LEGAL

Privacy Policy

Last updated: 2026-06-05

Tolomail is a Chrome extension that helps you navigate Gmail by visualizing thread structure, tracking awaiting replies, and browsing attachments. This privacy policy explains what data Tolomail accesses, what it does with that data, and what choices you have.

Summary

  • Tolomail reads your Gmail in your browser to render visualizations.
  • All thread data, attachments, and notes are stored locally on your device in your browser's IndexedDB and Chrome storage.
  • An optional Drive backup feature (OFF by default) can mirror your notes, awaiting list, and favorites to your own Google Drive (appdata folder — invisible to you outside Tolomail). You enable it in Tolomail's Settings; you can disable it or delete the Drive copy at any time from the same page.
  • No data is sent to Tolomail's servers. We do not operate any server that receives your data.
  • No third-party analytics, advertising, or tracking SDKs.

Limited Use disclosure (Google API Services User Data Policy)

Tolomail's use of information received from Google APIs — including data obtained via the gmail.readonly restricted OAuth scope — adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  1. Use only to provide or improve user-facing features. Tolomail uses Gmail data exclusively to render the in-product features the user opens Tolomail to use (thread map, awaiting-reply tracker, searchable attachments view, per-thread notes). The data is never used for any purpose unrelated to these user-facing features.
  2. No transfer to others. Tolomail does not transfer Gmail data to any third party except (a) as necessary to provide or improve user-facing features (none, since all processing is local), (b) for security purposes (e.g. to investigate abuse), (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with the user's explicit consent.
  3. No advertising use. Tolomail does not use Gmail data for advertising of any kind, anywhere.
  4. No AI/ML model training. Tolomail does not use Gmail data to develop, improve, or train generalized AI and/or ML models. Tolomail does not run any AI/ML model on user data in v1.
  5. No human reads of user data except (a) with the user's explicit consent for specific messages, (b) where necessary for security purposes such as investigating abuse, or (c) to comply with applicable law. The developer does not have access to any user's Gmail data — all data is processed and stored in the user's own browser; there is no server-side copy.

Why gmail.readonly and not a narrower scope?

Tolomail renders the structure of conversations (sender, subject, body excerpts, in-reply-to relationships) and indexes attachments by filename, type, and metadata. The narrower gmail.metadata scope returns only headers and labels — no message bodies, no attachment payloads, no body snippets — which is insufficient for Tolomail's core thread-map and attachment-browsing features. gmail.readonly is the minimum scope that supports the features described in the Tolomail Chrome Web Store listing.

What permissions Tolomail uses, and why

Tolomail OAuth and Chrome permissions, with their justifications
Permission | Why
gmail.readonly (OAuth) | Read message bodies and headers to render thread maps + extract attachment metadata. Tolomail never writes, sends, deletes, or modifies your Gmail.
drive.appdata (OAuth) | Used only when you turn on the optional "Drive backup" feature in Settings. Backup is OFF by default — no Drive writes happen unless you explicitly enable it. When enabled, Tolomail writes one JSON file per account to a private folder in your own Google Drive that only Tolomail can see. You can disable backup or delete the Drive file from Settings ("Delete my Drive backup" button); existing Drive data is left untouched on disable.
openid (OAuth) | Used solely to obtain your Google Account ID for correctly namespacing multi-account data. No additional profile information is requested.
storage | Save your Tolomail settings, notes, awaiting-reply state, and account list in your browser's local storage.
sidePanel | Render the Tolomail attachments and thread-map views in Chrome's side panel.
downloads | Save attachments you choose to download via the Attachments panel's Download button. Tolomail never writes to Downloads without an explicit click.
alarms | Schedule periodic Drive backup runs.
identity, identity.email | Identify which Google account you're using so per-account data stays isolated.
Host permissions: mail.google.com, gmail.googleapis.com, www.googleapis.com/drive/v3, www.googleapis.com/upload/drive/v3, www.googleapis.com/oauth2/v3, oauth2.googleapis.com | Required to make authorized requests to Google's Gmail, Drive (appdata only), and OAuth userinfo endpoints on your behalf. Narrowed in v0.9.68 to the specific endpoints actually used.

Where your data lives

Where each kind of Tolomail data is stored
Data | Location
Thread maps, message metadata | Your browser's IndexedDB (gtv database)
Attachment metadata + cached blobs | Your browser's IndexedDB (gmail-attachments database)
Notes (per thread) | Your browser's chrome.storage.local
Awaiting-reply state | Your browser's chrome.storage.local
Account registry | Your browser's chrome.storage.local
Optional Drive backup (OFF by default) | Your own Google Drive (appdata folder — only Tolomail can access). Created only after you enable backup in Settings.
OAuth tokens | Chrome's built-in chrome.identity token cache (encrypted at rest by Chrome)

Tolomail does not transmit any of this data to any third party. Tolomail operates no server.

Multi-account support

If you register more than one Google account in Tolomail, each account's data is stored under a separate namespace keyed by your Google account ID. Tolomail does not share data between your registered accounts.

Data deletion

How to delete your Tolomail data
To delete | Action
One registered account + its local data | In Tolomail's popup, click "Remove" next to the account. This clears IndexedDB + storage entries for that account.
All Tolomail data | Uninstall the extension. Chrome automatically clears all chrome.storage.local and IndexedDB entries owned by the extension.
The Drive backup file | In Tolomail's Settings, click "Delete my Drive backup." Or go to drive.google.com → Settings → Manage apps → find Tolomail → Disconnect. Either deletes the appdata folder.
Revoke OAuth grant | Go to myaccount.google.com/permissions → find Tolomail → Remove.

Children's privacy

Tolomail is not directed at children under 13. We do not knowingly collect data from children under 13.

Changes to this policy

We may update this policy when Tolomail adds new features. Material changes will be reflected in the "Last updated" date at the top. Continued use of Tolomail after a change constitutes acceptance.

Contact

Questions or concerns: support@tolomail.com

Compliance

See the "Limited Use disclosure" section above for the full Google API Services User Data Policy statement.