Point Privacy Policy
Version: 1.0
Effective date: July 7, 2026
Entity: Advanced Mail Solutions, Inc., a Delaware corporation, DBA “Point”, with primary offices in California.
Privacy contact: privacy@getpoint.ai
Website: getpoint.ai
This Privacy Policy explains how Point (“Point,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects personal information.
1. Scope
This Policy applies to personal information we process when we act as a controller or business, including in connection with:
- Point websites, landing pages, blogs, and online properties;
- Point web, desktop, mobile, and other client applications;
- direct individual accounts;
- account registration, authentication, billing, support, security, sales, marketing, events, and business operations;
- connected-account authorization and account administration;
- use of the Services by Individual Customers; and
- personal information relating to representatives of prospects, customers, suppliers, partners, and other business contacts.
For Organization Customers, the organization may be the controller or business for Customer Content processed in the Services. In that case, Point generally acts as a processor, service provider, contractor, or similar role under the Agreement and Data Processing Addendum. If you use Point through an organization, direct privacy requests about Customer Content to that organization unless Point tells you otherwise.
This Policy does not apply to third-party websites, services, providers, app stores, email providers, calendar providers, or integrations that have their own privacy notices.
2. Summary
Point is designed to help users manage professional communication, email, calendar, tasks, search, summaries, scheduling, and automation. To provide these features, Point may process communications and connected-account data that users authorize, including email and calendar content.
Point may use Google as Point’s initial advertising, analytics, measurement, attribution, and retargeting technology vendor on public websites, marketing pages, and other non-authenticated or marketing properties where lawful. Point does not sell Customer Content, does not use Customer Content or connected-account content for cross-context behavioral advertising or retargeting, and does not use Customer Content to train generalized third-party large language models unless you expressly authorize it. Point may use Google advertising and retargeting technologies for website, app, and marketing measurement as described in this Policy, but not using Customer Content.
3. Personal information we collect
The information we collect depends on how you interact with Point.
3.1 Identity and contact information
Examples include name, email address, phone number, job title, employer, organization, role, avatar, country, and business contact details.
3.2 Account and authentication information
Examples include usernames, account IDs, organization IDs, user IDs, roles, admin status, login events, session data, authentication method, email verification status, security settings, device identifiers, and access logs.
3.3 Connected-account information
If you connect an email, calendar, identity, messaging, or other third-party account, we may collect provider account IDs, email addresses, OAuth tokens or token references, scopes, authorization status, sync state, provider metadata, folder or label metadata, and related account information.
3.4 Communications and content
Depending on your settings and Connected Accounts, Point may process:
- emails, messages, threads, recipients, senders, headers, metadata, attachments, files, and folders;
- calendar events, invitations, availability, RSVPs, reminders, participants, meeting links, and scheduling pages;
- contacts, identities, relationships, circles, labels, and organization membership;
- tasks, reminders, watch tasks, follow-up rules, notes, and activity logs;
- drafts, replies, notifications, automation actions, and audit records;
- search queries, search indexes, embeddings, summaries, points, generated titles, generated descriptions, and other AI Output;
- prompts, instructions, preferences, memory/imprints, autonomy settings, and style settings;
- voice audio, voice transcripts, and voice-session data when you use voice mode; and
- support messages, feedback, call notes, chat messages, and related correspondence.
3.5 Device, usage, and technical information
Examples include IP address, device type, operating system, browser, app version, language, timezone, approximate location derived from IP address, pages or screens viewed, referral source, event logs, performance data, crash reports, cookies, similar identifiers, advertising identifiers, campaign identifiers, and diagnostic data.
3.6 Billing and transaction information
Examples include billing name, billing address, payment method details handled by our payment processor, invoice details, tax information, subscription plan, purchase history, payment status, renewal status, and account credits.
3.7 Sales, marketing, and relationship information
Examples include communications preferences, marketing interactions, event attendance, lead source, demo requests, trial participation, survey responses, customer relationship records, Google advertising-cookie choices, retargeting audiences, conversion events, Customer Match or audience-exclusion records if enabled, campaign attribution, and lawful opt-out or suppression records.
