Privacy Policy

Effective date: April 5, 2026

This Privacy Policy describes how Corral ("we", "us") collects, uses, and protects your information when you use our service at corrall.ing. We are committed to being transparent about our data practices.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and profile information provided through your login provider (e.g., Google).

OAuth Tokens

When you connect third-party accounts, we store OAuth access tokens and refresh tokens to maintain authorized access to those services on your behalf. These tokens allow Corral to read and interact with your data in connected services.

Calendar Data

From connected Google Calendar and Microsoft Calendar accounts, we access event details including titles, times, attendees, descriptions, and meeting links.

Email Data

From connected Gmail and Microsoft Mail accounts, we access email metadata (sender, recipients, subject, date) and message content to provide AI-powered analysis and summaries.

Slack Data

When connected to a Slack workspace, we access messages and channel information relevant to your interactions with the Corral bot.

Usage Data

We collect basic usage information such as when you log in and which features you use.

2. How We Use Your Information

We use the data we collect to:

• Provide the Service: Analyze your calendar events, emails, and messages using AI to generate summaries, suggestions, and insights
• Build your workstream graph: Create a contextual map of your contacts, communication threads, and work relationships to provide relevant assistance
• Poll for updates: Periodically check connected accounts for new events, emails, and messages to keep your information current
• Improve the Service: Understand how the product is used to fix bugs and develop new features

3. Data Storage

Your data is stored in a self-hosted PostgreSQL database. OAuth tokens (both access and refresh tokens) are stored in this database to maintain your connections to third-party services. We do not use third-party cloud databases or data warehouses.

4. Third-Party Services

Corral integrates with and transmits data to the following categories of third-party services:

• AI providers (OpenRouter, Google Gemini): Portions of your data (such as email content, calendar events, and messages) are sent to AI language model providers to generate analysis and responses. These providers process data according to their own privacy policies and data handling agreements.
• Google APIs: Used to access your Google Calendar and Gmail data when you authorize a connection.
• Microsoft Graph API: Used to access your Microsoft Calendar, Mail, and Files data when you authorize a connection.
• Slack API: Used to send and receive messages when you connect Corral to a Slack workspace.
• MCP servers: If you configure additional integrations via Model Context Protocol, data may be exchanged with those services as needed to fulfill requests.

5. Data Sharing

We do not sell your personal data. We do not share your data with third parties for advertising purposes. Your data is only shared with AI providers as described above, strictly for the purpose of providing the Service.

6. Your Rights

You have the right to:

• Disconnect accounts: You can revoke Corral's access to any connected service at any time through your account settings. This stops future data collection from that service.
• Request data deletion: You can request that we delete all of your data by contacting us at [email protected]. We will delete your data within 30 days of a verified request.
• Access your data: You can request a copy of the data we hold about you by contacting us at the email above.

Note that disconnecting an account within Corral does not revoke the OAuth grant at the provider level. To fully revoke access, you should also remove Corral from your authorized applications in your Google, Microsoft, or Slack account settings.

7. Security

We take reasonable measures to protect your data, including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• OAuth tokens stored in a secured, self-hosted database
• Access controls limiting who can access production systems
• Regular review of third-party service integrations

No method of storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Cookies

Corral uses minimal cookies. We use session cookies strictly for authentication purposes — to keep you logged in while you use the Service. We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

10. Contact

If you have questions about this Privacy Policy or our data practices, contact us at [email protected].