1. Introduction
Gold-B's Agent ("the Application", "we", "our") is a self-hosted WhatsApp automation platform that runs entirely on the user's own hardware. This Privacy Policy explains how the Application handles data, including information accessed through Google APIs.
By installing and using Gold-B's Agent, you ("the User") agree to the practices described in this policy.
2. Self-Hosted Architecture
Gold-B's Agent is designed as a self-hosted, privacy-first application:
- The Application runs as Docker containers on your local machine.
- No data is transmitted to or stored on any servers controlled by Gold-B's Agent.
- All configuration, credentials, messages, and cached data reside solely on your hardware, under your control.
- We do not operate any cloud service, analytics platform, or centralized data store.
3. Google API Services — Data Access & Usage
The Application optionally integrates with Google services via OAuth 2.0. Each integration is independently enabled by the user. The Application requests the following scopes:
| Google API Scope | Purpose | Data Accessed |
|---|
spreadsheets |
Log incoming leads and export data to Google Sheets |
Read and write rows in user-specified spreadsheets |
drive.file |
Store documents created by automation rules in Google Drive |
Create and read files that the Application itself created (no access to other Drive files) |
gmail.modify |
Read incoming emails for lead processing and send automated email replies |
Read, send, and manage labels on emails in the connected Gmail account |
calendar.events |
Create calendar reminders and events triggered by automation rules |
Create and edit events in Google Calendar |
userinfo.email |
Identify the connected Google account in the admin panel |
Email address of the authenticated Google account |
3.1 How Google Data Is Used
- Google data is accessed only to perform the specific automation tasks configured by the user (e.g., logging a lead to a spreadsheet, sending an email notification).
- Data retrieved from Google APIs is processed locally and is not forwarded to any third party.
- AI providers (e.g., Gemini, OpenAI) configured in the Application do not receive Google API data. Google data is used solely for direct automation tasks (logging, sending, scheduling) and is never passed to AI models for processing.
3.2 How Google Data Is Stored
- OAuth 2.0 tokens (access and refresh tokens) are stored locally on your machine, encrypted with AES-256-GCM using a key derived from your gateway password via PBKDF2 (600,000 iterations).
- Tokens are stored in the Application's local configuration file and are never transmitted externally.
- If you change your gateway password, all stored tokens are automatically invalidated and must be re-authorized.
3.3 How Google Data Is Shared
Gold-B's Agent does not share Google user data with any third parties. All data processing occurs locally on your machine. We do not sell, rent, license, or disclose Google user data to anyone.
3.4 Google API Services User Data Policy Compliance
Gold-B's Agent's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- The Application only uses Google data for the purposes described in this policy and as configured by the user.
- The Application does not use Google data for advertising, market research, or any purpose unrelated to the Application's core functionality.
- The Application does not allow humans to read Google user data, except where the user has given affirmative consent (e.g., viewing their own data in the admin panel), it is necessary for security purposes, or it is required by law.
- The Application does not transfer Google data to third parties except as necessary to provide the user-configured functionality.
4. Other Data Handling
4.1 WhatsApp Messages
Incoming and outgoing WhatsApp messages are processed locally by the gateway container. Message content may be sent to the user's configured AI provider (e.g., Google Gemini, OpenAI) for generating responses. This is governed by the respective AI provider's privacy policy and the user's own API key agreement.
4.2 Configuration Data
All settings, rules, templates, keywords, and credentials are stored locally on your machine in a dedicated application directory. Sensitive credentials are encrypted using platform-native encryption (Windows DPAPI) or AES-256-GCM.
4.3 Usage Analytics
The Application collects local usage metrics (message counts, rule matches, token usage) stored as local NDJSON files with automatic 90-day retention. These metrics are never transmitted externally.
5. Data Retention & Deletion
- Google tokens: Stored until the user revokes access via the admin panel or changes their gateway password. Users can revoke access at any time, which immediately deletes all stored tokens.
- Local data: Retained as long as the Application is installed. Uninstalling the Application removes all local data.
- Usage logs: Automatically purged after 90 days.
6. User Rights
Since Gold-B's Agent is self-hosted, you have full control over your data:
- Access: All data is on your machine — you can inspect any file at any time.
- Deletion: You can delete any data by removing files from the local storage directory or uninstalling the Application.
- Revocation: You can disconnect Google integrations at any time via the admin panel or from your Google Account permissions page.
- Portability: Configuration files are stored in standard JSON format and can be exported at any time.
7. Security Measures
- OAuth 2.0 with PKCE (SHA-256) for Google authentication
- AES-256-GCM encryption for stored tokens with PBKDF2-derived keys
- CSRF protection with one-time-use state tokens (5-minute TTL)
- Timing-safe comparisons for all credential operations
- Docker container isolation with minimal privileges
- API rate limiting on all endpoints
8. Children's Privacy
Gold-B's Agent is not intended for use by individuals under the age of 18. We do not knowingly process data from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected in updated versions of the Application. The "Last updated" date at the top of this page indicates the most recent revision.
10. Contact
If you have questions about this Privacy Policy or the Application's data practices, please contact us by opening an issue on our public support repository or by email at goldb.agent.support@gmail.com.