Privacy Policy

Last updated: March 28, 2026

Gonga Inc. ("Gonga", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Gonga platform and related services (the "Service").

1. Information We Collect

1.1 Information You Provide

Account Information: Name, email address, organization name, and role when you create an account
Business Data: Documents, projects, contacts, financial records, and other data you upload or create within the Service
Communications: Messages you send through the chat interface and feedback you provide

1.2 Information from Third-Party Integrations

When you connect third-party services (such as QuickBooks Online, Gmail, Google Drive, Shopify, or Lightspeed), we collect data from those services that you authorize us to access. This may include:

Financial data (invoices, bills, payments, accounts) from accounting software
Email content (subject lines, body text, and attachments) from Gmail
Email metadata (sender, recipients, timestamps, labels, and thread IDs) from Gmail
Drafts composed within Gonga using your Gmail account
Contact names, email addresses, and phone numbers from Google Contacts
"Other contacts" (people you have interacted with but not explicitly saved) from Google Contacts
Files and documents from Google Drive
Product and order data from e-commerce platforms

We only access the data necessary to provide the features you use. You can disconnect any integration at any time, and we will stop collecting new data from that service.

1.3 Information Collected Automatically

Usage Data: How you interact with the Service, including features used and actions taken
Device Information: Browser type, operating system, and device identifiers
Log Data: IP address, access times, and pages viewed

2. How We Use Your Information

We use your information to:

Provide, maintain, and improve the Service
Process your requests and deliver AI-powered insights and assistance
Facilitate third-party integrations you have authorized
Send you important updates about the Service
Ensure the security and integrity of the Service
Comply with legal obligations

3. Data Isolation and Security

We implement a per-customer infrastructure isolation model. Each customer organization receives dedicated compute and storage resources, ensuring complete data isolation at the infrastructure level. Your data is never commingled with other customers' data.

We employ industry-standard security measures, including encryption in transit (TLS) and at rest, access controls, and regular security audits to protect your information.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

Service Providers: With trusted third-party vendors who assist us in operating the Service (e.g., cloud infrastructure, authentication), bound by confidentiality obligations
AI Processing: Your data may be processed by AI models (such as Anthropic's Claude) to provide the Service's features. This processing is done under strict data processing agreements that prohibit the AI provider from using your data for model training or fine-tuning. Google user data sent to AI providers is used solely for real-time inference to generate responses and is not retained by the AI provider after processing
Legal Requirements: When required by law, regulation, legal process, or governmental request
Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
With Your Consent: When you have given explicit permission

We do not use your data — including data obtained from third-party integrations — for advertising, retargeting, or serving personalized ads. We do not use your data to make credit-worthiness or lending determinations. We do not sell your data to data brokers or information resellers.

5. Google API Services — User Data Policy

This section describes how Gonga accesses, uses, stores, and shares data obtained through Google API Services. It applies to all information received from Google APIs, including data from Gmail, Google Contacts, and Google Drive.

5.1 Scopes and Justification

Gonga requests the following Google OAuth scopes:

Scope	Purpose
gmail.modify	Read, compose, send, archive, label, and trash emails on the user's behalf within Gonga
userinfo.email	Identify the user's Google account email for authentication and account linking
contacts.readonly	Read the user's saved contacts for autocomplete when composing emails within Gonga
contacts.other.readonly	Read "other contacts" (people the user has interacted with) for more comprehensive autocomplete

5.2 How Gonga Accesses Google Data

Gonga accesses Google user data in real time when you use Google-connected features within the Service (e.g., viewing your inbox, sending an email, or looking up a contact). There is no background bulk synchronization or batch downloading of your Google data.

5.3 How Gonga Uses Google Data

Google user data is used exclusively to provide the following user-facing features:

Displaying your Gmail inbox and message content within Gonga
Sending, replying to, and drafting emails on your behalf
Applying labels, archiving, and trashing emails as you direct
Autocompleting contact names and email addresses when composing messages
Generating AI-assisted email summaries, suggested replies, and action items from your email content

5.4 How Gonga Stores Google Data

Email metadata (subject, sender, date, labels, thread IDs) is cached in your isolated workspace to enable inbox display and search
Email body content is fetched on demand from the Gmail API when you open a message and is not persisted in Gonga's storage
Contacts are fetched in real time from the Google People API and are not stored locally
Encryption: All cached data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher
Isolation: Each customer workspace is fully isolated — Google data from one organization is never accessible to another

5.5 How Gonga Shares Google Data

Google user data may be shared only with the following categories of recipients, and only as necessary to provide user-facing features:

Anthropic (AI inference): Email content is sent to Anthropic's Claude API for real-time summarization and reply generation. Anthropic's Data Processing Agreement prohibits retention or use of this data for model training
Cloud infrastructure providers: Data is stored on infrastructure providers bound by data processing agreements and industry-standard security certifications

Gonga does not share Google user data with:

Advertisers, ad networks, or retargeting platforms
Data brokers or information resellers
Credit reporting agencies or lending institutions
Any third party for purposes unrelated to providing the Service

5.6 AI Processing and Limited Use

When you use AI-powered features (such as email summaries or suggested replies), the relevant email content is sent to Anthropic's Claude API for real-time inference. Anthropic is contractually prohibited from retaining, logging, or using this data to train or fine-tune any machine-learning model. No sub-processor of Gonga uses Google user data for AI/ML model training or improvement.

5.7 Limited Use Disclosure

Gonga's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5.8 Data Transfer Restrictions

Google user data is transferred to third parties only when:

It is necessary to provide or improve user-facing features that are visible to the user
It is necessary to comply with applicable law
It is part of a merger, acquisition, or asset sale, provided that the acquiring entity agrees to the same data protection commitments, and users are notified in advance

All transfers are protected by TLS 1.2 or higher in transit. For international data transfers, Gonga relies on Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.

5.9 Revoking Google Access

You can revoke Gonga's access to your Google account at any time using either of the following methods:

In-app: Go to Settings > Integrations > Google > Disconnect
Google account: Visit https://myaccount.google.com/permissions and remove Gonga from the list of authorized apps

Upon revocation, Gonga will immediately stop accessing your Google data. Any cached metadata will be purged from our systems within 30 days.

6. Third-Party Integrations

The Service integrates with third-party platforms. When you authorize an integration, data flows between Gonga and the third-party service. Each third-party service has its own privacy policy, and we encourage you to review those policies. Gonga is not responsible for the privacy practices of third-party services.

OAuth tokens and credentials for third-party services are stored securely and used only to maintain your authorized connections. You can revoke access at any time through the Service or through the third-party service's settings.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account termination, we will delete or anonymize your data within a reasonable period, unless retention is required by law. You may request deletion of your data at any time by contacting us.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you
Request correction of inaccurate information
Request deletion of your personal information
Object to or restrict certain processing of your data
Request portability of your data
Withdraw consent for data processing

To exercise any of these rights, please contact us at support@gonga.ai.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it.

10. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service or by email. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@gonga.ai
Website: gonga.ai