Privacy Policy

Last updated: 2026-04-17

This Privacy Policy describes what wednesday.bot ("we") collects, how we use it, who we share it with, and your rights. wednesday.bot is designed so that credentials never reach the language model, but the agent does read your mailbox contents to do its job — so this document matters. Read it.

1. What we collect

a. Mailbox credentials

When you connect a mailbox, we store the IMAP/SMTP host, port, username, and password you provide. The password is encrypted at rest using AES-256-GCM with a per-user data-encryption key, which is itself wrapped by a master key-encryption key stored outside the database. The language model never sees the password, host, or username — tool schemas sent to the model only include logical parameters like mailbox_id.

b. Conversations and prompts

Your prompts, assistant responses, and the sequence of tool calls in each conversation are stored in our database so you can revisit and resume conversations.

c. Mail content fetched during a task

When the agent executes a tool (e.g., fetch_message or download_attachment), the resulting content is included in the tool_result returned to the language model so it can reason about your task. Attachments you have the agent download are stored in a private Supabase Storage bucket scoped to your account.

d. Operational metadata

We collect standard server logs (timestamps, request paths, status codes), error reports, and aggregate usage metrics (credit consumption, task latency) for monitoring and debugging.

2. What the language model sees

  • Your conversation history (user messages + assistant responses) within a given conversation.
  • The declared schema of each tool (name, description, input parameters). It does not see credentials — those parameters are never exposed to it.
  • The result of each tool it invokes — this includes message headers, bodies, and attachment text for the specific messages you've asked it to work on.

The model does not see mailboxes or messages you haven't asked it to touch. Scope is driven by your prompt.

3. Third parties that receive your data

a. Anthropic (model provider)

Prompts and tool results are sent to Anthropic via their API to run the agent loop. They process the data to generate responses. Per Anthropic's commercial terms, data sent via API is not used to train their models.

b. Supabase (database, auth, storage)

Hosts the database (conversations, encrypted credentials, credit ledger), anonymous auth, and attachment storage.

c. Hosting provider (Railway)

Runs the Next.js website + Node API. Receives request logs as a normal operational byproduct.

d. Stripe (billing)

When billing goes live, Stripe will process payments. We do not store payment card details — Stripe does.

We do not sell your data. We do not use your email content for advertising.

4. Retention

  • Conversation history and encrypted mailbox credentials: retained until you delete them or delete your account. Clearing an anonymous browser session removes access for that client, but the server-side record persists for up to 30 days before hard deletion.
  • Attachments fetched by the agent: retained until you delete them or until the parent conversation is deleted.
  • Operational logs: retained up to 90 days.

5. Security

  • AES-256-GCM envelope encryption for IMAP/SMTP credentials.
  • Supabase Row-Level Security on every table — users can only read their own rows.
  • The Service's own API enforces user_id scoping on every query that touches user data.
  • All traffic between your browser and our servers is encrypted with TLS. All traffic between our server and your mail provider uses IMAP + STARTTLS or IMAPS / SMTPS.

No system is perfectly secure. If you discover a vulnerability, please report it at security@wednesday.bot.

6. Your rights

  • Delete data: disconnect a mailbox from /mailboxes to delete its encrypted credentials. Delete individual conversations from the sidebar. Request full account deletion via email.
  • Export data: email us for a data export. We'll provide your conversations + mailbox metadata in JSON.
  • EU / UK residents (GDPR, UK-GDPR): you have rights of access, rectification, erasure, portability, and objection. Contact us to exercise them.
  • California residents (CCPA): we do not sell your personal information. You have the right to know, delete, and opt out of any future sale of your data.

7. Children

wednesday.bot is not directed at children under 13. We don't knowingly collect data from them. If you believe we have, contact us and we'll delete it.

8. Changes

We may update this Policy. Material changes will be announced in-app or by email. Continued use after the effective date constitutes acceptance.

9. Contact

privacy@wednesday.bot