Pincer Privacy Policy

Effective date: 2026-04-22 Last updated: 2026-04-22 Version: 1.0

1. Who we are

Pincer is a product of ePlane, LLC, a California limited liability company ("ePlane," "we," "us," or "our"). Pincer is a governed autonomous email agent for macOS. Our mailing address and entity details are filed with the California Secretary of State.

For any privacy question, data access request, deletion request, or complaint, contact us at rohbotics@gmail.com. We respond to verified requests within 30 days.

2. Geographic scope

Pincer v1.0 is offered to residents of the United States only. The service is not intentionally made available to residents of the European Union, the United Kingdom, Canada, or other jurisdictions. If you access Pincer from outside the United States, you do so on your own initiative and are responsible for compliance with local law. We will update this policy with GDPR, UK GDPR, and PIPEDA disclosures when we expand to those markets.

3. What this policy covers

This policy describes what information Pincer collects, how we use it, who we share it with, how long we keep it, and what rights you have under the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, "CCPA/CPRA"). It applies to the Pincer macOS application, our backend API, and our website.

4. Summary (plain-English version)

Pincer reads the email messages in the inbox you connect, so that a large language model can draft replies for your review.
The agent never sends a message without your approval. Every outbound draft appears in an approval inbox that only you control.
Your email content is encrypted at rest using AES-256-GCM. Encryption keys live in the macOS Keychain on your device.
You can delete your account at any time from Settings. Deletion is irreversible and purges your data from our systems within 30 days.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
We use 11 sub-processors listed in Section 10. Your email content is processed by at most two of them (the LLM provider you connected and our infrastructure vendor).

5. Information we collect

5.1 Account information

When you create a Pincer account we collect your email address, your Apple ID (via StoreKit) if you subscribe to a paid tier, and the date you created the account.

5.2 Connected-channel content

When you connect a Gmail account or Telegram bot, Pincer receives message content from that channel so the agent can process it. Specifically:

Gmail: subject, body, thread history, sender and recipient addresses, attachments, and message metadata (timestamps, labels, message IDs). We receive this via the Gmail API under the scopes you grant in the OAuth consent screen.
Telegram: message text, sender username, chat ID, and message timestamps.

5.3 Agent session data

When the agent works on a task we store session state, including the plan the agent proposed, the drafts it produced, the approvals you issued, timestamps, and any feedback you recorded. This data is how the agent can resume work across sessions.

5.4 Contact allowlist

You configure which contacts the agent is allowed to act on. We store the names, email addresses, and trust tier (block / caution / allow) you assign to each contact.

5.5 Device and technical information

We collect your device's operating system version, the Pincer app version, an anonymous device identifier generated on first launch, your IP address when you make API requests, and Apple Push Notification service tokens if you enable notifications. We use this information to deliver notifications, diagnose errors, and maintain service quality.

5.6 Subscription and payment information

If you subscribe to Pincer Starter or Pro, Apple processes your payment through StoreKit and reports the transaction status to us. We do not receive your credit card, bank account, or payment-method details. We receive an anonymized transaction identifier, the tier you subscribed to, and the renewal status.

5.7 What we do not collect

We do not collect your full contact list from your device. We do not read messages in channels you have not explicitly connected. We do not access files on your device outside our own application container. We do not track your browsing across other apps or websites.

6. How we use information

We use the information above for the following purposes:

To provide the service. Drafting replies, coordinating multi-step workflows, rendering the approval inbox, synchronizing state between your device and our backend, delivering notifications.
To keep the service working. Diagnosing crashes, measuring latency, investigating security incidents, and maintaining the integrity of the agent engine.
To bill you. Reconciling Apple's subscription reports against your account status.
To communicate with you. Sending service-related emails such as subscription receipts, security notices, and material changes to this policy. We do not send marketing email to you without your explicit opt-in.

We do not use your connected-channel content to train any artificial intelligence model, our own or anyone else's. Content sent to LLM providers for drafting is subject to the no-training terms described in Section 10.

7. Gmail API compliance (Google Limited Use)

Pincer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Pincer does not:

Use Gmail data to develop, improve, or train generalized or non-personalized AI or machine-learning models.
Transfer Gmail data to third parties except as necessary to provide or improve the user-facing features of the Pincer app, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
Use Gmail data for serving advertisements of any kind.
Allow humans to read Gmail data, except with the affirmative agreement of the user (for example, for troubleshooting at your request), where required for security purposes such as investigating abuse, to comply with applicable law, or for Pincer's internal operations where the data has been aggregated and anonymized.

8. How we protect your information

Encryption at rest. Message content stored on our servers is encrypted using AES-256-GCM. Message content cached on your Mac is also encrypted using AES-256-GCM, with the data encryption key (DEK) wrapped by a master key stored in the macOS Keychain.
Encryption in transit. All network traffic between the Pincer app, our backend, and our sub-processors uses TLS 1.2 or higher.
Crypto-shredding on deletion. When you delete an account, we destroy the Keychain-wrapped key so that any residual ciphertext becomes unreadable. We then delete the ciphertext itself on a 30-day schedule.
Access controls. Access to production systems is restricted to personnel who need it for operations, logged, and multi-factor authenticated.
No human review by default. Pincer employees do not read user email content. Any human review requires your affirmative consent and happens only in response to a support ticket you file.

