Privacy Policy
Last updated: March 2026
What we collect
When you create an account, we collect your email address for authentication and communication.
When you connect a Gmail account, we store your OAuth tokens encrypted at rest using AES-256-GCM. These tokens let AskFirst proxy requests to Gmail on your behalf.
We keep usage logs — an audit trail of every proxy request your agents make through AskFirst, including the action type, timestamp, and outcome (allowed, gated, denied).
How we handle Gmail data
AskFirst accesses Gmail through your connected Google account using the gmail.modify OAuth scope. This scope is required so agents can read, send, and manage email through the proxy.
We do not store email content. All Gmail API requests are proxied in real time — we forward the request, return the response, and don't keep a copy.
Email metadata — such as subject lines, sender addresses, and recipient addresses — may appear in audit logs and in gate approval prompts sent to you via Telegram. This metadata helps you make informed approve/deny decisions.
Your OAuth tokens are encrypted with AES-256-GCM before storage. They are never exposed to your agents — agents authenticate with AskFirst using separate API keys.
How we use your data
We use your data to:
- Enforce the access policies you define for your AI agents
- Proxy Gmail API requests on behalf of your agents
- Show you audit logs of all agent activity
- Send you gate approval notifications via Telegram when an agent attempts a restricted action
- Authenticate you and manage your account
We do not use your data for advertising, training AI models, or any purpose other than operating AskFirst.
Third-party services
AskFirst uses the following third-party services:
- Supabase — authentication and database hosting
- Google OAuth — to connect your Gmail account securely
- Telegram Bot API — to send you gate approval notifications
We do not sell, rent, or share your data with advertisers or data brokers. We do not share your data with any third parties beyond what's listed above.
Data retention
Audit logs are retained indefinitely so you have a complete record of agent activity. You can request deletion of your audit logs at any time.
OAuth tokens are deleted immediately when you remove a connector.
Account deletion removes all associated data — your account, connectors, API keys, policies, and audit logs.
Security
We take the security of your data seriously:
- OAuth tokens are encrypted at rest using AES-256-GCM
- All connections use HTTPS
- Agent API keys are hashed with bcrypt — we store the hash, not the key
- Your Google credentials are never exposed to your agents
Cookies
We use only essential cookies for authentication (Supabase session cookies). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
Your rights
You have the right to:
- Access your data — view your audit logs, connectors, and account information in the dashboard
- Delete your data — remove individual connectors or delete your entire account
- Export your data — request a copy of your data by contacting us
To exercise any of these rights, contact us at hello@askfirst.io.
Children
AskFirst is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us at hello@askfirst.io and we will delete it.
Changes to this policy
We may update this privacy policy from time to time. For material changes, we'll notify you via email. The “last updated” date at the top reflects the most recent revision.
If you have questions about this policy, contact us at hello@askfirst.io.