← Back to Skub

Privacy Policy

Last updated: 17 April 2026

Who we are

Skub is operated by Provenance Tags ApS, Denmark. Skub is an AI assistant that watches your email inbox and sends you tap-to-act notifications when a message needs your decision. Throughout this policy "Skub", "we", or "us" means Provenance Tags ApS.

What data we collect

Account data

• Email address and display name — used to identify your Skub account. You sign in with a passkey; mail-provider identity (e.g. Google profile) is used when you connect a mailbox.
• OAuth tokens for each connected mailbox — encrypted at rest, used only to access that mailbox on your behalf.
• Telegram chat ID — if you link Telegram, so we know where to send notifications.
• Stripe customer ID — if you subscribe to a paid plan.

Gmail data (accessed via Google's Gmail API)

• Email metadata (sender, subject, date, labels) — read to decide which emails matter and to dedupe notifications.
• Email snippets and bodies — read so Skub can summarize, classify, and generate suggested replies.
• Labels — read to respect existing organization; added/removed when you tap "Move" or "Ignore".
• Sent messages — created on your behalf when you tap "Reply" or "Forward" and choose content.

Skub does not access attachments, draft messages, contacts, calendars, or any Google data outside Gmail.

Derived data

Skub learns from your taps — sender preferences, ignore patterns, learned habits — but that derived data does not live in a Skub database. It is kept under your own control, where you can inspect, edit, or clear it at any time. Categories:

• Sender state (VIP / Known / Ignored / Blocked) — inferred from your taps, used to decide future notifications.
• Preference notes — natural-language summaries of your habits (e.g. "user replies quickly to Lars") and their vector embeddings.
• Activity history — which emails Skub notified you about, and which buttons you tapped.

How we use your data

• Deliver the service — read your connected mailboxes, send notifications, execute your taps (reply / archive / move / ignore / forward).
• Personalize — learn from your taps so future notifications get more useful. Your learning data is used only for your own Skub agent; it never influences another user's experience.
• Send transactional messages — e.g. a message to the Telegram admin chat when you join the waitlist, or an email if something about your account requires attention.
• Billing — process subscriptions through Stripe if you upgrade.

AI processing

To decide what matters and generate summaries, Skub sends email content to a third-party large-language-model provider. Content is sent only to process one request at a time — it is not retained beyond that request, and not used to train any AI model, per the provider's contract with us. No other AI or analytics service receives your email content. The specific provider is disclosed in our subprocessor list, available on request.

How data is stored and secured

• What we hold: your OAuth tokens (in an EU-hosted headless vault, every use audit-logged), your login session reference, your Stripe subscription status. That is the complete list of what lives on our infrastructure.
• What we don't hold: your email content, your preferences, your rules, your VIPs, your history with Skub. These stay under your control and are not written to a Skub database.
• All of the above runs on servers in Amsterdam (EU), hosted by Fly.io. No customer data is transferred outside the EEA for storage.
• Connections between you, Skub, and every subprocessor use TLS/HTTPS.
• Access to production systems is restricted to Provenance Tags staff. The vault itself is headless — no human can log into it; access happens only through deployed code, audit-logged.

Who we share data with

We share the minimum necessary data with a small set of vetted processors, and only to deliver the service to you. Each is bound by a written data-processing agreement. Categories:

• Mail-provider APIs (e.g. Google for Gmail, with more providers planned) — we call these on your behalf to read / modify / send on the mailboxes you connect.
• Messaging platform — to deliver skub notifications and receive your button taps.
• AI processing provider — to classify, summarize, and draft replies. Our AI providers are contractually prohibited from retaining your content beyond the individual request, and from training models on your data. No AI or analytics vendor receives your email content outside of this single-purpose flow.
• Payments — if you subscribe to a paid plan; the payment provider handles card details; we never see your card number.
• Infrastructure / hosting — EU-hosted; processes data only at our direction.

We do not sell, rent, or share your data for advertising. We do not aggregate your mail data with other users'. We do not use your email content to train AI models, and our providers are bound by the same commitment.

The full, named subprocessor list is available on request — email us via the form below.

Limited-use disclosure

Skub's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data retention and deletion

• Active accounts — we retain your OAuth tokens, login session, and subscription status while your account is active. Email content is not persisted beyond the in-memory processing of a single notification. Preferences, rules, and history stay under your control and are not held by us.
• Account deletion — submit a deletion request using the form below, or disconnect individual mailboxes from Skub's Settings → Mailboxes. We wipe the OAuth tokens + account + subscription reference we hold within 48 hours; any derived data you've kept under your control stays exactly where you chose to keep it (or is removed with the mailbox if you revoke access at Google). Deletion is permanent.
• For Gmail accounts, you can also revoke Skub's access at any time at myaccount.google.com/connections.

Your rights (GDPR / UK GDPR)

You have the right to: access a copy of your data, correct inaccuracies, delete your data, object to processing, and export your data. Submit a request using the form below. We respond within 30 days — usually faster.

Data Processing Agreement (DPA) and security artefacts

Customers who need to comply with GDPR (e.g. if you process employee or customer email through Skub on behalf of an organisation) may request a Data Processing Agreement. Our DPA is pre-signed by Provenance Tags ApS and becomes active when you counter-sign.

We also make our Data Protection Impact Assessment (DPIA), incident-response runbook, and full subprocessor list available on request under NDA. A public summary of our security posture is at skub.me/security.

Request any of these via the form below (pick “Other”, write “DPIA” or “DPA” in the details) or through the Enterprise form on the landing page.

Cookies and tracking

Skub uses a single first-party session cookie on skub.me and app.skub.me to keep you logged in. No analytics, no tracking pixels, no third-party advertising cookies.

Children

Skub is not directed to children under 16 and we do not knowingly collect data from them. If you believe we have, submit a deletion request and we'll remove it.

Changes to this policy

If we materially change how we handle data, we'll notify active users by email before the change takes effect.

Contact

Questions, deletion requests, or concerns: use the request form above (pick "Other" if it's not a data request).

Provenance Tags ApS · Denmark