What we hold. What we never hold.
You hand LastShelf read access to your Gmail. That’s a real ask. Here’s exactly what we do with it — and what we refuse to do.
What we hold
- — Gmail read-only access, granted with an explicit consent flow separate from account sign-in.
- — A list of your approved bills — biller, amount, due date, and where to pay.
- — The dependents you choose to designate (first name, last name, email).
- — Audit history of past bills, so dependents have context if they need to step in.
What we never hold
- — The ability to pay a bill on your behalf. LastShelf reminds and alerts; it never moves money.
- — Your Gmail password. OAuth tokens are encrypted at rest and refreshed server-side.
- — Dependent logins. Dependents are email recipients, not users. They have no account to hack.
- — Data from non-US banking or currencies. Out-of-scope transactions are flagged, not silently dropped.
No auto-actions
Every discovered bill is presented for you to approve, edit, or dismiss. Missed-payment detection is best-effort; you always have a manual mark-as-paid override. LastShelf never silently commits an AI extraction as truth.
One-click disconnect
Revoking Gmail deletes the stored tokens and flips your connection status. Your past bill records remain so dependents retain context, and a full purge flow is available if you want a clean break.
Encrypted tokens, server-only secrets
Third-party tokens (Gmail, bank access if we add it) are encrypted at rest with AES-256-GCM and only decrypted inside our server functions. Client secrets never touch the browser.
Dependents are recipients, not tenants
Dependents receive alert emails. They do not log in, they do not see a dashboard, and they do not get general access to your financial data. The primary user stays the sole authority.