Pincer — Gmail API Limited Use Disclosure

For CASA (Cloud App Security Assessment) submission and Google OAuth verification.

Publish this paragraph verbatim on a page accessible from the Pincer website footer (same page as, or adjacent to, the privacy policy). Google's verification reviewers search for this exact language.

Required disclosure (publish this verbatim)

Pincer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Pincer's access to, and use of, Google user data is limited to providing or improving user-facing features of the Pincer application that are prominent from the requesting application's user interface. Pincer does not:

• use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models;
• transfer Google user data to third parties except as necessary to provide or improve user-facing features of the Pincer application, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior user notice;
• use Google user data for serving advertisements; or
• allow humans to read Google user data, except with the affirmative agreement of specific users for support (addressing a support ticket you have filed), where required by law, for security purposes such as investigating abuse, or for internal operations using data that has been aggregated and anonymized.

Scopes Pincer requests

No other Google API scopes are requested.

Where Gmail data is processed

1. User device (macOS) — Pincer app caches messages in an AES-256-GCM-encrypted local SQLite store; encryption key lives in macOS Keychain.
2. Pincer backend (Fly.io, US region) — encrypted message content passes through the backend for LLM drafting and approval-state tracking.
3. LLM provider — the provider the user selected (Anthropic or OpenAI) receives message content for the duration of a draft generation request. Both providers have executed DPAs with Pincer that prohibit training on user data. BYOK is supported; in BYOK mode the user's own API key is used and the user's contract with the provider governs.

No other third party (including web search providers, analytics, crash reporting) receives Gmail data under any circumstance.

Data retention specific to Gmail data

• On user device: cached for the active session; purgeable from Settings.
• On Pincer servers: retained encrypted for as long as the agent needs it to continue a task. User may purge any time from Settings. On account deletion, the Keychain-wrapped key is destroyed (crypto-shredding) and ciphertext is removed within 30 days.
• At LLM provider: subject to the provider's zero-retention API configuration. Anthropic: no retention on the API. OpenAI: API data is not used for training and is retained for 30 days for abuse monitoring only.

Human access

No Pincer employee or contractor reads Gmail content as part of normal operations. Human access occurs only in the following cases, each logged and auditable:

1. The user files a support ticket and affirmatively consents to access for that specific issue.
2. Investigation of security abuse affecting Pincer infrastructure, limited to the minimum data necessary.
3. Legal compulsion (subpoena or court order), reviewed for validity and scope before compliance.

Contact for Google verification reviewers

For questions about Pincer's Gmail API usage, verification reviewers should contact rohbotics@gmail.com (subject: "Google API Verification"). We respond within 3 business days.

Page URL at which this disclosure is published

https://pincer-dzh.pages.dev/gmail-api-disclosure (final custom domain will be updated before submission)