Privacy Policy

Effective date: 8 April 2026

1. Introduction

Sotto is a product of Luminary Consulting Pty Ltd (ABN 60 608 016 815), an Australian company ("we", "us", "our"). Sotto is a desktop email client for macOS, Windows, and Linux that connects to your email accounts and calendars. Sotto supports Gmail and Microsoft 365 (Outlook). It also provides document signing, a rich email composer, and AI-powered features. This policy explains what data Sotto accesses, how it is used, where it is stored, and which third-party services are involved.

2. What data Sotto accesses

Sotto requires broad access to your email accounts and calendars to function as a full email client. During setup, you will be asked to authorise the following permissions.

Google (Gmail and Google Calendar)

Authorised via Google OAuth:

  • Read — email headers, body content (text and HTML), attachments, Gmail labels, thread structure, and read/unread status
  • Send — compose and send emails, reply, reply all, and forward on your behalf
  • Modify — archive, mark as read/unread, apply or remove labels, and manage drafts
  • Delete — move emails to trash when you choose to delete them
  • Calendar — read and write access to your Google Calendar events, including event details, attendees, and scheduling information
  • Profile — your email address (for account identification)

Microsoft 365 (Outlook)

Authorised via Microsoft Azure AD OAuth:

  • Mail.ReadWrite — read, create, and modify emails, attachments, labels, and folders
  • Mail.Send — send emails on your behalf
  • Calendars.ReadWrite — read and write access to your calendar events, attendees, and scheduling information
  • User.Read — your email address and display name (for account identification)

These permissions are necessary for Sotto to work as a complete email client — reading, composing, organising, and managing your inbox and calendar. Sotto only performs actions that you initiate or that you have explicitly configured (such as classification rules or automation workflows).

Document signing

When you use Sign & Return, Sotto opens PDF or DOCX attachments from your emails in a local signing window. All document processing, annotation, and signing happens entirely on your device. No document content is sent to Sotto's servers or any third-party signing service.

Disclaimer

While Sotto takes reasonable care to perform email operations correctly, we cannot guarantee that all actions (including sending, archiving, labelling, or deleting emails) will execute without error. By using Sotto, you acknowledge that the application interacts with your Gmail account on your behalf, and you accept responsibility for reviewing actions before confirming them. Sotto is provided "as is" and we are not liable for any unintended consequences of email operations performed through the application. See our Terms of Service for full details.

3. How your data is used

Displaying your inbox

Email content is fetched from Gmail and stored locally on your computer so you can browse your inbox, read messages, and view attachments.

AI-powered classification

To sort your emails into categories (such as bills, receipts, newsletters, and action items), Sotto sends the following to Anthropic's Claude API:

  • Email sender name and address
  • Email subject line
  • Email body text
  • Select email headers (e.g., In-Reply-To, List-Unsubscribe)

This data is sent for the sole purpose of classification and is processed according to Anthropic's privacy policy. Anthropic does not use API inputs to train models.

AI-powered search

When you use Sotto's AI search assistant, relevant email metadata (subject, sender, date, snippet) may be sent to Anthropic's Claude API to help answer your questions about your email.

Calendar

Sotto syncs with your Google Calendar or Microsoft 365 calendar to display events, create and edit appointments, and provide meeting intelligence. Calendar event data (titles, times, attendees, descriptions) is fetched via the Google Calendar API or Microsoft Graph API and stored locally on your computer. Calendar data may be cross-referenced with your email to identify meeting recordings, notes, and attendee correspondence — this analysis happens locally.

Document signing

When you use Sign & Return, Sotto opens PDF or DOCX attachments in a local signing window. All annotation and signing happens on your device. Signed documents are returned via email reply through your connected account. No document content is sent to Sotto's servers or any third-party signing service.

GIF search

The email composer includes a GIF picker powered by Giphy. When you search for GIFs, your search query is sent to Giphy's API. No email content, personal information, or account data is included in GIF search requests.

Sender logos

To display company logos next to emails, Sotto sends the domain name extracted from sender email addresses to logo.dev. Only the domain name is sent — no email content, subject lines, or personal information.

4. Where your data is stored

  • All email data is stored locally on your computer in a SQLite database within the application's data directory.
  • No email content is stored on any remote server operated by Sotto. The content of your messages never passes through our infrastructure.
  • OAuth tokens (used to access Gmail) are encrypted using your operating system's secure storage (macOS Keychain, Windows Credential Manager, or equivalent via Electron safeStorage).
  • API keys (if you provide your own Anthropic key) are encrypted the same way.

