Back to Heimdall

Privacy Policy

Last Updated: February 17, 2026

Heimdall ("we", "our", or "the extension") is a Chrome browser extension that helps users manage their Gmail inbox by identifying subscription and promotional emails and providing tools to unsubscribe from unwanted senders. This Privacy Policy explains how Heimdall accesses, uses, stores, and protects your data.

1. Information We Access

When you sign in with Google and grant permission, Heimdall accesses the following Gmail data through the Gmail API:

• Email message headers — including sender name, sender address, subject line, and date. This is used to identify subscription and promotional emails in your inbox.
• List-Unsubscribe headers — a standard email header that contains the unsubscribe URL or mailto address for subscription emails. This is used to process unsubscribe requests on your behalf.
• Email labels and categories — used to filter for promotional and subscription emails (e.g., the Gmail "Promotions" category).

Heimdall does not access or read the body/content of your emails. We only access the metadata and headers listed above.

2. How We Use Your Data

Your Gmail data is used exclusively for the following purposes:

• Scanning — Identifying subscription and promotional emails in your inbox by reading message headers.
• Displaying results — Showing you a list of senders with email counts and frequency so you can decide which to keep or unsubscribe from.
• Unsubscribing — Processing unsubscribe requests using the List-Unsubscribe header and, when authorized, moving unwanted emails to trash.

3. Data Storage

Heimdall processes your email data locally in your browser. Specifically:

• Email scanning and analysis happens entirely within the Chrome extension running on your device.
• We do not store your email messages, headers, or any Gmail content on any external server.
• Your Google OAuth authentication token is stored locally in Chrome's secure storage (chrome.storage.local) and is only used to authenticate API requests to Gmail.
• Basic account information (email address) is sent to our server solely to verify your subscription status for the paid service. No Gmail data is sent to our server.

4. Data Sharing & Transfer

We do not sell, trade, rent, or share your Google user data with any third parties. Specifically:

• Your data is never transferred or sold to third parties including advertising platforms, data brokers, or information resellers.
• Your data is never used for serving ads, including retargeting, personalized, or interest-based advertising.
• Your data is never used to determine credit-worthiness or for lending purposes.
• Your data is never used for AI model training.

Data may only be transferred in the following limited circumstances:

• For security purposes, such as investigating abuse or security incidents.
• To comply with applicable laws or legal processes.
• As part of a merger, acquisition, or sale of assets, but only after obtaining explicit prior consent from the user.

5. Human Access to Data

No humans (including Heimdall employees, agents, contractors, or successors) read your Gmail data, unless:

• You provide affirmative consent to view specific data for support purposes.
• It is necessary for security purposes (e.g., investigating a bug or abuse).
• It is necessary to comply with applicable law.
• The data is aggregated and anonymized and used for internal operations in accordance with applicable privacy requirements.

6. Permissions We Request

Heimdall requests the following Google OAuth scopes:

• https://www.googleapis.com/auth/gmail.readonly — Allows Heimdall to read email headers to identify subscription and promotional emails.
• https://www.googleapis.com/auth/gmail.modify — Allows Heimdall to modify emails, such as moving unwanted subscription emails to trash when you click "Unsubscribe."
• https://www.googleapis.com/auth/userinfo.email — Allows Heimdall to retrieve your email address to verify your subscription status.

We follow the principle of minimum required access and only request the scopes necessary for Heimdall to function.

7. Authentication & Security

• We use Google OAuth 2.0 for secure authentication.
• Your Google password is never shared with or stored by Heimdall.
• OAuth tokens are stored in Chrome's built-in secure storage.
• You can revoke Heimdall's access at any time through your Google Account permissions.

8. Payment Information

Subscription payments are processed by Stripe. Heimdall does not collect, store, or process any payment card information. All payment data is handled directly by Stripe in accordance with their privacy policy and PCI compliance standards.

9. In-Product Privacy Notifications

Heimdall displays a privacy notice within the extension interface when you first sign in, including a link to this Privacy Policy. This ensures you are aware of how your data is handled before granting access to your Gmail account.

10. Data Retention & Deletion

• Email scan results are stored only in your browser's memory during your active session and are cleared when the extension popup closes.
• If you uninstall Heimdall, all locally stored data (OAuth tokens, preferences) is automatically removed by Chrome.
• You can revoke Gmail access at any time through your Google Account settings.
• To request deletion of your subscription account data, contact us at the email below.

11. Children's Privacy

Heimdall does not collect or store personal data on external servers from any user. Additionally, Heimdall is not intended for use by anyone under the age of 13, in compliance with the Children's Online Privacy Protection Act (COPPA).

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of Heimdall after changes constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy or how Heimdall handles your data, please contact us:

• Email: thorwarnken@gmail.com
• Website: heimdallprotections.com

---