How AI Secretary’s permissions actually work.

• Your email, your calendar, your files live in your Google or Microsoft account — on your computer, the same as Notion AI, Slack AI, and Microsoft Copilot.
• AI Secretary does not move your data.
• There is no AI Secretary archive of your inbox.
• AI Secretary does not store your data.
• AI Secretary’s software runs on AI Secretary’s servers. Never written to a database. Never logged. Never touched again. (no ability to see the data)

AI Secretary’s database stores only:

• Your settings
• Your voice profile
• Your booking metadata (lead name, email, time)

Nothing else. Not email bodies. Not drafts. Not calendar details. Not anything inside your account.

AI Secretary uses its own AI keys — same way Notion AI, Slack AI, and Microsoft Copilot include AI in their subscription. The AI bill is bundled. You pay AI Secretary. AI Secretary pays the AI provider.

When you connect Google or Microsoft, you grant AI Secretary a set of permissions — the specific list is shown on the connect page and again in your account at myaccount.google.com/connections.

But AI Secretary doesn’t pool those permissions and use them for whatever it wants. Each automation in your dashboard has its own narrow job. The Gmail auto-reply automation can only install your vacation responder. The booking-page automation can only check free/busy and create events when a lead books. The prep-doc automation can only create new Google Docs.

If an automation tries to do anything outside its declared job, the call fails. There is no shared bucket of permissions any AI Secretary code can dip into.

Every automation you install shows up as a row in your dashboard → Automations with three buttons:

• Test — AI Secretary emails you a snapshot of what THIS automation is doing for you right now (e.g. the actual current text of your Gmail vacation auto-reply, the URL of your live booking page).
• Pause — AI Secretary stops running this automation. Permissions stay granted at Google/Microsoft, but no AI Secretary code is allowed to invoke them on your behalf.
• Delete — AI Secretary removes this automation from your account entirely. Existing artifacts (the auto-reply text, your lead tracker Sheet, prep docs already in your Drive) stay where they are; AI Secretary just stops using its scope.

AI Secretary uses Google’s drive.file scope, not the broader drive scope. The difference matters.

With drive.file, AI Secretary can only see and modify files it created. Your existing Drive — every file you’ve made yourself, every doc shared with you, every folder — is invisible to AI Secretary. Google enforces this at the API level. Even if AI Secretary wanted to read your tax returns, the Drive API would return permission errors.

For Gmail customers, AI Secretary uses gmail.send — a write-only scope. It lets AI Secretary send mail on your behalf, but provides zero read access. AI Secretary cannot list your messages, search your inbox, or read a single email you’ve received.

The only exception: the optional Personalization Wizard can request gmail.readonly separately, on its own consent screen, only after you click “Connect Gmail to learn your voice”. AI Secretary uses it once to read your last 75 sent emails, builds a voice profile, and that’s it. You can revoke this scope alone at Google without disconnecting AI Secretary.

For Microsoft 365 customers, the equivalent scope is Mail.ReadWrite — Microsoft does not offer a send-only scope, so AI Secretary needs read access to detect inbound lead emails. This is disclosed on the Microsoft connect page and is the one place AI Secretary’s permissions are broader than Gmail’s.

AI Secretary has no hidden mode. Every email AI Secretary sends shows up in your Gmail Sent folder. Every calendar event appears on your calendar. Every Doc lands in your Drive with a timestamp. There’s no separate “AI Secretary log” you have to trust — your existing Google or Microsoft account already shows you everything.

You can disconnect AI Secretary from your Google or Microsoft account at any time, from one place:

• Google customers: myaccount.google.com/connections
• Microsoft customers: myaccount.microsoft.com → Privacy → Apps and services

The moment you click revoke, every AI Secretary automation in your account stops. No call, no support ticket, no waiting for someone at AI Secretary to confirm.

Two places. First, Google’s and Microsoft’s OAuth systems — they enforce the scope boundary at the API level. AI Secretary can only do what those scopes allow. This is the same enforcement that protects you from any third-party app (Calendly, Zapier, your CRM).

Second, AI Secretary’s per-automation gating — the code is structured so each automation has its own narrow purpose. There is no place in AI Secretary’s code that says “use any granted permission for any reason”.

You don’t have to take this on faith. AI Secretary’s actions are visible in your account, the OAuth scopes are listed on the connect page, and you can revoke at any time.