Legal
Last updated: April 2026
Nikki is a personal knowledge assistant that ingests your email communications to build a structured knowledge graph. Because we work with your private communications, we take our data handling obligations seriously. This policy explains exactly what we collect, why, and how we protect it.
When you connect your Gmail account, Nikki accesses the following data via the Gmail API under your OAuth authorization:
• Email content — subject lines, body text, and sender/recipient information for emails that pass our triage filter
• Contact metadata — names, email addresses, and organization names derived from your email headers
• Thread structure — email thread IDs and timestamps to understand conversation context
• Gmail labels — to apply organizational actions you authorize
We do not access attachments unless you explicitly enable attachment processing. We do not access Google Drive, Calendar, or any other Google service beyond what you authorize.
Your data is stored on dedicated infrastructure assigned to your workspace:
• Encryption at rest — all database content is encrypted using AES-256
• Encryption in transit — all API traffic uses TLS 1.2 or higher
• Data isolation — each workspace uses isolated infrastructure; your data is never commingled with another user's data
• Knowledge graph — entities and relationships extracted from your emails are stored in dedicated graph storage assigned to your workspace
Your email content and graph data are never stored on shared infrastructure.
Only you can access your data. Specifically:
• You — through the Nikki web interface, using your authenticated account
• Our team — may access anonymized system logs and infrastructure metrics for debugging purposes, but not your email content
• No third parties — we do not sell, share, or license your email data to any third party for any purpose
Our team members who require access to production infrastructure are subject to confidentiality agreements, and access is logged and audited.
Nikki uses the following third-party services in the course of processing your data:
• OpenAI API — email content is sent to OpenAI's API for entity extraction, triage classification, and conversational AI. OpenAI does not retain your data beyond the request lifecycle under their API terms. We do not use your data to train OpenAI models.
• Google Gmail API — used exclusively for fetching your email data under your OAuth authorization
• Infrastructure providers — our servers run on cloud infrastructure subject to standard data processing agreements
We do not use any third-party analytics, advertising, or tracking services on data you share with Nikki.
We retain your data for as long as your account is active. When you cancel or request deletion:
• Your account data is deleted within 30 days
• Your knowledge graph data is purged within 30 days
• Backup snapshots are rotated and deleted within 90 days
You can request an export of your data at any time before deletion.
You have the following rights over your data:
• Access — request a summary of what data we hold about you
• Export — download a copy of your knowledge graph and processed email data
• Correction — ask us to correct inaccurate information
• Deletion — request full deletion of your account and all associated data
• Portability — receive your data in a machine-readable format
• Withdraw consent — revoke Gmail OAuth access at any time via Google's account settings; this will suspend syncing immediately
To exercise any of these rights, contact us at [email protected].
Nikki is built with GDPR as a first-class requirement:
• Lawful basis — we process your data under the lawful basis of contract performance (providing the service you signed up for) and your explicit consent for Gmail OAuth
• Data minimization — we only collect what is necessary to build your knowledge graph
• Purpose limitation — your data is used only to provide the Nikki service to you
• Data processing agreements — available upon request for EU-based customers
If you are located in the European Union or European Economic Area and have concerns about how we handle your data, you have the right to lodge a complaint with your local data protection authority.
We may update this privacy policy from time to time. When we make material changes, we will notify active users by email at least 14 days before the changes take effect. The date at the top of this page reflects the most recent revision.
For any privacy-related questions, data requests, or concerns, contact us at:
Nikki / CodeMax IT Solutions