9. How long we keep information

Account information: for as long as your account is active, plus 90 days after account deletion for audit-log purposes, then permanently deleted.
Connected-channel content: encrypted on our servers for as long as the agent needs it to continue a task. You can purge content manually at any time from Settings. On account deletion, content becomes unreadable immediately (via crypto-shredding) and is deleted from disk within 30 days.
Agent session data: retained for as long as the related session is active, plus 180 days of session history, then permanently deleted.
Technical logs: 30 days.
Billing records: 7 years, as required by US tax law.

10. Sub-processors

Pincer uses the following sub-processors to deliver the service. Each is bound by a data-processing agreement appropriate to their role. The sub-processor list as of the effective date of this policy is below. A current list is maintained at the URL where this policy is hosted.

Infrastructure

Sub-processor	Purpose	Location
Fly.io	Application hosting, API, OpenClaw gateway runtime, Telegram webhook receiver	United States
Neon	Primary relational database (system of record)	United States
Cloudflare R2	Object storage for attachments and backups	United States
Upstash / Fly Redis (TBD — confirmed before publish)	Caching, session layer, ephemeral state	United States

LLM providers

Sub-processor	Purpose	Location
Anthropic	Generates draft replies and agent reasoning when the user selects a Claude model	United States
OpenAI	Generates draft replies and agent reasoning when the user selects an OpenAI model; BYOK supported	United States

Channels, identity, and platform

Sub-processor	Purpose	Location
Google LLC	Gmail OAuth and Gmail API (v1.0 primary email channel)	United States
Apple Inc.	StoreKit subscription billing and APNs push notifications	United States
Telegram FZ-LLC	Telegram Bot API; outbound Telegram messages transit Telegram infrastructure	United Arab Emirates

Web search (agent tool)

Sub-processor	Purpose	Location
Perplexity AI, Inc.	Primary web-search backend (Sonar API) when the agent performs research	United States
SerpAPI, LLC	Fallback web-search backend	United States

We will amend this policy to add or remove sub-processors as our infrastructure evolves. Material changes are announced in-app and by email.

11. How we share information

Beyond the sub-processors listed in Section 10, we share information only as follows:

With your affirmative direction — for example, when you instruct the agent to send a message through a connected channel.
When required by law — in response to a valid subpoena, court order, or legally binding request from a government authority. We review each request for validity and scope.
To protect rights or safety — if we have a good-faith belief that disclosure is necessary to investigate fraud, defend ePlane or its users, or prevent imminent harm.
In a corporate transaction — if ePlane is involved in a merger, acquisition, or asset sale, we will continue to protect your information and notify you before any transfer, giving you the option to delete your account first.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Under CCPA/CPRA, these statements are made deliberately and cover the preceding 12 months.

12. Your rights under CCPA/CPRA

If you are a California resident, you have the following rights regarding your personal information. Exercising these rights will never result in discrimination against you.

Right to know what personal information we have collected about you, the sources, the purposes, and the categories of recipients.
Right to access a copy of the personal information we hold about you, in a portable format.
Right to correct inaccurate personal information.
Right to delete your personal information, subject to narrow legal exceptions (for example, billing records we are required to keep).
Right to limit the use of sensitive personal information to purposes reasonably necessary to provide the service.
Right to opt out of sale or sharing — not applicable, because we do not sell or share your personal information.
Right to non-discrimination when exercising any of the above.

How to exercise your rights. Send a request to rohbotics@gmail.com. We will verify your identity before we act. We respond within 45 days, with one 45-day extension if the request is complex.

Authorized agents. You may designate an authorized agent to make a request on your behalf. We will require proof of your written permission and, separately, verification of your identity.

Appeals. If we deny a rights request, you may appeal by replying to the denial email. We will respond to the appeal within 45 days.

13. How to delete your account

Inside the Pincer app, open Settings → Privacy & Analytics → Delete Account. Confirm the prompt. Your account is marked for deletion immediately; your encryption keys are destroyed (rendering your content unreadable); and your data is purged from our systems within 30 days. Billing records required by US tax law are retained for 7 years in a separate, access-restricted archive.

If you cannot reach the in-app control (for example, your subscription has lapsed), email rohbotics@gmail.com with the subject "Delete Account" from the address on file.

14. Children

Pincer is not directed to children under 17. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it. If you believe a child has provided us personal information, contact rohbotics@gmail.com.

15. Changes to this policy

We may update this policy as the product evolves, new sub-processors are added, or the law changes. When we make a material change, we will notify you in-app and by email at least 14 days before the change takes effect. The "Last updated" date at the top of this policy always reflects the current version.

16. Contact

ePlane, LLC Attn: Privacy Email: rohbotics@gmail.com

For data rights requests (Section 12), include the subject line "CCPA Request" so we can route it correctly.

This document is Version 1.0 of the Pincer Privacy Policy. A public changelog of material revisions is maintained at the same URL.