1. Introduction
Gold-B's Agent ("the Application", "we", "our") is a self-hosted multi-channel messaging automation platform that runs entirely on the user's own hardware. This Privacy Policy explains how the Application handles data, including information accessed through Google APIs, Microsoft Graph APIs, and third-party messaging services.
By installing and using Gold-B's Agent, you ("the User") agree to the practices described in this policy.
2. Self-Hosted Architecture
Gold-B's Agent is designed as a self-hosted, privacy-first application:
- The Application runs as Docker containers on your local machine.
- No data is transmitted to or stored on any servers controlled by Gold-B's Agent.
- All configuration, credentials, messages, and cached data reside solely on your hardware, under your control.
- We do not operate any cloud service, analytics platform, or centralized data store.
3. Google API Services — Data Access & Usage
The Application optionally integrates with Google services via OAuth 2.0. Each integration is independently enabled by the user. The Application requests the following scopes:
| Google API Scope | Purpose | Data Accessed |
|---|
spreadsheets |
Log incoming leads and export data to Google Sheets |
Read and write rows in user-specified spreadsheets |
drive.file |
Store documents created by automation rules in Google Drive |
Create and read files that the Application itself created (no access to other Drive files) |
gmail.modify |
Read incoming emails for lead processing and send automated email replies |
Read, send, and manage labels on emails in the connected Gmail account |
calendar.events |
Create follow-up reminder events in the user's Google Calendar when automation rules are triggered by incoming leads. List available calendars for configuration. |
Create events in Google Calendar, list calendar names |
userinfo.email |
Identify the connected Google account in the admin panel |
Email address of the authenticated Google account |
3.1 How Google Data Is Used
- Google data is accessed only to perform the specific automation tasks configured by the user (e.g., logging a lead to a spreadsheet, sending an email notification).
- Data retrieved from Google APIs is processed locally and is not forwarded to any third party.
- AI providers (e.g., Gemini, OpenAI) configured in the Application do not receive Google API data. Google data is used solely for direct automation tasks (logging, sending, scheduling) and is never passed to AI models for processing.
3.2 How Google Data Is Stored
- OAuth 2.0 tokens (access and refresh tokens) are stored locally on your machine, encrypted with AES-256-GCM using a key derived from your gateway password via PBKDF2 (600,000 iterations).
- Tokens are stored in the Application's local configuration file and are never transmitted externally.
- If you change your gateway password, all stored tokens are automatically invalidated and must be re-authorized.
3.3 How Google Data Is Shared
Gold-B's Agent does not share Google user data with any third parties. All data processing occurs locally on your machine. We do not sell, rent, license, or disclose Google user data to anyone.
3.4 Google API Services User Data Policy Compliance
Gold-B's Agent's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- The Application only uses Google data for the purposes described in this policy and as configured by the user.
- The Application does not use Google data for advertising, market research, or any purpose unrelated to the Application's core functionality.
- The Application does not allow humans to read Google user data, except where the user has given affirmative consent (e.g., viewing their own data in the admin panel), it is necessary for security purposes, or it is required by law.
- The Application does not transfer Google data to third parties except as necessary to provide the user-configured functionality.
4. Microsoft 365 API Services — Data Access & Usage
The Application optionally integrates with Microsoft 365 services via OAuth 2.0 (PKCE). Each integration is independently enabled by the user. The Application requests the following Microsoft Graph API permissions:
| Microsoft Graph Permission | Purpose | Data Accessed |
|---|
Files.ReadWrite |
Store and retrieve documents in OneDrive |
Create, read, and list files in the user's OneDrive |
Mail.ReadWrite |
Read incoming emails for lead processing and send automated replies |
Read, send, and manage emails in the connected Outlook account |
Calendars.ReadWrite |
Create follow-up events and reminders in the user's calendar |
Create and read calendar events, list calendars |
User.Read |
Identify the connected Microsoft account in the admin panel |
Display name and email address of the authenticated account |
4.1 How Microsoft Data Is Used
- Microsoft data is accessed only to perform the specific automation tasks configured by the user.
- Data retrieved from Microsoft Graph APIs is processed locally and is not forwarded to any third party.
- AI providers configured in the Application do not receive Microsoft API data directly. Microsoft data is used solely for direct automation tasks (file storage, email sending, scheduling).
4.2 How Microsoft Data Is Stored
- OAuth 2.0 tokens (access and refresh tokens) are stored locally on your machine, encrypted with AES-256-GCM using a key derived from your gateway password via PBKDF2.
- Tokens are stored in the Application's local configuration file and are never transmitted externally.
