Privacy Policy

Effective date: 23 March 2026

1. Introduction

Sotto is a desktop email client for macOS, Windows, and Linux that connects to your email accounts. Sotto currently supports Gmail, with Microsoft 365 and Outlook support coming soon. This policy explains what data Sotto accesses, how it is used, where it is stored, and which third-party services are involved.

2. What data Sotto accesses

Sotto requires broad access to your Gmail account to function as a full email client. During setup, you will be asked to authorise the following permissions via Google OAuth:

  • Read — email headers, body content (text and HTML), attachments, Gmail labels, thread structure, and read/unread status
  • Send — compose and send emails, reply, reply all, and forward on your behalf
  • Modify — archive, mark as read/unread, apply or remove labels, and manage drafts
  • Delete — move emails to trash when you choose to delete them
  • Profile — your Gmail email address (for account identification)

These permissions are necessary for Sotto to work as a complete email client — reading, composing, organising, and managing your inbox. Sotto only performs actions that you initiate or that you have explicitly configured (such as classification rules or automation workflows).

Disclaimer

While Sotto takes reasonable care to perform email operations correctly, we cannot guarantee that all actions (including sending, archiving, labelling, or deleting emails) will execute without error. By using Sotto, you acknowledge that the application interacts with your Gmail account on your behalf, and you accept responsibility for reviewing actions before confirming them. Sotto is provided "as is" and we are not liable for any unintended consequences of email operations performed through the application. See our Terms of Service for full details.

3. How your data is used

Displaying your inbox

Email content is fetched from Gmail and stored locally on your computer so you can browse your inbox, read messages, and view attachments.

AI-powered classification

To sort your emails into categories (such as bills, receipts, newsletters, and action items), Sotto sends the following to Anthropic's Claude API:

  • Email sender name and address
  • Email subject line
  • Email body text
  • Select email headers (e.g., In-Reply-To, List-Unsubscribe)

This data is sent for the sole purpose of classification and is processed according to Anthropic's privacy policy. Anthropic does not use API inputs to train models.

AI-powered search

When you use Sotto's AI search assistant, relevant email metadata (subject, sender, date, snippet) may be sent to Anthropic's Claude API to help answer your questions about your email.

Sender logos

To display company logos next to emails, Sotto sends the domain name extracted from sender email addresses to logo.dev. Only the domain name is sent — no email content, subject lines, or personal information.

4. Where your data is stored

  • All email data is stored locally on your computer in a SQLite database within the application's data directory.
  • No email content is stored on any remote server operated by Sotto. The content of your messages never passes through our infrastructure.
  • OAuth tokens (used to access Gmail) are encrypted using your operating system's secure storage (macOS Keychain, Windows Credential Manager, or equivalent via Electron safeStorage).
  • API keys (if you provide your own Anthropic key) are encrypted the same way.

Real-time sync service

Sotto may operate a server to enable real-time notifications and sync coordination between your devices. This service handles connection metadata only (such as account identifiers and sync timestamps). It never receives, processes, or stores the content of your emails, subjects, sender information, or any message data. All email content remains on your local device.

5. Third-party services

Google Gmail API

Used to read, send, organise, and manage your email. Access is authorised via OAuth 2.0 with the permissions described in Section 2. Governed by Google's Terms of Service.

Anthropic Claude API

Used for email classification and AI-powered search. Email content is sent to Anthropic's API for processing. Anthropic processes data per their privacy policy. Data sent via the API is not used for model training.

logo.dev

Used to fetch company logos. Only domain names are sent — no email content or personal information is transmitted to this service.

6. Analytics and telemetry

Sotto may collect anonymised usage analytics to improve the product, such as feature usage counts, error rates, and app version information. This telemetry:

  • Never includes email content, subjects, sender information, or any Gmail data
  • Never includes personal information or confidential data
  • Can be disabled in Sotto's settings

7. Google API Services User Data Policy

Sotto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Sotto only uses Gmail data to provide email client functionality to the user.
  • Sotto does not transfer Gmail data to third parties except as necessary for email classification (Anthropic) and sender logos (logo.dev), and only the minimum data required for each purpose.
  • Sotto does not use Gmail data for advertising, market research, or email campaign tracking.
  • Sotto does not allow humans to read user Gmail data unless the user explicitly provides it for support purposes.
  • Telemetry data never includes information received from Google APIs.

8. Data retention and deletion

  • Email data is retained locally until you clear the application cache or uninstall Sotto.
  • OAuth access can be revoked at any time through your Google Account settings or within the Sotto app.
  • Uninstalling Sotto removes all locally stored data, including the email database and encrypted tokens.

9. Security

  • OAuth tokens are encrypted using your operating system's secure keychain.
  • All communication with Google, Anthropic, logo.dev, and Sotto's sync service occurs over HTTPS.
  • Email content is processed and stored locally on your machine. Our sync service only handles connection metadata — never message content.

10. Children's privacy

Sotto is not directed at children under the age of 13. We do not knowingly collect data from children.

11. Changes to this policy

If this policy is updated, the revised version will be posted on this page with a new effective date. Continued use of Sotto after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this privacy policy or how Sotto handles your data, please visit our support page or email us at support@sottomail.com.