What we hold. What we never hold.
You hand LastShelf read access to your Gmail. That’s a real ask. Here’s exactly what we do with it — and what we refuse to do.
What we hold
- — Gmail read-only access, granted with an explicit consent flow separate from account sign-in.
- — A list of your approved bills — biller, amount, due date, and where to pay.
- — The trusted contacts you choose to designate (first name, last name, email).
- — Audit history of past bills, so trusted contacts have context if they need to step in.
What we never hold
- — The ability to pay a bill on your behalf. LastShelf reminds and alerts; it never moves money.
- — Your Gmail password. OAuth tokens are encrypted at rest and refreshed server-side.
- — Shared primary-user logins. Trusted contacts only get limited, revocable handoff access.
- — Data from non-US banking or currencies. Out-of-scope transactions are flagged, not silently dropped.
No auto-actions
Every discovered bill is presented for you to approve, edit, or dismiss. Missed-payment detection is best-effort; you always have a manual mark-as-paid override. LastShelf never silently commits an AI extraction as truth.
One-click disconnect
Revoking Gmail deletes the stored tokens and flips your connection status. Your past bill records remain so trusted contacts retain context, and a full purge flow is available if you want a clean break.
Encrypted tokens, server-only secrets
Third-party tokens (Gmail, bank access if we add it) are encrypted at rest with AES-256-GCM and only decrypted inside our server functions. Client secrets never touch the browser.
Trusted contacts are limited helpers, not tenants
Trusted contacts can receive help-alert emails and limited handoff access. They do not see your primary dashboard, cannot connect data sources, and do not get general access to your financial data. The primary user stays the sole authority.