Legal
Privacy Policy
Last updated July 2, 2026
Kakerou is a personal lead-recovery operator. To do its job it connects to accounts you authorize and acts through them — as you, never through a shared address. This policy explains exactly what it accesses, what it does with that data, and the controls you have. In plain terms: your data is used to do the work you asked for, it is never sold, and nothing is sent on your behalf without your explicit okay.
What we access
Only what the operator needs, and only from accounts you connect:
- Gmail (via Google OAuth). We read recent inbound messages to find leads that went cold, and — when you approve — send replies from your own address. We request the narrowest scopes that make this possible.
- Connected accounts. When you link a tool (Gmail, Calendar, Drive, Slack, Notion, and others), the OAuth tokens are held by our integration provider (Composio) so the operator can act on your behalf. We do not see or store your account passwords.
- Your Kakerou account. Your email address and the Telegram (or iMessage) identifier we use to reach you.
- Operating memory. Facts you tell the operator and a record of the leads it found and the drafts it prepared, so it can do the job well.
How we use it
- To scan your recent inbound and identify leads that never got a reply.
- To draft win-back messages in your voice, which you review before anything sends.
- To send a message only after you approve it, and to follow up until the lead answers or you call it off.
- To keep the memory and preferences that make its work useful to you.
To draft and triage, message content is processed by our language-model provider (OpenRouter, which routes to Anthropic models). It is used to generate the draft for that task and is not used to train models on your data.
What we never do
- We never sell or rent your data, or share it for advertising.
- We never send, post, or take an irreversible action without your explicit approval.
- We never operate through a shared inbox — the operator acts as you, from your own connected accounts.
Where your data lives
Account records and operating memory are stored in our database (Supabase) with row-level security so only your account can read your data. OAuth tokens are held by Composio. The app runs on Vercel. Each provider processes data on our behalf under its own security commitments.
Third parties we rely on
- Google — Gmail access you authorize.
- Composio — secure storage of connected-account tokens.
- OpenRouter / Anthropic — drafting and triage.
- Supabase — database and authentication.
- Vercel — hosting.
- Telegram — the channel we message you on (iMessage where available).
Your controls
- Revoke access anytime. Remove Kakerou from your Google account permissions at myaccount.google.com/permissions and it can no longer read or send from your inbox.
- Reset. Send /reset to the operator to clear your stored state.
- Delete. Ask us to delete your account and associated data at any time using the contact below.
Data retention
We keep your data while your account is active and for as long as needed to provide the service. When you delete your account or revoke access, we delete or disconnect the associated data within a reasonable period.
Google API disclosure
Kakerou's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for advertising, and we do not transfer it except as needed to provide or improve the feature you asked for, to comply with law, or as part of a merger you are notified of.
Changes
We may update this policy as the product evolves. Material changes will be reflected by the date above.
Contact
Questions, or a data request? Email darynmirzhusip@gmail.com.