Privacy Policy

Effective: 21 April 2026

PaceMaker (“the Service”) is a personal productivity tool that collects scheduling and commitment signals from the communication channels you choose to connect, and surfaces them in a triage queue so you can route them to Google Calendar or elsewhere. This policy explains what the Service does with your data.

Who operates the Service

The Service is operated by the individual contactable at karo.bonas@gmail.com. It is currently offered to a single authorised user (the account owner). It is not a multi-tenant product.

What data the Service processes

  • Google OAuth tokens. If you connect a Google account, the Service stores an access token and refresh token encrypted with AES-256-GCM at rest. The Service requests the minimum scope required for each feature (e.g. gmail.readonly for Gmail polling).
  • Email content from connected inboxes. For each polled message, the Service fetches headers (From, Subject, Date, Message-ID) and the plaintext body (or a plaintext rendering of the HTML body). Only messages received after you connected the account are fetched; chats and spam are excluded.
  • Extracted captures. Message text is sent to Anthropic’s Claude model (via Vercel AI Gateway) for extraction of hard events, your commitments, and commitments made to you. The structured result is stored in the Service’s database alongside a snippet of the source text for your review.
  • Pasted content. Any text you paste into the Ingest page is processed the same way as email bodies.
  • Session data. A signed, HTTP-only cookie records that you have entered the shared passcode. No profile, password, or biometric data is collected.
  • Operational logs. Vercel records request metadata (IP address, timestamps, status codes) for infrastructure operation. The Service does not operate its own analytics, ad, or tracking pixels.

How Google user data is used

The Service’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Gmail message content is used only to extract scheduling and commitment signals for display to you in the triage queue.
  • Gmail message content is not used to train machine-learning models, serve advertising, or enrich any third-party profile.
  • Gmail message content is not shared with any party other than the sub-processors listed below, and only for the purpose of providing the Service to you.
  • No human reads your Gmail content except you. The operator does not access the database contents except to diagnose issues you report.

Sub-processors

  • Vercel Inc. — application hosting and AI Gateway routing.
  • Neon, Inc. — managed PostgreSQL database (primary data store).
  • Anthropic PBC — language-model inference for capture extraction (accessed via Vercel AI Gateway; Anthropic’s commercial API does not retain prompts or completions for training).
  • Google LLC — OAuth, Gmail API, and (when connected) Google Calendar API.
  • Resend, Inc. — transactional email delivery (only if the morning digest feature is enabled).

Retention

OAuth tokens, captures, and audit records are retained for as long as you use the Service. You may disconnect a provider at any time from the Settings page; disconnection immediately deletes the stored OAuth tokens and poll state, and attempts to revoke the grant with the provider. Captures derived from that provider remain in the database so your triage history is preserved; you may delete them individually.

Your rights

You may access, export, correct, or delete any data held by the Service at any time. Requests should be sent to karo.bonas@gmail.com. Because the Service currently serves a single authorised user, most of these rights are exercised directly in the application.

Security

  • All traffic is served over HTTPS.
  • OAuth tokens are encrypted at rest using AES-256-GCM with a key held only in environment variables.
  • Session cookies are HTTP-only, Secure (in production), SameSite=Lax.
  • OAuth flows use PKCE (RFC 7636) to prevent authorisation-code interception.
  • Access to the application is gated by a shared passcode held only by the account owner.

Children’s data

The Service is not directed at, and may not be used by, children under 13 (or the equivalent minimum age in your jurisdiction).

Changes to this policy

Material changes will be reflected by updating the effective date above. The current version is always available at this URL.

Contact

Questions or requests: karo.bonas@gmail.com.