- If you change your gateway password, all stored tokens are automatically invalidated and must be re-authorized.
4.3 How Microsoft Data Is Shared
Gold-B's Agent does not share Microsoft user data with any third parties. All data processing occurs locally on your machine. We do not sell, rent, license, or disclose Microsoft user data to anyone.
5. Multi-Channel Messaging
In addition to WhatsApp, the Application supports the following messaging channels. All message processing occurs locally:
- Telegram: Messages are received via the Telegram Bot API. Message content is processed locally and may be sent to the user's configured AI provider for generating responses.
- Instagram & Facebook Messenger: Messages are received via Meta Graph API webhooks. Webhook payloads are verified using HMAC-SHA256 signatures. Message content is processed locally.
- SMS: Messages are sent and received via the Twilio API. Phone numbers and message content pass through Twilio's servers as required by the SMS protocol. This is governed by Twilio's Privacy Policy.
- Email: Email is processed via Gmail API and/or Microsoft Graph API (as described in sections 3 and 4 above).
For all channels, message content may be sent to the user's configured AI provider (e.g., Google Gemini, OpenAI, Anthropic) for generating responses. This is governed by the respective AI provider's privacy policy and the user's own API key agreement.
6. Knowledge Base & Document Processing
- Document uploads: Users may upload documents (PDF, DOCX, TXT, JSON) to create AI knowledge agents. Documents are stored locally, extracted, chunked, and indexed on your machine. Document content may be sent to the user's configured AI provider for enrichment and analysis.
- Knowledge Sources: The Application can optionally sync data from connected platforms (Gmail, Google Sheets, Google Drive, Google Calendar, OneDrive, Outlook, Microsoft Calendar, Microsoft Excel, WhatsApp, Telegram) into local knowledge agents. Synced data is stored locally and may be sent to AI providers for indexing and retrieval.
- OCR processing: Scanned documents may be processed using the user's configured AI provider (LLM Vision), Google Cloud Vision API (if configured), or local Tesseract OCR. Only LLM Vision and Google Cloud Vision involve external data transmission.
7. Other Data Handling
7.1 Configuration Data
All settings, rules, templates, keywords, and credentials are stored locally on your machine in a dedicated application directory. Sensitive credentials are encrypted using platform-native encryption (Windows DPAPI) or AES-256-GCM.
7.2 Lead & Webhook Data
The Application receives lead data from configurable webhook sources (e.g., Facebook Ads, Zapier). Incoming webhook payloads are processed and stored locally. Lead data may be forwarded to WhatsApp groups or other channels as configured by the user.
7.3 Usage Analytics
The Application collects local usage metrics (message counts, rule matches, token usage) stored as local NDJSON files with automatic 90-day retention. These metrics are never transmitted externally.
8. Data Retention & Deletion
- Google & Microsoft tokens: Stored until the user revokes access via the admin panel or changes their gateway password. Users can revoke access at any time, which immediately deletes all stored tokens.
- Knowledge base documents: Stored locally until the user deletes them via the admin panel or uninstalls the Application.
- Local data: Retained as long as the Application is installed. Uninstalling the Application removes all local data.
- Usage logs: Automatically purged after 90 days.
9. User Rights
Since Gold-B's Agent is self-hosted, you have full control over your data:
- Access: All data is on your machine — you can inspect any file at any time.
- Deletion: You can delete any data by removing files from the local storage directory or uninstalling the Application.
- Revocation: You can disconnect Google integrations via the admin panel or from your Google Account permissions page. You can disconnect Microsoft integrations via the admin panel or from your Microsoft Account permissions page.
- Portability: Configuration files are stored in standard JSON format and can be exported at any time.
10. Security Measures
- OAuth 2.0 with PKCE (SHA-256) for Google and Microsoft authentication
- AES-256-GCM encryption for stored tokens with PBKDF2-derived keys
- CSRF protection with one-time-use state tokens (5-minute TTL)
- Timing-safe comparisons for all credential operations
- Webhook signature verification (Meta HMAC-SHA256, Twilio HMAC-SHA1, Telegram secret_token)
- Docker container isolation with minimal privileges
- API rate limiting on all endpoints
- SSRF protection on HTTP automation steps
11. Children's Privacy
Gold-B's Agent is not intended for use by individuals under the age of 18. We do not knowingly process data from minors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected in updated versions of the Application. The "Last updated" date at the top of this page indicates the most recent revision.
13. Contact
If you have questions about this Privacy Policy or the Application's data practices, please contact us by opening an issue on our public support repository or by email at goldb.agent.support@gmail.com.