
Privacy Policy

Last updated: April 28, 2026

Summer is a personal-scale tool that summarises receipts and invoices from your Gmail inbox. This page explains what data passes through it and what does not.

Data we receive from you

  • Google account profile. When you sign in we receive your name, email address, and Google account ID via Google OAuth.
  • Gmail OAuth tokens. Access and refresh tokens for the scopes you grant: gmail.readonly and gmail.send. These let Summer read receipt-candidate messages and email the summary back to your own inbox.
  • Session cookies. Standard authentication cookies issued by better-auth.

What we store

Only the data above — profile, OAuth tokens, sessions — in a Postgres database hosted on Supabase. We do not store the contents of your emails, the extracted receipts, or the generated summaries. Each run is computed from scratch in memory and discarded when the worker finishes.

How your email is processed

When you click Generate summary, a background worker:

  • Fetches purchase-related messages from Gmail in your selected window.
  • Extracts structured fields (merchant, amount, currency, date) using embedded schema.org markup where available, falling back to Google Gemini (model gemini-2.5-flash-lite) for the rest. Email content is sent to the Gemini API to perform this extraction.
  • Converts amounts to ILS using public ECB rates from frankfurter.dev.
  • Sends the rendered HTML summary back to you via your own Gmail account.

Note that Google's Gemini API may retain prompt content for abuse monitoring per its own terms. See Gemini API terms.

Third parties involved

  • Google (OAuth + Gmail API) — sign-in and email read/send.
  • Google Gemini API — receipt extraction.
  • Supabase — Postgres hosting for the auth tables.
  • Upstash QStash — background job queue.
  • Vercel — application hosting.
  • frankfurter.dev — currency exchange rates.

Use of Google user data

Summer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Your Gmail data is used solely to produce the requested summary and is not sold, used for advertising, or shared with third parties beyond the processors listed above.

Your choices

  • Revoke access at any time via myaccount.google.com/permissions. Doing so invalidates the stored OAuth tokens.
  • Request deletion of your account record by contacting the address below.

Contact

Questions or deletion requests: yariv@riser.co.il.
