Security
If you're connecting a work account, this page is for you. Here's how TextMyAgent handles your email and calendar data.
OAuth, not passwords
TextMyAgent connects to your email and calendar accounts through OAuth — the standard authorization protocol used by Google, Microsoft, and Apple. You authorize access through your provider's own login flow. We never see, store, or transmit your email or calendar password. If you change your password, our access continues. If you revoke our access through your provider's account settings, our access ends immediately, regardless of anything on our end.
What we ask access to
We request only the scopes we need to perform the two functions of the service:
- Read your inbox — to determine which incoming messages are important enough to surface to you.
- Send messages and save drafts — only when you direct us to.
- Mark messages read — for messages you've handled through us.
- Read your calendar — to answer your questions about it.
- Add, move, and clear calendar events — when you ask.
We do not request access to delete email. We do not request access to your contacts, files, or any other data we don't need.
Encryption
- In transit: all connections to and from TextMyAgent use TLS.
- At rest: access tokens, refresh tokens, and any cached data are encrypted with AES-256-GCM. Our database is encrypted at rest.
- Secrets: credentials are stored in a managed secrets vault, never in source code, configuration files, or logs.
Data minimization
We do not store your email content in our database beyond the working memory needed to respond to you. Email is read on demand, and the durable record we keep is limited to operational metadata (when a message was surfaced, whether you replied) — not the message bodies themselves. Calendar events are read on demand to answer your questions; we don't replicate your calendar to our database.
Logging
We do not write the contents of your email messages to our logs. Operational logs contain metadata necessary to run and secure the service (timestamps, error traces, rate limits) but not message bodies.
AI processing
The reasoning behind your agent's behavior is performed by Claude via the Anthropic API. Anthropic does not train its models on data submitted through its API. Your connected-account data is processed only to serve you.
Disconnection and deletion
- Disconnect any account at any time. The access token is revoked and any synced data from that account is deleted.
- Delete your data: text "delete my data" to your agent. We confirm and then delete.
- Delete your account: text "delete my account" to your agent. We confirm and then close it.
- You can also revoke access at any time through your provider's account settings (Google Account permissions, Microsoft account apps, Apple App-Specific Passwords).
Google API Limited Use
TextMyAgent's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not allow humans to read it except in narrow circumstances (with your explicit consent, for security, or for legal compliance), and do not transfer it except as needed to deliver the service to you.
Service providers
The service runs on infrastructure provided by Amazon Web Services. AI reasoning is provided by Anthropic. SMS delivery is provided by Twilio and Sendblue. Payments are processed by Stripe. Each of these providers operates under contractual confidentiality and uses your data only to provide their service to us.
Reporting a security concern
If you believe you've found a security vulnerability or want to report a concern, please email security@textmyagent.app. We will respond within two business days.
More detail
See our Privacy Policy for the full details on data handling, your rights, and how to exercise them.