Privacy Policy

Last updated: May 7, 2026

This Privacy Policy explains how Boring Plugins LLC and its parent company Boring Plugins LTD (together, “everything,” “we,” “us”) collect, use, share, and protect information when you use the everything platform, our websites (including thetool.company and sign.boringplugins.com), our browser extensions, and our mobile applications (the “Service”).

Who we are

everything is operated by Boring Plugins LLC, a Delaware limited liability company that handles billing and US operations, and Boring Plugins LTD, our Israeli parent company that develops and operates the platform. For privacy questions, you can reach us at privacy@thetool.company.

Information we collect

Account information

When you sign up, we collect your name, email address, profile picture (if you sign in with Google), workspace name, role, and authentication identifiers. If you subscribe to a paid plan, our payment processor (Stripe) collects payment details on our behalf; we do not store full card numbers.

Customer content

We store the data you create or import into the Service — contacts, deals, notes, tasks, calendar events, email threads, call recordings and transcripts, documents and contracts you send for signature, and skill configurations. This data belongs to your workspace and is processed to provide the Service to you.

Google user data

When you connect a Google account, we request specific OAuth scopes to power features you opt into. We only request the scopes needed for the features you use:

  • Gmail (gmail.modify) — read your email threads to display them in the unified inbox alongside your CRM contacts; compose and send replies and new emails from inside everything; mark messages read/unread, archive, and apply labels when you take those actions in our UI; subscribe to Gmail push notifications so the inbox stays in sync. We do not permanently delete your email.
  • Other contacts (contacts.other.readonly) — read the contacts Gmail auto-saves when you exchange email with someone, so we can suggest them as people to add to your CRM and attribute incoming emails to the right contact record.
  • Calendar — read and write calendar events to show your schedule alongside CRM contacts, create meetings from everything, and attach booking notes to deals.
  • Profile and email (userinfo.profile, userinfo.email) — to identify your account and display your name and avatar in the app.

Data from other integrations

If you connect LinkedIn (via our browser extension), Slack, Twilio, WhatsApp, Stripe, or other integrations, we process the data those services return to power the corresponding features. LinkedIn traffic is always routed through your browser via our extension; we never call LinkedIn from our servers.

Usage data

We collect logs about how you use the Service — pages viewed, features used, errors encountered, IP address, browser and device type — to operate, secure, and improve the Service.

How we use information

  • To provide, maintain, and improve the Service.
  • To personalize the Service to your role, workspace, and workflow.
  • To send transactional messages (sign-in links, billing receipts, workspace invitations, security alerts).
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

We do not use the content of your Gmail messages, Calendar events, or other Google user data to train generalized AI or machine learning models. AI features that operate on your data (such as email drafting, meeting summaries, and the AI-powered inbox) process your data on a per-request basis to generate output for you, and that output is shown only to you and your workspace.

Google API Services — Limited Use disclosure

everything’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, with respect to data obtained through Google Workspace APIs (including Gmail):

  • We only use Google user data to provide or improve user-facing features that are prominent in the everything user experience.
  • We do not transfer Google user data to third parties except (a) as necessary to provide or improve user-facing features that are prominent in our user experience, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with notice to you.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations and even then only when the data have been aggregated and anonymized.

Sharing and subprocessors

We share information only with service providers who help us operate the Service, under contracts that require them to protect your data. Our primary subprocessors are:

  • Google Cloud Platform — application hosting (Cloud Run), storage, and authentication.
  • Supabase — primary database and authentication.
  • Anthropic, OpenAI — AI model inference for features that you trigger.
  • Stripe — billing and payment processing.
  • Backblaze B2 — file storage for documents and attachments.
  • Twilio — voice and SMS for the dialer.
  • Resend / Postmark — outbound transactional email.

We do not sell your personal information, and we do not share Google user data with third parties for their own marketing or advertising.

Data retention

We retain customer content for as long as your workspace is active. If you delete data inside the Service, we remove it from production within 30 days and from backups within 90 days. If you cancel your account, we delete or anonymize your data within 90 days unless we are required to retain it for legal, tax, or security reasons.

You can disconnect your Google account at any time from your integration settings or by visiting your Google account permissions page. Disconnecting revokes our access to your Google data going forward; data already in your workspace remains until you delete it.

Security

We protect your data with encryption in transit (TLS) and at rest, scoped database access, audit logging, principle-of-least-privilege employee access, and SSO with hardware-key-protected accounts for engineering staff. We are pursuing SOC 2 Type II and follow the Cloud Application Security Assessment (CASA) framework for our handling of restricted Google scopes.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, to object to or restrict processing, and to withdraw consent. To exercise these rights, email privacy@thetool.company. We will respond within the time frames required by applicable law (typically 30 days under GDPR; 45 days under CCPA).

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority. If you are a California resident, you have the right not to be discriminated against for exercising your privacy rights.

International transfers

We are based in the United States and Israel, and we use service providers in those and other jurisdictions. When we transfer data from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses or other approved transfer mechanisms.

Children

The Service is not intended for individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

Cookies and tracking

We use first-party cookies and similar technologies for authentication, security, and product analytics. We do not use third-party advertising cookies. You can manage cookies in your browser settings.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before they take effect. Your continued use of the Service after the effective date means you accept the updated policy.

Contact

Questions or requests? Email privacy@thetool.company. You can also write to us at:

Boring Plugins LLC
Attn: Privacy
8 The Green, Suite #14483
Dover, DE 19901
United States