Privacy Policy
Cleito ("Cleito", "we", "us") is a desktop application developed and operated by Mauricio Etienne, an independent software developer based in Mexico. This policy describes what information the application handles when you use it, where that information is stored, and what we do (and do not do) with it.
The short version
- Cleito is software that runs on your computer. It is not an online service.
- When you connect a Google or Microsoft account, Cleito stores the resulting credentials on your computer, encrypted by your operating system.
- Email, calendar, contacts, and other data fetched from Google or Microsoft is processed on your computer. We do not operate a server that receives, proxies, or stores this content.
- We do not sell, share, or otherwise transfer your data to third parties.
Information the application handles
When you use Cleito, the application may handle the following categories of information:
-
OAuth refresh tokens. When you connect a Google or
Microsoft account, the application stores the refresh token issued
by the provider. The token is encrypted at rest using your
operating system's keystore (macOS Keychain, Windows DPAPI, or
Linux Secret Service via Electron's
safeStorage) and stored in the application's local data directory on your computer. - Account profile information. Basic profile data (email address, name) returned by the provider during sign-in is stored locally so the application can display which accounts are connected.
- Email, calendar, contacts, and task content. When the assistant performs an action you have requested, it fetches the relevant content directly from the provider's API to your computer. Content is held in the application's process memory only for the duration of the action and is not persistently stored beyond what the operating system caches.
- Application logs. The application writes diagnostic logs to your computer's local file system to help you and the developer debug problems. Logs do not include message bodies or contact details.
Where your information is stored
All of the above is stored on your computer, in the operating-system user-data directory assigned to the application. None of it is transmitted to a server operated by us.
Information transmitted to third parties
The application transmits information to third parties only as needed to perform the actions you request:
- Google and Microsoft. When you connect an account and use a feature that calls a Google or Microsoft API, the application makes requests to those APIs on your behalf, using the stored refresh token. Your interactions with these providers are governed by their own privacy policies (Google Privacy Policy and the Microsoft Privacy Statement).
- The language-model provider you have configured. To produce assistant responses, the application sends prompts — which may include excerpts of the email, calendar, contact, or document content needed for the task — to the language-model provider you have selected (for example Anthropic, OpenAI, or a local model). You choose which provider to use; the application does not proxy these requests through a Cleito server.
Use of Google user data
Cleito's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide or improve user-facing features that are prominent in the application's interface.
- Google user data is not transferred to others except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's notice.
- Google user data is not used for advertising purposes.
- Humans do not read Google user data unless we have your affirmative consent for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for the application's internal operations and only with the data being aggregated and anonymized.
Disconnecting an account
You can disconnect a Google or Microsoft account at any time from within the application's settings. Disconnecting deletes the corresponding refresh token from your computer. You can additionally revoke Cleito's access from your Google account (myaccount.google.com/permissions) or your Microsoft account (account.microsoft.com/privacy).
Children
Cleito is not directed at children under 13, and we do not knowingly process information about children.
Changes to this policy
We may update this policy as the application evolves. The effective date at the top of this page reflects the most recent revision. Material changes will be communicated through the application or this website.
Contact
Questions about this policy: mauricio.etienne@gmail.com