Calendar event data is stored locally on your computer alongside your email database.

Real-time relay service

Sotto operates a stateless relay service to deliver real-time push notifications for email and calendar changes. This relay receives your email address (verified via signed JSON Web Tokens) to route notifications to the correct device. The relay does not store email addresses, message content, calendar data, or any personal information beyond what is needed for the duration of a single connection. All routing is cryptographically verified.

5. Third-party services

Google Gmail API

Used to read, send, organise, and manage your email. Access is authorised via OAuth 2.0 with the permissions described in Section 2. Governed by Google's Terms of Service.

Google Calendar API

Used to read, create, edit, and delete calendar events. Access is authorised via OAuth 2.0 with the calendar permissions described in Section 2. Calendar data is stored locally on your device. Governed by Google's Terms of Service.

Microsoft Graph API

Used to read, send, and manage email, and to access calendar events for Microsoft 365 and Outlook accounts. Access is authorised via Microsoft Azure AD OAuth 2.0 with the permissions described in Section 2. All data is stored locally on your device. Governed by Microsoft's Services Agreement.

Anthropic Claude API

Used for email classification, AI-powered search, smart reply suggestions, and meeting intelligence. Email content is sent to Anthropic's API for processing. Anthropic processes data per their privacy policy. Data sent via the API is not used for model training.

logo.dev

Used to fetch company logos. Only domain names are sent — no email content or personal information is transmitted to this service.

Giphy API

Used to search for and display GIF images in the email composer. Only your search query text is sent to Giphy — no email content, personal information, or account data. Governed by Giphy's Terms of Service.

Sentry

Used for crash reporting and error tracking. Crash reports may include technical information such as error messages, stack traces, app version, and operating system details. All personally identifiable information (email addresses, file paths containing usernames) is stripped before transmission. Crash reports never include email content, subjects, sender information, calendar data, or personal correspondence. Crash reporting is only active in released versions (not development builds). Governed by Sentry's Privacy Policy.

Auto-updates

Sotto periodically checks for application updates from GitHub Releases. Update checks transmit your current app version and operating system to GitHub's servers. No email content, calendar data, or personal information is included in update requests.

6. Analytics and telemetry

Sotto may collect anonymised usage analytics to improve the product, such as feature usage counts, error rates, and app version information. Sotto also uses Sentry for crash reporting (see Section 5 for details). This telemetry:

  • Never includes email content, subjects, sender information, or any email or calendar data
  • Never includes personal information or confidential data
  • Can be disabled in Sotto's settings

7. Google API Services User Data Policy

Sotto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Sotto only uses Gmail and Google Calendar data to provide email client and calendar functionality to the user.
  • Sotto does not transfer Gmail data to third parties except as necessary for email classification (Anthropic), sender logos (logo.dev), and GIF search (Giphy), and only the minimum data required for each purpose.
  • Sotto does not transfer Google Calendar data to third parties.
  • Sotto does not use Gmail or Calendar data for advertising, market research, or email campaign tracking.
  • Sotto does not allow humans to read user Gmail or Calendar data unless the user explicitly provides it for support purposes.
  • Telemetry and crash reporting data never includes information received from Google APIs.

8. Data retention and deletion

  • Email and calendar data is retained locally until you clear the application cache or uninstall Sotto.
  • Google OAuth access can be revoked at any time through your Google Account settings or within the Sotto app.
  • Microsoft 365 access can be revoked through your Microsoft Account permissions page or within the Sotto app.
  • Uninstalling Sotto removes all locally stored data, including the email and calendar databases, saved signatures, and encrypted tokens.

9. Security

  • OAuth tokens are encrypted using your operating system's secure keychain.
  • All communication with Google (Gmail and Calendar APIs), Microsoft (Graph API), Anthropic, logo.dev, Giphy, Sentry, and Sotto's relay service occurs over HTTPS.
  • Email and calendar content is processed and stored locally on your machine. Our relay service routes push notifications using your email address (JWT-verified) but never sees or stores message content.
  • Crash reports are stripped of personally identifiable information before transmission.

10. Children's privacy

Sotto is not directed at children under the age of 13. We do not knowingly collect data from children.

11. Changes to this policy

If this policy is updated, the revised version will be posted on this page with a new effective date. Continued use of Sotto after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this privacy policy or how Sotto handles your data, please visit our support page or email us at support@sottomail.com.