Privacy Policy

Last updated: April 10, 2026

1. Information We Collect

When you use Skycot, we collect:

  • Account information: Email address, name, and profile photo from your Google account when you sign in.
  • Conversation data: Messages you send to AI agents, agent responses, and any facts extracted from conversations (e.g., income, goals, preferences).
  • Usage data: Message counts, feature usage, and session information for rate limiting and analytics.
  • Uploaded files: Documents (PDF, CSV, DOCX, TXT) and images you attach to conversations are processed during your session to provide agent responses.
  • Waitlist data: Email address and referral information if you join our waitlist.

2. How We Use Your Information

  • To provide and improve the Skycot platform and AI agent services.
  • To personalise your agent interactions through persistent memory.
  • To process payments and manage subscriptions.
  • To communicate with you about your account, updates, and marketing (with consent).

2A. Google Account Data Access & Usage

Skycot integrates with Google services to enhance your agent experience. When you authorise Skycot to access these services via Settings → Integrations, you grant the following permissions:

Google Calendar

Scopes: calendar.readonly, calendar.events

  • Data accessed: Calendar events, titles, dates, times, attendees, locations, and event descriptions.
  • Purpose: Provide scheduling assistance, analyse availability patterns, and maintain memory about your commitments so agents can give context-aware recommendations.
  • Retention: Event data is cached during sessions. Facts extracted from calendar data (e.g., "weekly meeting every Tuesday") are stored in your Memory until you delete them. Raw calendar data is not permanently stored.

Google Sheets

Scopes: spreadsheets

  • Data accessed: Spreadsheet names, cell content, and structure for spreadsheets you share with Skycot via URL or ID.
  • Purpose: Read, analyse, and write spreadsheet data to assist with financial analysis, project tracking, and data organisation tasks.
  • Retention: Spreadsheet data is cached during sessions only. Not permanently stored beyond extracted facts in your Memory.

Gmail

Scopes: gmail.readonly, gmail.compose

  • Data accessed: Email messages, sender/recipient addresses, subject lines, message body, and attachment metadata.
  • Purpose: Search and read your emails so agents can summarise, prioritise, and draft replies. Agents create draft emails for your review — you send them yourself from Gmail.
  • Retention: Email content is cached during sessions only. No email content is permanently stored. Facts extracted from emails (e.g., "meeting with David on Thursday") are stored in your Memory until you delete them.
  • AI processing: When you ask agents about your emails, message content is sent to Anthropic (Claude) for AI processing. Anthropic does not retain this data beyond the API call.

Scope Justification

Each Google permission is requested for a specific purpose:

  • calendar.readonly + calendar.events: Required to read your schedule and create/modify events for scheduling assistance.
  • spreadsheets: Required to read and write spreadsheet data for data analysis tasks.
  • gmail.readonly: Required to search and read emails for inbox triage, meeting prep, and email summarisation.
  • gmail.compose: Required to create draft replies. Skycot does NOT send emails on your behalf — drafts are created for your review and you send them from Gmail.

Limited Use Compliance

Skycot's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Prohibited Uses of Google Data

Skycot will NOT:

  • Sell, rent, or share your Google data with third parties for advertising or marketing purposes.
  • Use your Google data to train or improve general-purpose AI models.
  • Store your Google data longer than necessary to provide the service.
  • Access your Google data for any purpose other than those specified above.
  • Allow any human to read your Google data except where required by law or with your explicit consent.

Revoking Google Access

You can revoke Skycot's access to your Google Account in three ways:

  1. Via Skycot: Disconnect any Google integration in Settings → Integrations.
  2. Via Google: Visit myaccount.google.com/permissions, find "Skycot", and remove access.
  3. Account deletion: Deleting your Skycot account revokes all Google integrations and deletes all associated data.

Once revoked, Skycot cannot access any new Google data. Previously extracted facts remain in your Memory until you delete them manually via Settings → Memory, or by deleting your account.

3. Your Memory & Data Control

Skycot gives you full control over your data:

  • You can view all facts your agents have learned about you in the Memory page.
  • You can edit or delete any stored fact at any time.
  • You can export all your data as JSON.
  • You can delete all your data permanently at any time.
  • You can disconnect any integration to stop data access from that service.

4. Data Storage & Security

Your data is stored on secure cloud infrastructure (AWS, Sydney region). We protect your information with:

  • Encryption in transit: All connections use TLS 1.2+ (HTTPS).
  • Encryption at rest: Database storage is encrypted using AWS-managed keys.
  • Access controls: Only your authenticated account can access your data. No shared access.
  • Network isolation: Database is in a private VPC, not publicly accessible.
  • HSTS headers: Strict transport security enforced on all pages.

Google data receives the same security protections as all other user data. OAuth tokens are stored encrypted in our database and are never exposed to other users or third parties.

5. Third-Party Services

Skycot uses the following third-party services that may process your data:

  • Anthropic (Claude): AI agent responses. When you ask agents about your Google data, that data is sent to Anthropic for processing. Anthropic Privacy Policy.
  • OpenAI: Text embeddings for memory search and DALL-E image generation. OpenAI Privacy Policy.
  • ElevenLabs: Voice synthesis (if voice mode is used).
  • Deepgram: Speech recognition (if voice mode is used).
  • Google: Authentication and integrated services (Calendar, Sheets) as described in Section 2A.
  • Stripe: Payment processing. Skycot does not store your credit card details.

These providers process data solely to deliver functionality to you. Your data is not used by these providers for their own training or marketing purposes, subject to their respective privacy policies linked above.

6. Data Retention & Deletion

  • Account data: Retained while your account is active. Permanently deleted within 30 days of account deletion request.
  • Conversation history: Retained while your account is active. You can delete individual conversations at any time. All conversations are permanently deleted upon account deletion.
  • Memory facts: Retained until you delete them or delete your account. Deletion is immediate and irreversible.
  • Google integration data: Cached in-memory during sessions only (typically under 24 hours). Not permanently stored beyond extracted Memory facts. All cached data is cleared when you disconnect the integration or end your session.
  • Uploaded files: Processed in-session only. File content is not stored after the session ends. No copies are retained on our servers.
  • Payment data: Managed by Stripe. Skycot stores only your Stripe customer ID and subscription status. Transaction records are retained by Stripe for legal/accounting requirements (7 years per Australian tax law).
  • Audit logs: Access logs for memory and data operations are retained for 90 days for security monitoring, then automatically purged.
  • Inactive accounts: Accounts with no activity for 12 months may be flagged for deletion. You will be notified via email 30 days before any inactive account deletion.

7. Data Access & Deletion Requests

To request access to, a copy of, or deletion of your data (including any Google-derived data), contact privacy@skycot.com with your Skycot account email address and a description of your request. We will respond within 30 days.

You can also self-serve most data requests directly within Skycot:

  • View and delete Memory facts in the Memory page.
  • Disconnect integrations in Settings → Integrations.
  • Delete your account in Settings → Profile.

8. Contact

For privacy inquiries, contact us at privacy@skycot.com.

Skycot Pty Ltd. Melbourne, Australia. ABN pending.