3.8 Security and compliance information
Examples include authentication logs, security events, audit logs, abuse reports, rate-limit events, fraud indicators, sanctions or export screening results, suspected policy violations, quarantine and flagging records, and other information used to protect Point, users, customers, and third parties.
3.9 Inferences and derived information
Point may derive information to provide the Services, such as message priority, urgency, summaries, points, labels, circles, suggested tasks, reminders, scheduling suggestions, style preferences, relationship importance, and activity recommendations.
3.10 Sensitive personal information
Point does not require sensitive personal information to create an account. However, emails, messages, files, calendar events, or other Customer Content may contain sensitive personal information if users or their contacts include it.
Sensitive personal information may include account credentials or tokens, communications content, financial information, tax-related content, health-related references, precise meeting locations, government identifiers, or other sensitive content. Point uses sensitive personal information only to provide and secure the Services, comply with law, and for other permitted purposes described in this Policy.
4. Sources of personal information
Point may collect personal information:
- directly from you;
- from your organization, workspace admins, or other users;
- from Connected Accounts you authorize;
- from third-party providers, such as email, calendar, identity, payment, security, analytics, support, communications, and hosting providers;
- from recipients, senders, participants, contacts, customers, suppliers, and other people who communicate with you or your organization;
- from your use of the Services;
- from publicly available business sources, professional networking platforms, and corporate directories;
- from app stores and device platforms; and
- from legal, compliance, fraud-prevention, or security sources.
5. Purposes of processing
Point may process personal information to:
- provide, operate, maintain, and improve the Services;
- create, authenticate, secure, administer, and support accounts;
- connect, sync, search, summarize, prioritize, and organize email, messages, calendar, tasks, contacts, and related content;
- generate AI Output, drafts, summaries, points, tasks, scheduling proposals, labels, circles, notifications, and other user-facing features;
- enable automations, autonomy settings, review flows, approvals, undo functions, and activity logs;
- provide semantic search and indexing;
- send, receive, classify, and route communications where authorized;
- schedule meetings, manage availability, send scheduling links, and process RSVPs;
- provide customer support and respond to requests;
- process payments, subscriptions, renewals, taxes, invoicing, and account administration;
- communicate about accounts, security, transactions, service updates, product changes, and legal notices;
- personalize the Services based on settings, preferences, and usage;
- measure, debug, analyze, and improve reliability, security, performance, and user experience;
- detect, investigate, prevent, and respond to spam, fraud, abuse, security incidents, prompt-injection attempts, unauthorized access, and unlawful activity;
- enforce terms, policies, and legal rights;
- comply with legal, regulatory, tax, accounting, audit, sanctions, export, and recordkeeping obligations;
- conduct business-to-business sales and marketing where lawful;
- measure advertising effectiveness, attribute campaigns, build or exclude marketing audiences, and conduct retargeting or targeted advertising where lawful and subject to required choices; and
- carry out mergers, acquisitions, financing, reorganization, or similar business transactions.
6. AI, connected-account data, and advertising limits
6.1 User-facing use
Point uses connected-account data and Customer Content to provide user-facing features requested or enabled by users, such as inbox organization, summarization, task extraction, semantic search, scheduling, drafting, notifications, and automation.
6.2 No sale of Customer Content
Point does not sell Customer Content.
6.3 Advertising and retargeting limits
Point may use advertising, analytics, measurement, attribution, and retargeting cookies or similar technologies on public websites, landing pages, blogs, marketing pages, and other non-authenticated or marketing properties where lawful. Point may use website activity, cookie identifiers, advertising identifiers, device data, approximate location, referral source, campaign data, conversion events, and business contact information for marketing measurement, attribution, audience creation, audience exclusion, retargeting, and cross-context behavioral advertising where permitted by law.
Point does not use Customer Content, connected email content, connected calendar content, message content, files, attachments, prompts, AI Output, search indexes, embeddings, summaries, points, OAuth tokens, or Google/Microsoft API data for cross-context behavioral advertising, targeted advertising, retargeting, Customer Match, enhanced conversions, advertising measurement, or advertising profile creation.
