Privacy Policy & Data Handling

Last updated: April 5, 2026 · Effective immediately

✗We never sell your data. Your memories, emails, goals, and notes are yours. We have no advertising business. Full stop.
✗We never train AI on your content. Your actual data is never fed into AI models — ours or anyone else's. Only fully stripped, unidentifiable pattern counts (e.g. "user had 40+ items") may be used, never your words.
✗We never write to your apps without permission. REM reads your apps to learn from them. It never sends emails, edits files, creates events, or modifies anything in a connected app unless you explicitly enable Write Mode and confirm the specific action.
✗We never share your data with third parties. Integration data never leaves our infrastructure except to generate your brief and automations. Your information is not visible to other users.
✗We never keep your data after you leave. Delete your account and everything is gone — memories, integration tokens, briefs, automations. No waiting period. No backups retained.

What data we access from your connected apps

When you connect an integration, REM requests read-only OAuth access to the specific data listed below. We request the minimum scope needed to do the job. We do not request permissions we don't use.

Google (Gmail + Calendar)

Scope: gmail.readonly · calendar.readonly

We read: Email subjects, senders, dates, and body text from your inbox (last 90 days by default). Calendar event titles, times, attendees, and descriptions.
We never: Send emails, reply to emails, create or modify calendar events, access Google Drive, or read emails in Spam/Trash.
Why we need it: To surface unanswered emails that relate to your goals, identify deadline patterns, and include your schedule context in your morning brief.

Notion

Scope: read_content

We read: Pages and databases you explicitly share with the REM integration during OAuth authorization.
We never: Read pages you haven't shared, create pages, edit content, or access your entire Notion workspace.
Why we need it: To connect your notes and project pages to your goals and find relevant cross-source patterns.

GitHub

Scope: repo:read · issues:read

We read: Commit messages, issue titles/descriptions, and PR summaries from repositories you authorize.
We never: Read source code files, push commits, create issues, or access private repositories you haven't authorized.
Why we need it: To track shipping momentum, surface stalled issues, and connect code work to your goals.

Slack

Scope: channels:history:read · im:history:read

We read: Messages in channels and DMs you authorize. Message text, sender, and timestamp only.
We never: Post messages, join channels without permission, read private channels you haven't authorized, or access file attachments.
Why we need it: To catch action items and deadlines buried in messages that relate to your goals.

Microsoft 365 (Outlook + Teams)

Scope: Mail.Read · Calendars.Read

We read: Email subjects, senders, and body. Calendar events. Teams message text in authorized channels.
We never: Send mail, create meetings, or access files in OneDrive/SharePoint.

Readwise

Scope: highlights:read

We read: Your saved highlights and notes — text, source title, and date.
We never: Modify your library, create highlights, or access your full articles.

Health & Fitness (Oura, Strava, Apple Health)

Scope: Read-only via each provider's health API

We read: Sleep score, HRV, activity summaries, and workout logs. Aggregated metrics only — no raw biometric streams.
We never: Write health data, access location data, or share health metrics with third parties.
Why we need it: To correlate sleep and energy patterns with productivity and goal progress in your brief.

Other integrations (Todoist, Linear, Spotify, Reddit, etc.)

We read: Tasks and completion status (Todoist, Linear), recently played tracks for context (Spotify), saved posts and upvotes (Reddit).
We never: Create or modify tasks, control playback, post or vote on content.

How integration tokens are stored

OAuth access tokens are stored encrypted in our database using AES-256 encryption. Refresh tokens are rotated on each use. Tokens are never logged, never included in error reports, and are only decrypted at the moment of a sync operation.

You can revoke any integration at any time from your Account Settings. When you disconnect an integration, the token is immediately deleted from our database and we make a best-effort call to the provider's revocation endpoint.

Write Mode

By default, REM is read-only across all connected apps. REM will never send a message, create a file, modify a calendar event, or take any action in a connected app without your explicit authorization.

If you enable Write Mode in Account Settings, REM may suggest automations that involve writing — for example, drafting an email reply or creating a task. Every write action requires your explicit confirmation before it executes. Write Mode can be disabled at any time and takes effect immediately.

The Dream Engine and your data

The Dream Engine is REM's synthesis system. When it runs, it reads your connected app data and your saved memories, sends them to a large language model (OpenAI GPT-4.1 or Anthropic Claude) for analysis, and returns structured output. This data is sent over an encrypted connection and is not retained by the model provider beyond the immediate request.

We use OpenAI and Anthropic under their API terms, which prohibit using API inputs for model training. Your data sent during Dream Engine runs is not used to train their models.

Data minimization

We fetch only what is needed for each sync cycle. For email, we fetch subjects, senders, and body previews — not full attachment data. For calendar, we fetch event metadata — not video call links or meeting notes unless you have a note-taking integration connected. We apply recency filters (typically 90 days) to avoid processing stale data.

Data storage and security

Your data is stored on Railway's infrastructure (US region). All data in transit uses TLS 1.2+. Database data is encrypted at rest. We implement rate limiting, API key authentication, and access controls. We conduct regular reviews of our security posture.

In the event of a data breach that affects your personal data, we will notify you by email within 72 hours of discovery.

Cookies and sessions

We use HTTP-only session cookies to keep you logged in. These cookies cannot be accessed by JavaScript. We do not use tracking cookies, advertising pixels, or analytics that follow you across other websites. Our only analytics are aggregate, cookieless page view counts.

Data retention

We retain your account data for as long as your account is active. Integration tokens are refreshed automatically and deleted when you disconnect. Dream Engine results are stored for 90 days by default and can be cleared from your account settings. To delete your account and all associated data, contact privacy@remlabs.ai or use the delete option in Account Settings.

Your rights (GDPR / CCPA)

Regardless of where you live, you have the right to:

Access — request a full export of your data
Correction — correct inaccurate personal data
Deletion — delete individual memories or your entire account
Portability — export your memories and briefs in JSON format
Objection — opt out of any processing you disagree with
Restriction — limit processing while a dispute is resolved

To exercise any of these rights, email privacy@remlabs.ai. We respond within 48 hours and fulfill requests within 30 days.

Children

REM Labs is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately at privacy@remlabs.ai.

Changes to this policy

We may update this Privacy Policy from time to time. For significant changes, we will notify you by email and post a notice in the app at least 14 days before the change takes effect. Your continued use after that date constitutes acceptance of the updated policy.

Privacy questions

Have a question about how we handle your data? Want to export or delete your account? We're a small team and we respond personally — not with a ticket system.

privacy@remlabs.ai dev@remlabs.ai

We respond within 48 hours. For account deletion requests, include the email address on your account.