← Back to Via

Privacy Policy

Effective April 2026

Via is an email client. To show you your inbox and send mail on your behalf, we request access to the following through Google's OAuth system:

  • Gmail read, send, and modify scopes (for inbox display, compose, snooze, and labels)
  • Google Calendar read and write (for inline event display and invite creation)
  • Basic Google profile (name, email, avatar)

Token storage

Your OAuth tokens are encrypted at rest using AES-256-GCM. They never leave our servers in plaintext and are never shared with third parties.

AI Triage

When you press the triage hotkey, the subject line and a short snippet of each message in view are sent to OpenRouter (model: gpt-4o-mini) for classification. This happens only on your explicit action. No email content is sent to any AI provider automatically, in the background, or without your instruction. OpenRouter does not train on inputs.

Read receipts

Messages you send through Via contain a 1x1 tracking pixel that records open time, approximate geolocation derived from IP, and user-agent. This data is shown to you in the analytics dashboard and is never sold or shared.

We do not sell user data

We do not use your email content for advertising, data brokering, or model training.

Deletion

You can revoke Via's access from your Google Account permissions page at any time, and from inside Via you can request full deletion of all stored data. Deletion is completed within 7 days.

Security

Via runs on modern infrastructure with strict Content Security Policy headers, HTTPS enforced via HSTS, and sensitive tokens encrypted at rest with authenticated encryption. We do not store email bodies on our servers — every view is a live read from Gmail using your scoped OAuth token.

Responsible disclosure: please report security issues to ciao@cherrystreetlabs.com. We acknowledge within 48 hours.

Contact

Questions, requests, or data deletion: ciao@cherrystreetlabs.com.