Skip to content
LastShelf
Sign In
Privacy

Privacy policy

Last updated: May 2026

Who this is for

This page covers how LastShelf (“we”, “us”) handles data on this marketing website, during account signup, and when you choose to connect Gmail in the product.

What we collect on this site

  • — Your email address when you start signup or contact us. Used to send product and account communications.
  • — Anonymous product-analytics events, only after you click “Accept” on the consent banner. Collected via a privacy-first analytics provider.
  • — Standard server logs (request time, IP, user agent) kept only as long as needed to operate the site.

What we do not do

  • — We don’t sell your email or share it with third parties for marketing.
  • — We don’t run marketing-site analytics until you’ve accepted the banner.
  • — We don’t place advertising cookies.

Google and Gmail data

If you choose to connect Gmail, LastShelf requests read-only access so we can identify bill-related emails and bill attachments, such as PDF statements, that help discover your recurring financial obligations.

  • — We use Google and Gmail data only to identify bill-related emails, senders, subjects, bill attachments, and account-reference details needed for this feature.
  • — Full account numbers, when detected, are encrypted before storage and shown only to the authenticated user on request.
  • — We do not sell Google or Gmail data.
  • — We do not use Google or Gmail data for advertising or ad targeting.
  • — We do not use Google or Gmail data to train generalized AI or machine-learning models.
  • — We do not modify, delete, or send emails on your behalf.
  • — You can disconnect Gmail or request deletion of Gmail-derived data by emailing support@lastshelf.ai.

Sharing, transfer, and disclosure of Google user data

We share, transfer, or disclose Google user data only when needed to provide, secure, or support the bill-discovery and alerting features you request.

  • — Our database hosting provider processes and stores Google OAuth tokens, Gmail-derived email metadata, attachments, extracted bill details, and related database records.
  • — Large language models process selected Gmail email body text and bill attachments so we can extract biller names, amounts, due dates, payment links, and account-reference details from bill-related messages.
  • — Our analytics provider may receive operational event data, such as scan status or feature events, but we strip sensitive fields and do not send raw email bodies, Gmail subjects, OAuth tokens, full account numbers, or bill attachments to analytics providers.
  • — Our email service provider processes email addresses and message content when we send account emails, reminders, or user-triggered trusted-contact handoff links. If you designate a trusted contact and request help, that contact may receive limited bill details needed to help, such as biller name, amount, due date, payment link, payment instructions, and masked account references.
  • — We may disclose information if required by law, legal process, or security obligations, or to protect users and the service from abuse.

We do not sell Google user data, transfer it for advertising, or allow service providers to use it for their own marketing or generalized AI model training. LastShelf’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

How we protect sensitive data

  • — Google OAuth access and refresh tokens are encrypted before storage using AES-256-GCM. Token encryption keys and Google client secrets are kept in server-side environment secrets and are not exposed to the browser.
  • — Full account numbers and other sensitive account references are stored separately from user-visible bill records, encrypted at rest, and accessible only through server-side functions after user authentication.
  • — Product data is stored with our database hosting provider using row-level security so authenticated users can access only their own records. Server-side functions use privileged keys only for controlled backend workflows.
  • — Data is transmitted over HTTPS/TLS between the browser, our server functions, Google APIs, our database hosting provider, and the service providers listed above.
  • — We minimize what we collect and send for analysis, use read-only Gmail access, do not request your Gmail password, and do not move money or make payments on your behalf.
  • — We avoid logging raw OAuth tokens, raw email bodies, full account numbers, and other sensitive Google user data. Analytics events are scrubbed before transmission.
  • — When you disconnect Gmail, we revoke the Google token when possible, delete stored Gmail tokens, and mark Gmail as disconnected in your profile.

Connected account data

If you connect a financial account, LastShelf uses Plaid data to identify recurring bill payments and link them to the vendors you confirm.

  • — We store account masks by default, such as the last four digits shown by Plaid.
  • — Full account numbers are requested only when you grant the required Plaid consent and are encrypted before storage.
  • — We do not use connected account data for advertising or ad targeting.

Your rights

You can ask us to remove your account signup information, disconnect Gmail, or delete Gmail-derived data at any time. Email support@lastshelf.ai and we’ll confirm the deletion within a few business days.

Contact

Questions about privacy: support@lastshelf.ai.