6.4 Google advertising technology
Point’s initial advertising technology vendor is Google. Depending on the property, campaign, geography, and Point configuration, Point may use Google LLC, Google Ireland Limited, or another applicable Google affiliate, and Google advertising or measurement products such as Google Ads, Google Analytics, Google Tag, Google Tag Manager, Google Ads conversion tracking, remarketing tags, Enhanced Conversions, Customer Match, Campaign Manager, Display & Video 360, Search Ads 360, or comparable Google advertising and measurement services.
For these Google advertising and measurement activities, Point may disclose or make available public website or marketing-property activity, URL and referral information, IP address, approximate location, device and browser information, cookie or similar identifiers, advertising identifiers, campaign identifiers, conversion events, demo or trial status, plan or purchase events, hashed business contact information, and opt-out, suppression, or audience-exclusion records.
Point will not disclose Customer Content, connected-account data, Google API data, Microsoft connected-account data, prompts, AI Output, search indexes, embeddings, summaries, points, OAuth tokens, message content, email content, calendar content, files, or attachments to Google for advertising, retargeting, Customer Match, enhanced conversions, audience building, or advertising profile creation.
If Point uses Customer Match, Enhanced Conversions, or similar Google audience or conversion products, Point will use only Point-controlled sales, account, lead, trial, billing, or marketing relationship data for which Point has determined it has appropriate rights, notices, consent where required, and opt-out handling. Point will not build Google advertising audiences from Customer Content or connected-account data.
Google’s privacy role may vary by product and configuration. For some advertising and measurement activities, Google may act as an independent controller or controller-controller partner. For certain analytics, measurement, or restricted-data-processing configurations, Google may act as a processor, service provider, or similar restricted role. Point will configure consent, restricted data processing, ads personalization, retention, redaction, and regional settings where Point determines they are required or appropriate, and Point will treat disclosures to Google as sale, sharing, targeted advertising, or profiling where applicable law requires.
6.5 Model training
Point does not use Customer Content to train generalized third-party large language models or generalized foundation models unless you expressly authorize it. Point may use Customer Content to provide and improve the Services for you or your organization, including improving user-facing features, safety, security, reliability, and quality.
6.6 Google API Limited Use statement
Point’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Point does not use Google API data for advertising, retargeting, sale, or sharing, and does not transfer Google API data except as necessary to provide or improve user-facing Services, comply with law, secure the Services, or as otherwise permitted by Google’s applicable policies and user authorization. This restriction applies even though Point separately uses Google advertising and measurement services on public marketing properties: Google API user data from Gmail, Google Calendar, Google Sign-In, Google OAuth, Google Workspace APIs, or related Connected Account integrations is not sent to Google adtech services for advertising, retargeting, Customer Match, Enhanced Conversions, audience creation, or advertising measurement.
6.7 Microsoft connected-account data
Point uses Microsoft Graph, Microsoft 365, Outlook, Microsoft Entra ID, and related Microsoft connected-account data only to provide and improve user-facing Services, operate and secure the Services, comply with law, and act on user or Customer instructions. Point does not use Microsoft connected-account data for advertising, retargeting, sale, or sharing.
6.8 Human access
Point limits human access to Customer Content to circumstances such as providing support at your request, security and abuse investigation, legal compliance, troubleshooting, service operation, or with your consent.
7. Legal bases for EEA, UK, and similar laws
Where GDPR, UK GDPR, or similar laws apply, Point relies on one or more of the following legal bases:
- Contract. To provide the Services, administer accounts, process payments, provide support, and take steps requested before entering a contract.
- Legitimate interests. To operate, secure, improve, and market our business; prevent fraud and abuse; communicate with business contacts; maintain records; and enforce rights, where those interests are not overridden by applicable rights and interests.
- Consent. Where required, such as for non-essential cookies, advertising or retargeting technologies, marketing communications, optional integrations, or optional processing.
- Legal obligations. To comply with tax, accounting, sanctions, regulatory, privacy, consumer-protection, security, and other legal obligations.
- Vital interests or public interest. Rarely, where necessary under applicable law.
You may withdraw consent where processing is based on consent, without affecting processing that occurred before withdrawal.
8. How we disclose personal information
Point may disclose personal information to:
- Affiliates for the purposes described in this Policy;
- service providers and processors that provide hosting, cloud infrastructure, storage, AI processing, embeddings, email and calendar integration, token storage, security, logging, monitoring, analytics, customer support, communications, payments, billing, accounting, and related services;
- advertising, retargeting, marketing, analytics, and measurement partners, including Google advertising and measurement services where enabled, where lawful and subject to required choices;
- third-party providers you authorize, such as email, calendar, identity, messaging, or app-store providers;
- organization admins and other users according to workspace settings, roles, and permissions;
- professional advisers, including legal, accounting, audit, tax, insurance, and compliance advisers;
- payment processors and financial institutions;
- business partners where relevant to the relationship and lawful;
- government, regulatory, judicial, law-enforcement, or supervisory authorities where required or appropriate under law;
- counterparties in business transactions, such as actual or prospective acquirers, investors, lenders, or transferees in a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections; and
- others with your direction or consent.
Point does not disclose personal information except as described in this Policy, the Agreement, or as permitted or required by law.
9. International transfers
Point is based in the United States, and personal information may be processed in the United States and other countries where Point, its Affiliates, or service providers operate.
Where required, Point uses appropriate transfer mechanisms and safeguards, such as adequacy decisions, standard contractual clauses, the UK Addendum, the UK International Data Transfer Agreement, Swiss transfer safeguards, and supplementary measures.
For Organization Customers where Point acts as processor, international transfers are governed by the Agreement and Data Processing Addendum.
10. Retention
Point retains personal information only for as long as reasonably necessary for the purposes described in this Policy, including providing the Services, account administration, security, legal compliance, tax and accounting, dispute resolution, and enforcement.
Retention periods vary depending on the type of information, user settings, Customer instructions, legal requirements, and technical constraints.
| Category | Typical retention approach |
|---|---|
| Account profile and authentication records | For the life of the account, then for a reasonable period needed for security, legal, and backup purposes. |
| Customer Content in active accounts | For as long as the account or workspace is active, unless deleted earlier by users, settings, or Customer instructions. |
| Deleted Customer Content | Deleted from active systems within a reasonable period; backups may persist until overwritten under backup cycles. |
| Connected-account tokens | Until the account is disconnected, authorization expires, the account is deleted, or retention is required for security or legal reasons. |
| Search indexes, embeddings, summaries, points, and derived service data | Generally retained while the related Customer Content or account is retained, unless separated for security, legal, or de-identified analytics. |
| Billing, tax, and transaction records | As needed for tax, accounting, audit, and legal obligations, often up to seven years or longer if required. |
| Security, fraud, audit, and system logs | As needed to protect the Services, investigate issues, and comply with law. |
| Marketing, advertising, and retargeting records | Until you opt out, withdraw consent where applicable, or the information is no longer needed, with suppression records retained to honor opt-outs. |
| Support communications | As needed to provide support, improve services, resolve disputes, and comply with law. |
For Organization Customer processor data, retention and deletion may be governed by the Agreement, Data Processing Addendum, Service Documentation, and Customer instructions.
11. Security
Point uses administrative, technical, and organizational measures appropriate to the nature of the data and risks involved. These may include encryption in transit and at rest where supported, access controls, least privilege, logging, monitoring, vulnerability management, incident response, backups, credential controls, token handling controls, prompt-injection defenses, quarantine workflows, and human-access limitations.
No method of transmission, storage, or processing is completely secure, and Point cannot guarantee absolute security.
12. Your choices and rights
Depending on where you live and how you use Point, you may have rights to:
- access personal information;
- receive a copy of personal information;
- correct inaccurate personal information;
- delete personal information;
- restrict or object to processing;
- opt out of sale, sharing, targeted advertising, or certain profiling;
- limit use and disclosure of sensitive personal information;
- withdraw consent where processing is based on consent;
- appeal a denied privacy request where applicable; and
- lodge a complaint with a data protection authority.
To make a request, contact privacy@getpoint.ai or use any request method made available in the Services.
We may need to verify your identity and authority before responding. Authorized agents may submit requests where permitted by law and after verification.
If your request relates to Customer Content controlled by an Organization Customer, we may direct you to that organization.
13. California Notice at Collection and state privacy disclosures
This Section applies to California residents and, where similar laws apply, residents of other U.S. states.
13.1 Categories collected, purposes, and retention
| Category | Examples | Purposes | Retention |
|---|---|---|---|
| Identifiers | Name, email, account ID, IP address, device identifiers, provider account IDs, cookie identifiers, advertising identifiers | Account creation, authentication, support, security, communications, billing, analytics, advertising, retargeting, and campaign measurement | As described in Section 10 |
| California Customer Records information | Contact details, billing information, account information | Billing, subscriptions, customer administration, support, sales, and marketing | As described in Section 10 |
| Commercial information | Plan, purchases, renewals, invoices, trial status, usage records | Billing, subscriptions, service administration, analytics, advertising, retargeting, and campaign measurement | As described in Section 10 |
| Internet or electronic network activity | Device data, usage logs, pages/screens viewed, diagnostics, cookies, referral source, campaign identifiers | Security, operations, analytics, debugging, improvement, advertising, retargeting, and campaign measurement | As described in Section 10 |
| Geolocation data | Approximate location from IP address; timezone | Security, localization, timezone-aware scheduling | As described in Section 10 |
| Audio, electronic, visual, or similar information | Messages, emails, files, attachments, support communications, and, when voice mode is used, voice audio (including raw voice audio streamed to Point’s AI voice provider during voice sessions) and voice transcripts | Providing Services, support, automation, security | As described in Section 10 |
| Professional or employment-related information | Employer, title, business role, organization membership | Account administration, business relationship management, workspace features | As described in Section 10 |
| Inferences | Preferences, priorities, relationship importance, summaries, labels, circles, style settings, marketing segments inferred from non-Customer-Content activity | Personalization, triage, automation, user-facing features, sales, advertising, and marketing where lawful | As described in Section 10 |
| Sensitive personal information | Account credentials or tokens, contents of communications, precise details included in Customer Content, security logs | Providing and securing Services, legal compliance, customer-authorized processing | As described in Section 10 |
13.2 Sale, sharing, targeted advertising, and retargeting
Point does not sell Customer Content and does not use Customer Content for cross-context behavioral advertising, targeted advertising, or retargeting.
Point may disclose identifiers, internet or electronic network activity, commercial information, and related inferences to advertising, analytics, and retargeting partners, including Google where enabled, for cross-context behavioral advertising, targeted advertising, retargeting, campaign attribution, frequency capping, audience creation, audience exclusion, Customer Match or similar audience products, enhanced conversions, and measurement. Some privacy laws may treat these disclosures as “sharing,” “targeted advertising,” or “sale” even if no money is exchanged.
Where required, Point will provide a “Do Not Sell or Share My Personal Information” or comparable opt-out method, cookie settings, and legally required opt-out preference signal handling. Point will configure Google tags, consent mode, restricted data processing, ads personalization, or comparable Google privacy controls to reflect legally required choices where supported and applicable. Opting out of sale, sharing, targeted advertising, or retargeting does not opt you out of service, transactional, security, or non-targeted contextual communications.
13.3 Sensitive personal information
Point does not use or disclose sensitive personal information to infer characteristics about you, or for advertising or retargeting, unless Point provides the required right to limit and other legally required notices or controls.
13.4 Rights
California residents may have rights to know, access, correct, delete, obtain a copy of, opt out of sale or sharing, limit sensitive personal information, and be free from discrimination for exercising rights.
13.5 Global Privacy Control
Where required by law, Point will honor browser-based opt-out preference signals, such as Global Privacy Control, for the browser or device that sends the signal. If Point processes such a signal on a public website or marketing property, Point will treat it as an opt-out of sale, sharing, and targeted advertising for that browser or device where legally required.
13.6 Minors
Point does not knowingly sell or share personal information of individuals under 16.
