Privacy Policy

Last updated: May 31, 2026

Earnest ("Earnest," "we," "our," or "us") operates the platform at earnestai.app, an AI-powered service that helps user-generated-content creators land paid brand partnerships. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It applies to all use of the Earnest platform and any related services.

1. Information We Collect

1.1 Account and profile information

When you create an account or complete onboarding, we collect:

  • Email address and password (the password is stored as a salted hash; we never see the plaintext)
  • Display name and creator profile — TikTok handle, Instagram handle, follower counts, content niche, tone preference, audience description, and rate card
  • Optional billing information processed by Stripe — we do not store full card numbers

1.2 Google user data (Gmail and Calendar)

When you connect Google through Earnest, we request the following OAuth scopes and access the following data:

  • https://www.googleapis.com/auth/gmail.send — to send brand outreach emails and replies from your own Gmail account on your behalf, only after you explicitly click Send (or approve a scheduled send) inside Earnest.
  • https://www.googleapis.com/auth/gmail.modify — to (a) detect brand replies on threads you sent through Earnest so we can surface them in your dashboard, (b) scan your inbox's Primary tab for cold inbound brand outreach so we can show it in your Inbox, and (c) add labels to threads Earnest has handled so future scans can be scoped efficiently. We do not delete, archive, or move your messages.
  • https://www.googleapis.com/auth/calendar.events — to create calendar events with reminders for deliverable due dates you accept. Optional during the consent step. We only read or modify events Earnest creates; we do not access your other calendar events.
  • https://www.googleapis.com/auth/userinfo.email — to know which Gmail address the grant is associated with so we can attach it to the correct Earnest account.

From your Gmail, we read message metadata (From, Subject, Date) and message snippets (the first ~500 characters of message body) for the limited purposes described above. We do not download attachments. We do not read messages older than the active scan window. We do not access messages outside the Primary tab.

1.3 Usage and diagnostic data

We collect basic usage data (which features you use, which API endpoints you hit, error logs) to operate, secure, and improve Earnest. We log access in audit tables for security purposes.

2. How We Use Your Information

We use the information above to:

  • Provide the core Earnest service — generate brand outreach drafts, send approved emails from your Gmail, detect replies, scan your inbox for inbound brand outreach, and surface results in your dashboard
  • Authenticate you and protect your account from abuse (rate limiting, MFA, security audit logging)
  • Process payments for paid plans through Stripe
  • Communicate with you about account activity, security events, and (only with consent) product updates
  • Improve the reliability and quality of the service through aggregated, de-identified analytics

We do not sell your personal information. We do not use your personal information for advertising. We do not share your personal information with third parties except as described in Section 5.

3. Google API Services User Data Policy — Limited Use Compliance

Earnest's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • Use only for user-facing features. Google user data is used only to provide the user-facing features of Earnest described in Section 1.2 — sending and reading email on your behalf, detecting brand replies, scanning your inbox for inbound brand outreach, and creating calendar events for deliverables.
  • No transfer to third parties except (a) as necessary to provide or improve those user-facing features, (b) to comply with applicable law, (c) as part of a merger, acquisition, or sale of assets with notice to you, or (d) for security purposes (e.g., investigating abuse).
  • No human reading of Google user data except (a) with your explicit consent for specific messages, (b) for security purposes (e.g., investigating a bug or abuse) under restricted access controls, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
  • No advertising use. We do not use Google user data to serve advertisements, and we do not transfer it to advertising platforms.
  • No AI/ML training. We do not use Google user data — including message bodies, subjects, snippets, or contact lists — to develop, improve, or train generalized AI or machine learning models. Anthropic, the AI provider used to draft outreach (see Section 4), does not train on data submitted through the Anthropic API by default, and Earnest does not opt into any training program for Google user data.

4. AI-Generated Content (Anthropic Claude)

Earnest uses the Anthropic Claude API to generate outreach drafts and reply drafts in your voice. To do this we send the following to Anthropic on a per-request basis:

  • Your creator profile fields you provided during onboarding (niche, tone, follower counts, rate card, audience description)
  • Brand context (brand name, public website summary, niche)
  • For reply drafting, the snippet and subject of the brand's most recent message in the thread

Anthropic processes this data solely to return the generated draft to Earnest and does not, by default, use API data to train its models. Anthropic's data handling is governed by their Privacy Policy and Commercial Terms. Generated drafts are stored in your Earnest account so you can review and edit them before sending; you can delete a draft at any time from the dashboard.

5. How We Share Information

We share data with the following service providers, each only with the minimum data needed to operate Earnest, and each bound by their own privacy and security obligations:

  • Supabase — our primary database and authentication provider (stores your account, creator profile, outreach history, and encrypted OAuth tokens)
  • Vercel — hosting and serverless compute
  • Stripe — payment processing for paid plans
  • Anthropic — AI-powered draft generation (see Section 4)
  • Resend — transactional email delivery (verification emails, billing receipts) — not used for outreach to brands
  • Google — the Gmail and Calendar APIs you authorized via OAuth

We do not share Google user data with any party not listed above, and we do not share it for any purpose beyond providing the user-facing features described in Section 1.2.

6. Data Storage, Security, and Retention

6.1 Security

We implement security controls including:

  • HTTPS for all network traffic
  • AES-256-GCM encryption at rest for OAuth tokens (Gmail and Calendar access and refresh tokens are never stored in plaintext in the database)
  • Salted password hashing using a modern key-derivation function
  • Optional two-factor authentication (TOTP)
  • HMAC-signed session cookies with periodic rotation
  • Rate limiting on authentication endpoints and OAuth flows
  • Audit logging of security-sensitive actions
  • Output scanning to prevent AI-generated content from leaking system context
  • A global kill-switch that can pause all outbound automation in case of an incident

6.2 Retention

We retain account information for as long as your account is active. Google user data (message snippets and metadata captured during inbox scans, sent outreach bodies you authorized) is retained as part of your outreach pipeline so you can see your own history. You can delete individual items from your dashboard at any time, or delete your entire account, which removes all associated Google user data within 30 days.

6.3 Deletion

You may delete your account at any time from Settings → Danger Zone → Delete Account. Deleting your account:

  • Revokes Earnest's access to your Gmail and Calendar (refresh tokens are invalidated)
  • Erases all Google user data we have stored — captured inbound messages, sent outreach bodies, reply drafts, calendar event references
  • Erases your creator profile, outreach history, billing records (subject to legal retention requirements for tax/accounting), and audit logs older than the security-incident review window

You can also revoke Earnest's Google access directly at https://myaccount.google.com/permissions without deleting your Earnest account — your Earnest account will continue to exist but the Gmail/Calendar integration will stop working until you reconnect.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (see Section 6.3)
  • Export a machine-readable copy of your data (available from Settings → Export Data)
  • Object to or restrict certain processing
  • Opt out of non-essential communications at any time

To exercise any of these rights, use the dashboard self-service tools or email us at earnestmanagement4@gmail.com.

8. Cookies

We use a small number of essential cookies necessary for the platform to function — primarily the session cookie that keeps you logged in and the CSRF state cookie used during the Google OAuth flow. We do not use tracking cookies, third-party advertising cookies, or cross-site tracking. We display a consent banner where required.

9. Children's Privacy

Earnest is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, contact us and we will delete it.

10. International Users

Earnest is operated from the United States. If you access the service from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the most recent update at the top of this page. Material changes will be communicated to you via email or an in-app notice. Continued use of Earnest after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our handling of your data, contact us at earnestmanagement4@gmail.com.

© 2026 Earnest