We don't train on your data. We don't share it. You control access and can revoke it anytime.
How Authentication Works
SurfBuddy uses OAuth 2.0—the same standard used by apps like Slack and Notion to connect to Google.
- You click an agent and ask it to do something (e.g., "find my emails" in the Gmail workspace)
- SurfBuddy prompts you to connect
- Google's sign-in page opens (not ours)
- You approve the specific permissions requested
- Google sends us a secure token, and your request completes
We never see your Google password. Authentication happens entirely on Google's servers.
What Each App Can Access
| App | Can Access | Cannot Access |
|---|---|---|
| Gmail | Read emails, create drafts | Delete emails, change settings |
| Sheets | Read/write specified sheets | Sheets you don't share |
| Docs | Create and edit documents | Documents you don't share |
| Calendar | Read/create events | Delete events, other calendars |
| Web Explorer | Public web pages, search results | Private pages, authenticated content |
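
To compare the table above with what a connection actually grants, the sketch below audits the space-delimited `scope` field of an OAuth 2.0 token response against an allowlist. It is an added example, not SurfBuddy's code: this page does not list scope strings, so the `ALLOWED` and `CONTRADICTS` mappings (built from Google's published scope names) and the sample response are assumptions constructed for illustration.

```python
import json

# Assumption: scopes a reviewer accepts as matching the "Can Access" column.
# The page does not publish the scope list SurfBuddy requests.
ALLOWED = {
    "https://www.googleapis.com/auth/gmail.readonly",   # read emails
    "https://www.googleapis.com/auth/gmail.compose",    # drafts (also permits sending)
    "https://www.googleapis.com/auth/drive.file",       # only files used with the app
    "https://www.googleapis.com/auth/calendar.events",  # events (not whole calendars)
}

# Assumption: broad scopes that would contradict the "Cannot Access" column.
CONTRADICTS = {
    "https://mail.google.com/": "Gmail: permits permanent deletion of mail",
    "https://www.googleapis.com/auth/gmail.settings.basic": "Gmail: permits changing settings",
    "https://www.googleapis.com/auth/spreadsheets": "Sheets: covers all spreadsheets",
    "https://www.googleapis.com/auth/documents": "Docs: covers all documents",
    "https://www.googleapis.com/auth/calendar": "Calendar: covers every calendar",
}

def audit_scopes(token_response, allowed=ALLOWED):
    """Return (scope, reason) pairs for granted scopes outside the allowlist."""
    granted = set(json.loads(token_response).get("scope", "").split())
    findings = []
    for scope in sorted(granted - set(allowed)):
        findings.append((scope, CONTRADICTS.get(scope, "not in the reviewed allowlist")))
    return findings

# Constructed sample token response; the token value is a placeholder.
SAMPLE = json.dumps({
    "access_token": "constructed-placeholder",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": " ".join([
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/gmail.compose",
        "https://mail.google.com/",
        "https://www.googleapis.com/auth/contacts.readonly",
    ]),
})

if __name__ == "__main__":
    for scope, reason in audit_scopes(SAMPLE):
        print(f"REVIEW {scope}: {reason}")
```

The same scope names appear on Google's consent screen and on the permissions page used for revocation, so the allowlist can be checked there by eye as well.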
How to Revoke Access
- Go to myaccount.google.com/permissions
- Find "SurfBuddy"
- Click "Remove Access"
All tokens are invalidated immediately. SurfBuddy loses access until you reconnect.
Data Protection
In transit: All API communication uses HTTPS/TLS encryption.
At rest: Tokens are stored encrypted. We don't store copies of your emails, documents, or spreadsheets—data is fetched in real time when you request it.