14. Cookies, analytics, advertising, retargeting, and “Do Not Track”
Point may use cookies, pixels, SDKs, local storage, device identifiers, and similar technologies for essential operations, authentication, security, preferences, analytics, performance, marketing, advertising, retargeting, attribution, and campaign measurement where lawful.
| Category | Examples | Choice approach |
|---|---|---|
| Essential and security technologies | Login, session management, CSRF protection, fraud prevention, load balancing, service integrity | Required for the Services and generally cannot be disabled through Point cookie controls |
| Preference and functional technologies | Language, timezone, display preferences, saved settings | May be configurable in browser, device, or Point settings |
| Analytics and performance technologies | Product analytics, crash reporting, page or screen analytics, feature usage, diagnostics, Google Analytics where enabled | Subject to consent or opt-out where required |
| Advertising and retargeting technologies | Google tags, Google Ads conversion tags, remarketing tags, ad cookies, campaign identifiers, conversion measurement, Customer Match or audience exclusions if enabled, enhanced conversions if enabled, retargeting | Subject to consent or opt-out where required; may be treated as sale, sharing, or targeted advertising under some laws |
Current initial advertising and measurement vendor:
| Vendor | Products or functions | Categories made available | Role and choices |
|---|---|---|---|
| Google LLC, Google Ireland Limited, or another applicable Google affiliate | Google Ads, Google Analytics, Google Tag, Google Tag Manager, conversion tracking, remarketing, Enhanced Conversions, Customer Match, Campaign Manager, Display & Video 360, Search Ads 360, or comparable Google advertising and measurement services where enabled | Public website or marketing-property activity, URL/referral, IP address, approximate location, device/browser information, cookie or advertising identifiers, campaign identifiers, conversion events, demo/trial/account/plan events, hashed business contact information, and opt-out or suppression records | Google’s role depends on product and configuration. Point will provide consent, opt-out, opt-out-preference-signal, restricted-data-processing, ads-personalization, and regional controls where required or appropriate. Customer Content and connected-account data are excluded. |
Where required, Point will provide cookie notices, consent mechanisms, opt-out controls, or settings. In the EEA, UK, Switzerland, and other jurisdictions requiring opt-in consent for non-essential cookies, Point will seek consent before using advertising, retargeting, or non-essential analytics cookies. Point may implement Google Consent Mode or similar consent-signaling tools so Google tags adjust behavior based on consent choices, where configured.
Some browsers send “Do Not Track” signals. There is no uniform industry standard for responding to these signals. Point responds to legally required opt-out preference signals, such as Global Privacy Control, where applicable.
15. Marketing choices
Point may send business, product, event, and promotional communications where lawful. You may opt out of marketing emails using the unsubscribe link or by contacting us.
Even if you opt out of marketing, Point may still send transactional, service, security, legal, billing, and account communications.
16. Organization workspaces
If you use Point through an organization:
- your organization may control the workspace and Customer Content;
- admins may access, manage, export, delete, or restrict information associated with the workspace;
- your organization’s policies may apply; and
- Point may process Customer Content on your organization’s behalf under the Agreement.
Contact your organization for questions about its privacy practices.
17. Third-party services
The Services may link to or integrate with third-party services, including email providers, calendar providers, app stores, payment processors, identity providers, advertising partners, analytics providers, and AI providers. Third-party services have their own terms and privacy policies. Point is not responsible for their privacy practices.
When you or your organization connects Google, Microsoft, or another provider account, that provider may continue to process personal information under its own terms with you or your organization. Point’s access to that account is limited by the scopes, permissions, provider policies, and settings you authorize.
Point’s use of Google as an advertising technology vendor is separate from Point’s access to Google APIs for Gmail, Google Calendar, Google Sign-In, Google Workspace APIs, or other Connected Account functions. Point does not use Google API data or Customer Content for Google advertising, retargeting, Customer Match, enhanced conversions, or advertising profile creation.
18. Children
The Services are not directed to children under 13, and Point does not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Point, contact us.
19. Changes to this Policy
Point may update this Policy from time to time. The updated version will become effective when posted or otherwise communicated, unless a later effective date is stated. If required by law, Point will provide additional notice of material changes.
20. Contact
For questions or requests about this Policy or Point’s privacy practices, contact:
Point
Advanced Mail Solutions, Inc.
4770 Duckhorn Dr, Sacramento, CA 95834
Email: privacy@getpoint.ai
Website: getpoint.ai
For EEA, UK, or Swiss individuals, Point may provide additional representative or data protection officer contact details if required by law.