Security & Privacy

Safe with your inbox. By design.

Useful AI for your messages without compromising on privacy or control.

Three commitments

Never used for training

Your messages are not used to train AI models. Not by us. Not by our model providers, who process messages under enterprise contracts that prohibit training on our data.

Encrypted, with keys we cannot access

Everything we store about you — messages, tasks, brain pages, calendar, and contacts — is encrypted in transit and at rest. AWS owns the encryption keys, and no one at this+that has access to them. Our app and AI services decrypt content automatically to serve your requests; no this+that employee can view it.

Yours to delete, anytime

Disconnect an integration and we stop analyzing new messages from that source. Delete your account and everything associated with it goes too. No retention games, no friction.

How your messages flow through this+that

When you connect Gmail, Outlook, Slack, Teams, Google Chat, Telegram, or another supported source, you authorize us through that service's standard OAuth flow. We never see or store your password. Instagram and Facebook Messenger are awaiting platform approval and will be added once approved.

As messages arrive, we read them to extract tasks, follow-ups, and other action items. The reading happens through Amazon Bedrock, AWS's managed AI service, which fronts foundation models from Anthropic and other providers. Bedrock's terms prohibit using customer data to train the underlying models, regardless of which model handles a given request. All of this happens inside AWS infrastructure; no this+that employee sees plaintext at any point.

Everything we store about you — messages, tasks, brain pages, calendar, and contacts — is encrypted at rest using AWS-owned encryption keys. No one at this+that has access to those keys. Our app and AI services decrypt content automatically to serve your requests, but no this+that employee can view it. If you disconnect an integration, we stop syncing new messages from that source, and you can request removal of previously synced data. If you delete your account, every message, task, and record we hold for you is removed.

What we don’t do with your data

  • We don’t sell your data. To anyone. Ever.
  • We don’t share it with advertisers, data brokers, or analytics resellers.
  • We don’t use it to train AI models, and our model providers don’t either, per the enterprise terms we’ve signed.
  • We don’t retain it after you delete your account.

Compliance & certifications

SOC 2 Type I

Submitted for examination. We submitted our SOC 2 Type I report to an independent auditor in 2026 and are awaiting issuance. We will publish the report on this page once it is delivered.

SOC 2 Type II

Underway. We have engaged an independent auditor to lead our SOC 2 Type II audit, and onboarding is beginning now. We will share progress as we move through onboarding and into the observation period.

GDPR, UK GDPR & CCPA

We follow the requirements that apply to us under each framework. Our Data Processing Addendum incorporates GDPR Article 28 terms, the EU Standard Contractual Clauses, and the UK International Data Transfer Addendum. You can request access to or deletion of your data at any time, in the app or by emailing privacy@thisandthat.chat.

Sub-processor list

We publish the full list of third parties that process customer data on our behalf. Before any new sub-processor is added, we give at least 30 days’ notice and a right to object.

Breach notification

In the unlikely event of a security incident affecting your data, we will notify affected customers without undue delay and within 72 hours of confirming the incident, in line with GDPR Article 33 and the terms of our DPA.

Frequently asked questions

Can I use two-factor authentication to secure my login?

Yes. this+that supports two-factor authentication directly: turn it on in Account Settings and you'll be asked for a code from your authenticator app each time you sign in. We provide backup codes so you can recover access if you lose your authenticator. If you sign in with Google or Microsoft, your this+that account also inherits whatever 2FA you've configured on that identity provider.

Is my data encrypted in transit and at rest?

Yes, both. Data is encrypted while moving between connected services (Gmail, Slack, Teams, and others) and our servers, and it's encrypted while stored. AWS owns the encryption keys for your stored content, which means we don't hold them and cannot extract them. Decryption happens automatically inside AWS to serve your requests.

Can your team at this+that read my emails and messages?

No. AWS owns the encryption keys for your content, and no one at this+that has access to them. Our app and AI services decrypt content automatically to serve you — for example, to display an email or extract a task — but no this+that employee can view it. If we need to investigate a specific issue you're having, we'll ask you for context rather than reading your data.

Where is my data stored?

On AWS, with DynamoDB as our primary database. AWS is the industry-standard cloud platform with extensive security and reliability certifications of its own.

Will this+that share my messages or data with third parties or AI developers?

No. Your data is never sold or shared for advertising. We process messages through Amazon Bedrock — AWS’s managed AI service that fronts foundation models from Anthropic and other providers. Bedrock’s terms prohibit training on customer data, regardless of which underlying model handles a request. AWS is our sub-processor for AI processing, not a data buyer.

What happens if I disconnect an integration?

We stop analyzing new messages from that source immediately. You can also request the removal of any previously synced data from that integration. If you delete your account entirely, everything is removed.

Do you comply with GDPR, CCPA, or other data privacy regulations?

Yes, we follow the major data privacy frameworks that apply to our service, and you can delete your account (and therefore your data) at any time. For specific requests under GDPR or CCPA, email privacy@thisandthat.chat.

What if there’s a data breach — will I be notified?

Yes. In the unlikely event of a breach affecting your data, we follow industry-standard protocols to notify affected users promptly and to take immediate steps to secure all systems.

Who can see my messages and tasks inside this+that?

Your DoBox is private — only you see what’s in it. Shared task lists are visible to everyone in that list, by design. If you move a task with an attached message into a shared list, others on that list will see the message; that visibility persists even if you later leave the list.

Questions about how we handle your data?

We answer security and privacy questions directly. Email us — a real person reads every message.

Email security@thisandthat.chat