Google API Services User Data Policy
Last updated: 2026-04-18
Limited Use statement
Mouda’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
1. Which Google APIs and scopes we use
With your explicit consent at sign-in, Mouda requests a single Gmail OAuth scope:
- https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail messages and threads. Mouda cannot send, modify, delete, or label messages on your behalf. We ask for no other Gmail scope.
We also use Google’s Pub/Sub service behind the scenes to receive real-time notifications that new matching emails have arrived, so we can sync without polling your inbox. Pub/Sub messages contain only opaque change markers, not your email content.
2. What we do with the data we receive
Information received from Google APIs is used solely to provide and improve user-facing features of Mouda — specifically, to:
- Fetch messages whose sender or subject matches the supported prop-firm confirmation patterns (Apex, Topstep, Tradeify in V1). Messages that do not match these patterns are not retrieved.
- Parse each matching message into structured fields (firm, event type, date, amount, account identifier) and persist those structured fields in your ledger.
- Store an encrypted copy of the raw message body so that if our parsers improve we can re-derive your ledger without going back to Gmail, and so you can audit how a specific ledger row was produced.
- Maintain real-time sync via Gmail Pub/Sub and renew the Gmail watch subscription before its 7-day expiration.
3. What we do not do
Consistent with the Google API Services User Data Policy’s Limited Use requirements, Mouda does not:
- Sell your Google user data — ever. Not to advertisers, data brokers, affiliates, or any third party.
- Use your Google user data for advertising — including retargeting, personalized advertising, or interest-based advertising.
- Transfer your Google user data to any other app or party, except to the sub-processors listed in our Privacy Policy that are strictly necessary to provide the Service (for example, encrypted storage and error monitoring), under data-processing agreements.
- Allow humans to read your Google user data, except (a) with your explicit consent; (b) when necessary for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized and is used for internal operations in accordance with the Limited Use requirements. In particular, if you open a support ticket that requires us to look at a specific parsed message, we will only access that message after you have explicitly asked us to and identified it.
- Train machine-learning models on your Google user data. When our rule-based parsers cannot classify a message, we may send the message body to an LLM provider (Anthropic) for a single fallback inference; that data is not retained by the provider for model training.
4. How we protect the data
- OAuth refresh tokens and raw email bodies are encrypted using envelope encryption. A master key held in AWS KMS wraps a per-user data-encryption key (DEK); the DEK encrypts your content.
- All network traffic is TLS-encrypted, with HSTS enforced on both mouda-ledger.com and app.mouda-ledger.com.
- Row-level security at the database layer prevents one user from reading another user’s data, even in the event of an application-layer bug.
- OAuth tokens are never written to application logs. Sentry and Axiom pipelines scrub token-shaped strings.
- Administrative access to production requires hardware MFA.
- Mouda undergoes the annual Cloud Application Security Assessment (CASA) required by Google for restricted Gmail scopes.
5. Your control
- You can disconnect Gmail from Mouda at any time in Settings → Connections. Doing so revokes our refresh token locally and stops all future Gmail reads.
- You can also revoke Mouda’s access to your Google account at any time by visiting myaccount.google.com/permissions.
- Deleting your Mouda account purges the encrypted raw emails, parsed ledger, and tokens in line with the 60-day retention window described in our Privacy Policy.
6. Incident reporting
If we learn of an incident that may have exposed Google user data, we will notify affected users and, where applicable, Google, in line with Google’s reporting requirements and applicable law. Security reports can be sent to support@mouda-ledger.com.
7. Changes to this disclosure
We will update this page whenever we change the Google API scopes we request, the sub-processors that receive Google user data, or the purposes for which we use it. The “Last updated” date at the top of the page always reflects the current version.
8. Contact
Questions about this disclosure can be sent to support@mouda-ledger.com.