax version number

The fingerprint exists so a single license can be limited to a fixed number of devices. It is not used for tracking or correlated with other data.

4.3 Anonymous usage analytics

Phyllax uses Mixpanel to collect anonymous usage analytics that help us understand which features are used and detect bugs. The analytics events do not contain:

Email contents, subjects, senders, or recipients
Message contents from Slack, Teams, Discord, or any other service
File names or document contents
Names, addresses, phone numbers, or other personal contact details from your connected accounts
API keys, OAuth tokens, license keys, or other credentials
Prompts or responses from AI models

The analytics events do contain things like: which application screen was opened, that a schedule fired (without its result), the category of integration used, the operating system and Phyllax version, and a randomly generated installation ID. You can disable analytics in Settings at any time.

4.4 Bug reports you submit

If you choose to submit a bug report from inside the application, the description you type is sent to a private Discord channel monitored by the Phyllax team. We do not collect bug reports automatically — only when you click "Submit Bug" and confirm.

4.5 Application updates

Phyllax checks our update server periodically to see whether a newer version is available. The check transmits only your current Phyllax version, operating system, and architecture.

5. Third parties Phyllax connects to on your behalf

When you connect a service to Phyllax, Phyllax acts on your computer as a client of that service using credentials you authorize. We are not a data controller of the data exchanged between your computer and those services.

Each service has its own privacy policy that governs how it handles your data:

Google services (Gmail, Calendar, Docs, YouTube, Google Ads): governed by Google's Privacy Policy
Microsoft services (Outlook, Teams, OneDrive, SharePoint): governed by Microsoft's Privacy Statement
AI providers (Anthropic, OpenAI, Google Gemini, xAI, Microsoft Azure OpenAI, AWS Bedrock, Together AI): governed by their respective privacy policies
All other connected services (Slack, Discord, Notion, Stripe, Shopify, Salesforce, HubSpot, etc.): governed by each service's own privacy policy

6. Google API Services — Limited Use disclosure

Phyllax's use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, with respect to data accessed through Google APIs (Gmail, Google Calendar, Google Docs, Google Drive — accessed via the Google Docs integration's scopes — YouTube, and Google Ads), Phyllax:

Does not transfer Google user data to others except as necessary to provide or improve user-facing features that are prominent in the application's user interface, and only with the user's explicit consent.
Does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
Does not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine learning models.
Does not allow humans to read Google user data, except (a) with the user's explicit consent for specific data items, (b) when necessary for security purposes (such as investigating abuse), (c) when necessary to comply with applicable law, or (d) when the data has been aggregated and anonymized for internal operations in accordance with applicable privacy regulations.

Because Phyllax is a desktop application, your Google data is processed locally on your computer and is not stored on Phyllax's servers. When you choose to use an AI feature, your data is transmitted directly from your computer to the AI provider you have configured, not through Phyllax.

7. Children

Phyllax is not directed to children under 13 (or 16 in the European Economic Area), and we do not knowingly collect information from them.

8. Security

OAuth access tokens, refresh tokens, and API keys stored locally by Phyllax are encrypted at rest using your operating system's secure storage API (Windows DPAPI or macOS Keychain). Network connections to integrated services and AI providers use TLS. We follow industry best practices in our build and release pipeline.

No system is perfectly secure. If you suspect a security issue, contact security@phyllax.com.

9. Your rights

Because the great majority of the data Phyllax interacts with is stored on your own computer, you have direct control over it: you can delete the local database, revoke any connected service's access from that service's settings page, or uninstall Phyllax entirely.

For the limited data we do receive (design-partner application data, license validation requests, anonymous analytics, bug reports you submit), you can:

Ask to be removed from the design-partner applicant list by emailing privacy@phyllax.com
Disable analytics in Settings
Stop submitting bug reports
Request deletion of license-related data by emailing the address above (note: this will deactivate your license)

If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR / UK GDPR / CCPA, including the right to access, correct, delete, and port the limited data we hold about you, and to object to processing. Email us at the address above to exercise these rights.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page. Material changes will be announced in-app on the next launch.

11. Contact

Questions about this policy: privacy@phyllax.com.