Privacy Policy

Last updated: February 2026

1. Introduction

Just Text Me ("we," "our," or "us") operates a service that monitors your Gmail inbox and sends you SMS notifications when emails match your custom rules. This Privacy Policy explains what data we collect, how we process it, who we share it with, and your rights regarding your information.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Your email address and name (via Google OAuth sign-in)
  • Your phone number (for SMS notifications)
  • Your timezone and quiet hours preferences

Gmail Data

When you connect your Gmail account, we request read-only access (gmail.readonly scope). We use this access solely to check incoming emails against your notification rules. For emails that match your rules, we store:

  • Email subject line
  • Sender address
  • A short snippet (up to 500 characters)

We do not store full email bodies, send emails on your behalf, modify or delete your emails, or use your email data for advertising.

Notification Rules

Rules you create (e.g., "Text me when HAVN has a 25% off coupon") are stored as natural language text along with a machine-generated configuration used for matching.

Usage and Error Data

We collect aggregated daily metrics (rules created, matches found) and error reports via Sentry for debugging. Sentry error replays capture browser interactions only when an error occurs; we do not record general browsing sessions.

3. How We Process Email Data

When a new email arrives, Google sends a push notification to our server via GCP Pub/Sub. We then:

  1. Retrieve the email subject, sender, and a short snippet from Gmail via the Gmail API.
  2. Send this metadata to OpenAI to generate a semantic embedding — a numerical representation used to compare the email against your rules.
  3. If the similarity is uncertain (between 0.4 and 0.85), send the email metadata to Anthropic (Claude) for a secondary confirmation check.
  4. If a match is confirmed, send you an SMS via Twilio and store the match metadata (subject, sender, snippet) in our database.

Input sanitization is applied to all email content before it is sent to any AI provider, including zero-width character removal, Unicode normalization, and injection pattern detection.

4. Third-Party Service Providers

We share data with the following third-party services, each for a specific purpose:

  • Google — Authentication (OAuth sign-in) and Gmail API access for reading emails. Google Cloud Pub/Sub delivers real-time email arrival notifications to our server.
  • Anthropic — Email metadata (subject, sender, snippet) is sent to Claude for rule parsing and match confirmation on uncertain cases.
  • OpenAI — Email metadata is sent to generate semantic embeddings for similarity-based matching against your rules.
  • Twilio — Your phone number and notification message content are sent to deliver SMS alerts.
  • Stripe — Payment information is processed by Stripe. We do not store your credit card details.
  • Supabase — Hosts our PostgreSQL database where your account data, rules, and match history are stored.
  • Vercel — Hosts our application and runs scheduled maintenance tasks (cron jobs for token refresh and Gmail watch renewal).
  • Trigger.dev — Orchestrates background jobs for email processing and SMS delivery.
  • Sentry — Receives error reports and performance data for debugging and reliability monitoring.

Each provider processes data under their own privacy policy and applicable data processing agreements.

5. Legal Basis for Processing

We process your data under the following legal bases:

  • Contract performance — Processing your emails against your rules and sending SMS notifications is necessary to provide the core service you signed up for.
  • Legitimate interest — Security monitoring (anomaly detection, webhook authentication), error tracking via Sentry, and fraud prevention are necessary for the safe operation of our service.
  • Consent — You explicitly opt in to SMS notifications by verifying your phone number during signup. You can withdraw consent at any time by replying STOP to any message or disabling notifications in your account settings.

6. Data Security

We implement the following security measures:

  • All data is encrypted in transit using TLS.
  • Gmail OAuth tokens are encrypted at rest using AES-256-GCM envelope encryption — each token is encrypted with a unique random data encryption key (DEK) and initialization vector (IV), and the DEK is itself encrypted with a master key encryption key (KEK).
  • Phone verification codes are cryptographically hashed before storage, with brute-force lockout after failed attempts.
  • OAuth state parameters are HMAC-signed to prevent cross-site request forgery.
  • Gmail webhook requests are authenticated using both OIDC JWT verification and a shared secret token.
  • Row-level security policies ensure users can only access their own data in the database.

7. SMS Notifications and Consent

By providing your phone number and completing phone verification during signup, you expressly consent to receive SMS notifications from Just Text Me. These messages will alert you when emails matching your notification rules are detected.

Message frequency varies based on your rules and email volume.

To opt out: Reply STOP to any message, or disable notifications in your account settings. You may also delete your account at any time.

Message and data rates may apply. Carriers are not liable for delayed or undelivered messages.

8. Data Retention

We retain your data for as long as your account is active and your subscription is current.

When you delete your account, all of your data is immediately and permanently deleted via a cascade delete, including your profile, rules, match history, queued SMS messages, and security event logs. Gmail OAuth tokens are revoked with Google before account deletion.

9. Your Rights

You have the following rights regarding your data:

  • Access and portability — You can export all of your data (profile, rules, matches) as a JSON file from your account settings.
  • Deletion — You can permanently delete your account and all associated data from your dashboard settings. Deletion is immediate and irreversible.
  • Revoke Gmail access — You can disconnect your Gmail account at any time from your dashboard, which revokes our access and stops all email monitoring.
  • SMS opt-out — Reply STOP to any SMS message or disable notifications in your settings.

10. GDPR Compliance

For users in the European Economic Area (EEA), we process your data in accordance with the General Data Protection Regulation (GDPR). The legal bases for our processing activities are described in Section 5 above. You may exercise any of your rights under GDPR by contacting us at privacy@justtextme.app or by using the self-service tools in your account settings (data export and account deletion).

11. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete their account and data.

12. Cookies and Sessions

We use cookies strictly for authentication and session management. When you sign in, NextAuth.js sets session cookies to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date above.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: