Privacy Policy

Working draft — pending legal review. Below is an honest account of what Threshold does with your data today.

Draft. The formal Termly-generated policy will replace this before launch. The principles below describe the implementation as it stands today.

Gmail access scope

Threshold uses two Gmail permissions only: read (gmail.readonly — to see incoming mail and classify it, and to detect when you reply in a paid thread) and send (gmail.send — to send paywall replies on your behalf). We did not request gmail.modify, so we can't label, archive, or delete anything in your mailbox.

Google Contacts (saved + Other Contacts)

During onboarding Threshold reads two lists from Google's People API: your saved Contacts (contacts.readonly — the addresses Gmail auto-promotes for frequent correspondents, plus anyone you manually added) and your 'Other Contacts' (contacts.other.readonly — Google's automatic record of everyone else you've corresponded with). We combine both, plus a one-time walk of your Gmail inbox to catch any addresses Google didn't auto-track, to populate a skip list so anyone you've ever interacted with doesn't get auto-paywalled when they reach out again. The addresses are stored only as a skip list — not displayed, exported, or shared.

Full bodies are never stored

When the classifier evaluates a new sender, the first ~4 KB of the message body is held in memory, sent to Anthropic's Claude API, and discarded once the response returns. The body is not written to our database. The same applies to live re-fetches when you open a row in the dashboard: Gmail is the source of truth, and the body lives in memory only for the length of the request.

Encryption at rest

Your Gmail OAuth refresh token is encrypted with AES-256-GCM before being written to the database. A database leak alone would not expose the token. Stripe payment metadata is stored unencrypted because it contains no secrets — only session and payment-intent IDs that are meaningless without the Stripe secret key.

Anonymized training data

When a sender pays your paywall, the message body is anonymized in two passes — a regex pass that strips your full name, every name token over two characters, your email address, and your email domain; followed by a Claude pass that catches nicknames, family-member references, employer or fund names, distinctive titles, and location clues that regex missed. The anonymized message is then added to a shared training set that improves the classifier for every Threshold user. We do not train on messages that did not pay.
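
For illustration, here is one way a regex pass with the rules listed above can be written. It is an added example, not Threshold's production code; the placeholder tokens, the case-insensitive matching, and the sample name and address are assumptions.

```python
import re

def build_scrubber(full_name, email):
    """Return scrub(text) that redacts one user's identifiers (regex pass only)."""
    domain = email.split("@", 1)[1]
    # "Every name token over two characters": split the name on non-word runs.
    tokens = [t for t in re.split(r"\W+", full_name) if len(t) > 2]

    def bounded(literal_pattern):
        # Match only when not glued to other word characters.
        return r"(?<!\w)" + literal_pattern + r"(?!\w)"

    # Most specific rule first: the address contains the domain and often a
    # name token, so it has to be replaced before those rules run.
    rules = [
        (bounded(re.escape(email)), "[EMAIL]"),
        (bounded(re.escape(domain)), "[DOMAIN]"),
        # Full name with flexible whitespace, so a middle initial goes too.
        (bounded(r"\s+".join(re.escape(p) for p in full_name.split())), "[NAME]"),
    ]
    rules += [(bounded(re.escape(t)), "[NAME]")
              for t in sorted(tokens, key=len, reverse=True)]
    compiled = [(re.compile(p, re.IGNORECASE), repl) for p, repl in rules]

    def scrub(text):
        for pattern, repl in compiled:
            text = pattern.sub(repl, text)
        return text
    return scrub

# Constructed sample user and message (not real data).
scrub = build_scrubber("Dana Q. Whitfield", "dana.whitfield@whitfieldcap.example")
SAMPLE = ("Hi Dana, is dana.whitfield@whitfieldcap.example still right, or "
          "whitfieldcap.example/contact? Dee said Dana Q. Whitfield moved to Austin.")

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

In the sample, the nickname "Dee" and the location "Austin" pass through untouched, which is the kind of leftover the second pass is there to catch.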

What we do store per email

Sender address and name, subject line, the short snippet Gmail auto-generates, the classifier's confidence and one-sentence reasoning, Gmail thread + message IDs (pointers, not content), and payment state with Stripe IDs. We do not store card numbers or any payment instrument data; that lives at Stripe.

What we never do

We do not sell your data. We do not share your data with third parties for marketing. The only third parties we send your data to are the ones strictly required to deliver the product: Google (Gmail, which you authorized us to access), Anthropic (classifier and anonymizer), and Stripe (payments). Each receives only the minimum necessary for that specific call.

Inactivity and account closure

If you don't open the Threshold dashboard for 30 days, automated processing pauses for your account — we stop classifying new mail and stop sweeping for replies, capping API costs and limiting how much of your inbox we read. The moment you load any page again, processing resumes. To delete your account entirely, email hello@thresholdmail.com; we'll honor any in-flight paid request and then purge your user record, requests, and known-senders cache. Anonymized training examples persist (by the time they exist, every reference to you has been scrubbed).

Questions about this policy? Email privacy@thresholdmail.com.