Pim Privacy Policy
NOTICE: This document is an AI-drafted template based on free public templates and standard industry practice. It is NOT legal advice. Eric Erickson should have a licensed attorney review this before relying on it for any material legal matter. Recommended review trigger: revenue >$10K/year, first user complaint, first enterprise customer, first EU customer.
Effective date: May 26, 2026
Last updated: May 26, 2026 (custom-domain mailboxes)
Owner: Eric Erickson, sole proprietor doing business as "Pim"
Contact: privacy@trypim.com
TL;DR
Pim is a privacy-first Gmail cleaner browser extension. Your email content and metadata are processed entirely on your device. This policy explains exactly what data Pim accesses, what (specifically) leaves your computer and only when you ask, and how to revoke access at any time.
If you only read one paragraph, read this one: Pim never sends your email content or metadata to any server. The only data that leaves your device is the Gmail API instruction needed to label or move messages you choose to act on, plus a per-install random token used for billing entitlement checks. There is no analytics, no error reporting, no telemetry.
1. What Gmail data Pim accesses, and why
Pim connects to your Gmail account using the https://www.googleapis.com/auth/gmail.modify scope. That permission is used to:
- Read email metadata (sender, subject, date, labels): so Pim can show and categorize your mail (promotions, social, subscriptions, and so on) and help you decide what to clean.
- Read full message content only when you open the File Manager (a Pro feature): Pim reads a message to find and list its attachments, solely so you can save or offload those files. It does not read message bodies for any other feature.
- Apply labels and move mail: archive (remove the INBOX label) or trash (add the TRASH label) based on what you choose, and create labels for organizing.
- Read your Google account email address: read from your Gmail profile using the same gmail.modify connection (a standard profile lookup). It is not a separate scope and is used only to check your billing and entitlement status for Pro features.
Pim cannot permanently delete your email. Trashing moves a message to your Gmail Trash, where it stays recoverable for 30 days before Google purges it. There is no permanent-delete capability in the extension.
If, inside the File Manager, you choose "Save to Google Drive" as the destination for your attachments (an optional path; the default is a local zip download), Pim also requests the https://www.googleapis.com/auth/drive.file scope. This is the least sensitive Drive scope Google offers. With drive.file, Pim can ONLY see and modify files Pim itself creates. Pim CANNOT see any of your other Drive content (existing documents, photos, shared folders, anything created by other apps). It is used solely to create one top-level "Pim Archives" folder in your My Drive (and any subfolders you asked Pim to organize the upload into) and to upload the attachments themselves.
2. On-device processing
Email content and metadata are never sent to any server for analysis or storage. The only network calls Pim makes are listed in Section 3, and none of them carry your email.
Any on-device AI models Pim uses run entirely in your browser. Your email is never sent to any AI service.
3. What does leave your device, and only when you ask
Pim makes exactly four categories of network call. Each one is listed in full so a reviewer or auditor can verify the behavior in the source code.
3.1. Gmail API (gmail.googleapis.com)
- When: every Gmail action you take inside Pim (scan, clean, archive, trash, file, undo, list attachments, refresh).
- What is sent: a Google OAuth token bound to the gmail.modify scope you granted, plus the Gmail API request your action needs (e.g. a message id to label or trash). The request body never contains your email content; Pim only sends Gmail the instructions to move or label messages that you already authorized it to touch.
- Who sees it: Google, as your Gmail provider, the same as any other Gmail client.
- Why: this is how every Gmail integration works.
3.2. One-click unsubscribe POST to the sender's own server (RFC 8058 List-Unsubscribe=One-Click)
- When: only when you click Unsubscribe on a sender inside Pim. Implementation: entrypoints/background.ts (the chatUnsubscribe and chatUnsubBatch paths, fetch(u.url, { method: "POST", mode: "no-cors", body: "List-Unsubscribe=One-Click" })).
- What is sent: an empty-bodied List-Unsubscribe=One-Click POST to the URL the sender themselves published in their email's List-Unsubscribe header.
- Who sees it: the sender (or their email service provider). If the sender embedded a tracking token in their own unsubscribe URL, they learn that the recipient acted on their mail. This is by design of the RFC 8058 unsubscribe standard, not by Pim. The browser sends the request in no-cors mode and Pim does not read the response.
- Why: this is the only way to honor a one-click unsubscribe and actually remove you from the list. You can also just trash the mail; Pim never does this POST unless you click Unsubscribe.
3.3. On-device AI model download (Hugging Face + jsdelivr)
- When: the first time Pim needs the small on-device embedding model, and again only if the browser cache is cleared. Implementation: src/ai/embedder.ts via the @huggingface/transformers library (transformers.js).
- What is sent: a regular HTTPS GET for the model files (about 23 MB total, the Xenova/all-MiniLM-L6-v2 model in 8-bit) from huggingface.co, cdn-lfs.huggingface.co, cdn-lfs-us-1.huggingface.co, and the transformers.js runtime from cdn.jsdelivr.net. The request includes your IP address (any HTTPS request does) and a User-Agent, but no email content, no Gmail token, and no Pim-specific identifier.
- Who sees it: Hugging Face and jsdelivr, as the model and library hosts. They learn that a browser fetched a public file; they do not see your email.
- Why: the AI model runs on your device. The download is the only way to get the model onto your device in the first place.
3.4. ExtensionPay entitlement check (extensionpay.com)
- When: at launch and periodically, to confirm whether your account is currently entitled to Pro features. Implementation: the extpay library (ExtPay("pim").getUser() in entrypoints/background.ts).
- What is sent: a per-install random token (generated by ExtensionPay when the extension first runs; not derived from your Gmail address, your name, or your email content) and an HTTPS GET to extensionpay.com/api/v2/user. ExtensionPay receives a heartbeat from your install but no Gmail data and no message content.
- Who sees it: ExtensionPay, as the billing provider. If you make a purchase, the payment itself is processed by ExtensionPay and Stripe; Pim never sees or stores payment details.
- Why: this is how Pim confirms a paid subscription without running its own billing server.
3.5. Google Drive uploads when you pick "Save to Google Drive" in File Manager (www.googleapis.com)
- When: only when you, inside File Manager, choose "Save to Google Drive" instead of the default local zip download, AND you grant the additional drive.file scope at the Google consent prompt. With the default save mode, Pim never calls Drive. Implementation: src/drive/client.ts (folder lookup, folder create, resumable file uploads) called by src/drive/uploadFilesToDrive.ts.
- What is sent: one Google OAuth token bound to the drive.file scope you granted, plus the Drive API request your action needs. For a save batch, Pim makes:
  - GET https://www.googleapis.com/drive/v3/files?q=... to look up an existing "Pim Archives" folder (or any subfolder Pim previously created).
  - POST https://www.googleapis.com/drive/v3/files to create the "Pim Archives" folder (first time only) and any subfolders for the organization mode you chose.
  - POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable followed by PUT to the returned upload session URL, to upload each attachment's bytes. The bytes are the same attachment data Pim already reads from Gmail under the gmail.modify scope; the only thing that changes here is the destination.
- Who sees it: Google, as your Drive provider. They store the files in your Drive under your account, the same as if you had downloaded them locally and re-uploaded by hand.
- Why: so you can keep large attachment archives off your laptop's disk and inside your own Google Drive instead.
- Privacy boundary, important to understand: the drive.file scope is the LEAST-sensitive Drive scope Google offers. With it, Pim can ONLY see and modify files Pim itself creates. Pim CANNOT see your existing Drive documents, your photos, your shared folders, or anything created by another app. If you ever want to remove every Drive file Pim made, deleting the single "Pim Archives" folder (and emptying Trash) removes everything Pim ever wrote to your Drive.
That is the complete list. Pim makes no other outbound network calls. There is no analytics provider, no error reporting service, no third-party SDK that phones home with your usage.
4. Data we collect, share, retain (the formal table)
| Category | What | Where it lives | How long | Shared with |
|---|---|---|---|---|
| Gmail metadata (sender, subject, date, labels) | Read live from Gmail API as needed | Browser memory, browser local storage cache | Cleared when you log out of Pim or clear extension storage | Nobody. Stays on your device. |
| Gmail message body | Read live, only when you open the File Manager | Browser memory only (not persisted) | Cleared when the File Manager view closes | Nobody. Stays on your device. |
| Gmail attachment metadata (filename, size, MIME type) | Read live in File Manager | Browser memory only | Cleared when File Manager closes | Nobody. Stays on your device. |
| Your Gmail address | Read from your Gmail profile via the gmail.modify connection | Browser local storage, sent to ExtensionPay only as part of the standard ExtensionPay user identification flow | While you are logged in; cleared on logout | ExtensionPay (billing only) |
| Per-install ExtensionPay token | Generated by ExtensionPay on first run | Browser local storage | While the extension is installed | ExtensionPay and Stripe (billing only) |
| Payment card data | Captured directly by Stripe via ExtensionPay's checkout | Never reaches Pim. We never see it. | n/a | Stripe (PCI DSS Level 1) |
5. Agent API integration (OFF by default)
Pim's Settings panel includes an "Agent API" toggle (Pro+ feature). When you turn it on, Pim generates a per-install token that is shown once inside the Settings card. External AI agents you have installed on your computer (for example, Claude Desktop's Chrome extension, agent-style browser extensions, future Pim-aware tools) can then ask Pim to perform actions for you over the standard chrome.runtime.onMessageExternal channel. Every request requires your token, and the first time any new origin tries to call Pim, you see a banner in the Pim side panel asking whether to allow that origin once for one hour, allow it always, or deny it. The Agent API is OFF by default and remains OFF until you explicitly enable it.
If you enable Agent API access:
- Third-party AI agents you grant access to can request Pim to perform actions on your behalf. The exposed actions are: search your scanned attachments, list your inbox categories, list pending Clean and Organize moves, queue an attachment-save job (local zip or Google Drive), trash emails after a verified save, and apply a staged Clean and Organize plan. Converter actions (audio, video, document) are reserved for a future release.
- Pim never shares your Gmail data or OAuth tokens with those agents. The Google OAuth token stays inside Pim, the same as when you click buttons in the side panel.
- The agents send requests and receive structured results only. They may receive metadata (sender names, subject snippets, file names, file sizes, message identifiers) in the response to a request they made. Whatever the agent does with that metadata on its own servers is governed by the agent's privacy policy, not Pim's.
- Email message bodies and attachment file bytes never leave your device through this integration. Attachments still save to a local zip download or to your own Google Drive (with the drive.file scope already documented in Section 1 and Section 3), exactly as they do when you click the buttons in Pim.
- You can revoke any connected origin at any time from Settings, regenerate your token (the old one stops working), or turn the Agent API off entirely. Turning the Agent API off clears the token and revokes every previously approved origin so re-enabling later does not silently re-grant access.
The manifest contains externally_connectable.ids: ["*"] so the message listener can fire. This only enables the message channel; no action ever runs without (1) the per-install token AND (2) explicit per-origin user approval. Rate limits cap any one token at 60 requests per minute and 1000 requests per hour to stop a runaway or malicious agent from thrashing your inbox.
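The gate this section describes (token, then per-origin approval, then rate limits) can be sketched as follows. This is an added example, not Pim's source code: the AgentGate class, its method names, and the choice to remember a "deny" answer indefinitely are assumptions; only the 60-per-minute and 1000-per-hour limits, the one-hour "allow once" window, and the clear-on-disable behavior come from the text above.

```typescript
// Added illustration: AgentGate and every name in it are hypothetical, not Pim's source.
type Decision = "disabled" | "bad_token" | "needs_approval" | "origin_denied" | "rate_limited" | "allowed";
type Grant = { allow: boolean; expiresAt: number };

const MINUTE = 60000;
const HOUR = 3600000;
const PER_MINUTE = 60; // limits stated in the policy
const PER_HOUR = 1000;

// Compare without an early exit, so timing does not reveal where the tokens first differ.
// Out-of-range charCodeAt yields NaN, which the bitwise operators treat as 0.
function sameToken(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

class AgentGate {
  private token: string | null = null; // null means the Agent API is off (the default)
  // Prototype-less object, so an origin string can never collide with an inherited key.
  private grants: { [origin: string]: Grant | undefined } = Object.create(null);
  private hits: number[] = []; // timestamps (ms) of accepted requests

  // Enabling or regenerating installs a new token; the old one stops matching.
  enable(token: string): void {
    this.token = token;
    this.hits = [];
  }

  // Turning the API off clears the token and every approved origin.
  disable(): void {
    this.token = null;
    this.grants = Object.create(null);
    this.hits = [];
  }

  // Record the user's answer to the approval banner for one origin.
  approve(origin: string, choice: "once" | "always" | "deny", now: number): void {
    this.grants[origin] = {
      allow: choice !== "deny",
      expiresAt: choice === "once" ? now + HOUR : Infinity,
    };
  }

  check(origin: string, token: string, now: number): Decision {
    if (this.token === null) return "disabled";
    if (!sameToken(token, this.token)) return "bad_token";
    const grant = this.grants[origin];
    if (grant === undefined || now >= grant.expiresAt) {
      delete this.grants[origin];
      return "needs_approval"; // caller shows the banner and runs nothing yet
    }
    if (!grant.allow) return "origin_denied";
    this.hits = this.hits.filter((t) => now - t < HOUR);
    const lastMinute = this.hits.filter((t) => now - t < MINUTE).length;
    if (lastMinute >= PER_MINUTE || this.hits.length >= PER_HOUR) return "rate_limited";
    this.hits.push(now);
    return "allowed";
  }
}
```

Only an "allowed" result should reach an action handler; every other result is returned to the caller without touching Gmail or Drive.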
6. No selling or sharing
Pim never sells, rents, or shares your Gmail data with anyone. Your email content and metadata stay on your device, under your control. This satisfies the California Consumer Privacy Act's definition of "do not sell or share" by default; we cannot share what we do not have.
7. No server-side retention
Because everything runs on your device, Pim keeps none of your email data on any server. Working data for the current session is cleared when you close the extension or log out. There is no server-side database of users, no logs of user actions, no archives.
The only persistent server-side record of you is your ExtensionPay subscription record (handled by ExtensionPay, governed by their privacy policy).
8. Children's privacy
Pim is not directed to children under 13. Pim does not knowingly collect personal information from children under 13. If you believe Pim has somehow collected data from a child under 13, contact privacy@trypim.com and we will delete it.
Note: because Pim runs entirely on the user's device with Google's Gmail authentication, the practical age gate is Google's own (Gmail accounts for users under 13 require parental consent under COPPA via Google Family Link).
9. Third-party services explicitly named
The following third parties are part of Pim's operation. Each has its own privacy policy that governs how it handles data it receives:
- Google LLC (Gmail API, OAuth): https://policies.google.com/privacy
- ExtensionPay (Etinos LLC, subscription billing): https://extensionpay.com/privacy
- Stripe, Inc. (payment processor under ExtensionPay): https://stripe.com/privacy
- Hugging Face, Inc. (one-time AI model download): https://huggingface.co/privacy
- Cloudflare, Inc. / jsdelivr (CDN for the transformers.js library): https://www.cloudflare.com/privacypolicy/
We name them because we use them. We do not endorse or warrant their practices; we link to their policies so you can read them yourself.
10. Billing
Subscriptions are handled by ExtensionPay (see Section 3.4 above). Payment details are processed by ExtensionPay and Stripe and are never seen or stored by Pim. Pim only checks whether your account is entitled to Pro features.
For refund policy, see refund-policy.md.
11. Your rights
You have the following rights regarding your data. Pim is built so most of these are automatic; this section explains how to exercise the rest.
11.1. Right to access
You have the right to ask what data Pim has about you. The honest answer is: only what is described in Section 4. To see your live Pim data, open the extension; everything Pim "knows" is visible in the UI. Pim does not have a separate user database to query.
11.2. Right to deletion
You can delete everything Pim has about you at any time, in three steps:
- Click the Logout button inside Pim. This clears the cached Google OAuth token.
- Uninstall the Pim extension from chrome://extensions. This deletes all extension local storage.
- Go to https://myaccount.google.com/permissions and revoke Pim's access to your Gmail. This invalidates the OAuth grant at Google.
To delete your ExtensionPay subscription record (the only server-side record of you), cancel your subscription in ExtensionPay and contact privacy@trypim.com to request deletion of the historical record (subject to ExtensionPay's own retention policies).
11.3. Right to rectification
If any data Pim shows you about your inbox looks wrong, refresh; Pim re-reads from Gmail and shows what is actually there. Pim does not store a separate copy that could fall out of sync.
11.4. Right to portability
Pim does not store your email; Gmail does. You can export your Gmail data via Google Takeout (https://takeout.google.com) at any time.
11.5. Right to opt out of sale or sharing
Pim does not sell or share your data. There is nothing to opt out of.
11.6. Right to non-discrimination
Pim will not charge you more, give you a lower-quality service, or otherwise discriminate against you for exercising any of these rights.
11.7. EU and UK users (GDPR)
See gdpr-rights.md for the full GDPR / UK GDPR rights notice.
11.8. California residents (CCPA / CPRA)
See ccpa-notice.md for the full California notice.
See ccpa-notice.md for the full California notice.
12. How to revoke access
You can revoke Pim's access to Gmail at any time. Use the Logout button inside Pim (it clears the cached Google token and revokes access at Google), or manage access from your browser's extension settings or your Google Account permissions page at https://myaccount.google.com/permissions.
13. Security
We follow these security practices:
- All network calls use TLS (HTTPS) encryption.
- OAuth tokens are stored in the browser's secure storage. They never leave your machine except as part of a request to Google's Gmail API (which is where they came from).
- No analytics, no error reporting, no telemetry. We literally cannot leak data we never collected.
- Code review before every release.
- Vulnerability disclosure: see security-disclosure.md.
No system is 100% secure. We do our best, and we will tell you promptly if something goes wrong. If you become aware of a security issue with Pim, please follow security-disclosure.md.
14. Changes to this policy
If we change this policy in a way that materially reduces your privacy, we will notify Pim users in-product before the change takes effect, and update the "Last updated" date at the top. Minor clarifications may be made without notice but the change history is tracked in the Pim repository (https://github.com/eDoubleMUSIC/inbox-cleaner, if public).
Any dispute, claim, or controversy arising out of or relating to this Privacy Policy is governed by the iron-clad dispute resolution module in the Terms of Service Section 14 (mandatory pre-dispute negotiation, binding individual arbitration through JAMS Streamlined Rules with AAA Consumer Rules backup, class waivers, 30-day opt-out, jury trial waiver, one-year statute of limitations), with non-waivable CCPA / GDPR / California Civil Code Section 1668 rights carved out.
15. Contact
Questions about this policy or Pim's data practices: Eric Erickson, privacy@trypim.com.
For security or vulnerability reports: see security-disclosure.md.
For California or EU rights requests, you may use the same email address; please indicate "Privacy Rights Request" in the subject.
Attribution
This policy was drafted using structural patterns common to industry SaaS privacy policies. Reference materials, all free and public:
- Cooley GO common form privacy policy (Cooley LLP, free): https://www.cooleygo.com/documents/
- Mozilla's privacy policy structure (CC-BY-SA, attribution noted here): https://www.mozilla.org/privacy/
- European Data Protection Board guidance on Article 13 / Article 14 notices: https://edpb.europa.eu/
No paid service's exact wording was copy-pasted.
Drafted 2026-05-25 by JIN, Wall-E sub-agent. Verified against Pim source code (entrypoints/background.ts, src/ai/embedder.ts) on the same date.