Privacy Policy — DJEP Gmail Webmail

Summary

What Gmail data we access (and why)

When you connect Gmail, we request a minimal set of OAuth scopes. Exact scopes appear on Google’s consent screen and reflect the code shown below. We currently use standard identity scopes and a Gmail scope that provides full mailbox access so the webmail features function correctly.

Gmail data we access (read-only unless you take an action like Send/Reply/Label): labels/folders, message lists, message metadata (IDs, headers, from/to/subject), message bodies (plain & HTML), inline images and attachments (when opened), and thread relationships.

When you send or reply from DJEP, we use the content you create (recipients, subject, body, attachments) solely to deliver the message through Gmail.

We do not access your Gmail settings (signatures, filters, forwarding, delegates) and we do not engage in automated analysis of message content beyond what is required to display and send your email.

How we use the data

• User-facing features only: Gmail data is used exclusively to power features you use: reading messages and sending replies/new messages.
• No advertising: We do not use Gmail data for ads or marketing and do not transfer Gmail data to third parties for advertising.
• No background scraping: We fetch data as you use the UI; we do not routinely process your mailbox in the background.
• Human access is exceptional: Prohibited except (a) with your explicit consent for support, (b) when strictly required for security/abuse, or (c) to comply with applicable law. Any such access is limited and logged.

What we store (and what we don’t)

We store

• OAuth tokens (access token, refresh token, expiry, scopes, token type), your Google account email, and an internal link to your DJEP account (e.g., request_id, djidnumber, djemployeeid). Stored in a restricted MySQL database on oauth.djep.app.
• Minimal operational logs (timestamps, IP address, user agent, error traces without message content) to keep the service secure and debuggable.

We do not store

• Gmail message contents or attachments on our servers. Message bodies and attachments are fetched from Google and rendered to you as you view them. They are kept transiently in memory and are not written to disk, except where you deliberately download an attachment to your device.

Retention

• OAuth tokens are retained until you revoke access or disconnect (see Your choices & controls).
• Operational logs are retained for up to 30 days (or shorter where feasible) and then deleted/aggregated.

Security

• Transport security: All communications use HTTPS/TLS.
• Token protection: Tokens are stored with least‑privilege access; treated as secrets and never written to public logs.
• Secrets management: Application secrets/keys are stored outside the codebase and restricted to operational staff under confidentiality obligations.
• Infrastructure: Servers are hardened and monitored; access is limited to authorized personnel. We follow change‑management and vulnerability patching practices.

Note: The system is designed so Gmail content is not persisted on our servers—reducing risk. Attachments you choose to download go directly to your device.

Your choices & controls

Revoke app access (Google account controls)

1. Open Google Account → Security → Third‑party apps with account access.
2. Select the DJEP app (the exact app name shown on the consent screen).
3. Click Remove Access.

Disconnect & delete tokens (DJEP controls)

• At any time, you can use the Disconnect My Google Account button to remove the connection. This can be found by going to SETUP -> Integrations -> Google within DJ Event Planner. This immediately deletes your stored OAuth tokens from our systems.

Data portability

Your Gmail data remains in Gmail. Because we do not store message content, there is no additional export to provide beyond what Google already offers.

Sharing & transfers

• No selling of Gmail data. We do not sell or lease Gmail data.
• No sharing for advertising. We do not share Gmail data with third parties for ad purposes.
• Service providers: We may use infrastructure/service providers (e.g., hosting, monitoring) under contracts that restrict their use of data to providing those services to us.
• Legal: We may disclose information if required by law or to protect rights, property, or safety, consistent with due process.

International data transfers

All DJEP services for this integration are hosted and processed in the United States. If you access the service from outside the U.S. (for example, the UK or Australia), your information will be transferred to and stored in the United States.

For UK/EU users: where applicable, we implement appropriate safeguards for transfers to the U.S. consistent with applicable law (e.g., EU Standard Contractual Clauses/UK IDTA or their successors). Gmail message content itself remains with Google unless and until you view it in the UI.

Children’s privacy

DJEP is not directed to children under 13 (or the relevant age in your jurisdiction). Do not use the Gmail integration if you are under the minimum age.

Cookies and local storage

We use essential session cookies/local storage for authentication and to remember state in the webmail UI. We do not use Gmail data for advertising or cross‑site tracking.

Compliance with Google’s policies (Limited Use)

• We comply with the Google API Services User Data Policy, including the Limited Use requirements.
• Gmail data is used only to provide user‑facing features you request (reading/sending email).
• We do not transfer Gmail data to third parties except as necessary to provide or improve these features, comply with law, or as part of a merger/acquisition with equivalent protections.
• We do not use Gmail data for developing, improving, or training generalized AI/ML models.
• We do not use or transfer Gmail data for advertising, including retargeting.
• Human access to Gmail data is prohibited except with your consent, for security/abuse, or where required by law, and is limited/supervised.

Data controller, legal bases & rights (UK/EU)

• Controller: DJ Event Planner.
• Legal bases: Consent (Article 6(1)(a)) to access Gmail via Google OAuth; Legitimate interests (Article 6(1)(f)) for security logging and fraud prevention.
• Your rights: Subject to law, you may request access, correction, deletion, restriction, portability, or object to processing. To exercise these rights, email privacy@djeventplanner.com.
• Supervisory authority: You may lodge a complaint with your local data protection authority.

Changes to this policy

We may update this policy as our services evolve or to remain compliant. If changes are material, we will notify you (e.g., in‑app notice or email) and update the “Last updated” date above.

Contact