open-assistant

Privacy Policy

Last updated: May 12, 2026

1. Information We Collect

The Open Assistant software itself does not collect any data. As a self-hosted solution, all data processed by your instance remains on your own infrastructure. We (the Project maintainers) do not receive any data from your use of the software.

If you use a managed instance provided by the Project or its partners, that instance operator may collect data as described in their separate privacy policy.

2. Self-Hosted Deployments

When you self-host Open Assistant:

  • All conversation history, email content, calendar data, files, and credentials are stored exclusively on your own servers
  • Your chosen LLM provider may log requests according to their own policies
  • No telemetry or analytics are sent from the software to the Project

3. Third-Party Services

When you configure Open Assistant to connect with third-party services (Gmail, Outlook, OneDrive, Notion, WhatsApp, etc.), those services may collect and process data under their own privacy policies. We encourage you to review the privacy policies of any services you connect.

4. Google User Data

When you connect your Google account, Open Assistant requests access to specific Google services. This section describes what Google user data we access, how we use it, and how we protect it.

Data We Collect from Google

We request access to the following Google services and data solely to provide the functionality described below:

  • Gmail — Email messages, attachments, and metadata (sender, subject, date, labels) to enable reading, composing, sending, and organizing your email
  • Google Calendar — Event titles, times, attendees, descriptions, and locations to enable viewing, creating, and managing your calendar events
  • Google Drive — Files, folders, file metadata, file contents, and sharing information to enable reading, creating, editing, and managing your files
  • Google Docs — Document content and formatting to enable reading, creating, and editing your documents
  • Google Sheets — Cell data, formatting, and sheet structure to enable reading, creating, and editing your spreadsheets
  • Google Slides — Slide content and text to enable reading and creating your presentations

How We Use Google User Data

Google user data is used solely to provide the application's core functionality:

  • Gmail data is used to read, compose, send, and organize your emails on your behalf
  • Calendar data is used to view, create, update, and manage your events
  • Drive, Docs, Sheets, and Slides data is used to read, create, edit, and manage your files and documents
  • Google user data may be sent to your configured LLM provider solely to process your requests (e.g., generating email replies, summarizing documents)

No Google user data is used for any purpose beyond providing or improving these features.

How We Share Google User Data

  • We do not sell, rent, or otherwise provide Google user data to any third party for their independent use
  • Google user data is only transferred to your chosen LLM provider to the extent necessary to process your requests
  • We do not share Google user data with advertising networks, data brokers, or information resellers

Google User Data Retention and Deletion

  • Google OAuth tokens are stored in encrypted form in your local database; you can revoke Open Assistant's access at any time through your Google Account permissions settings
  • Conversation data that includes Google user data is stored in your database and remains entirely under your control
  • You can delete any or all data at any time by deleting individual conversations or clearing your data

Google User Data Security

  • All Google OAuth tokens are encrypted at rest
  • All Google service authentication uses OAuth 2.0
  • All tool invocations involving Google data are recorded in the audit log
  • No Google credentials are stored in plaintext

5. Use of Google User Data — Prohibited Uses

We do not use Google user data for any of the following purposes:

  • Targeted or personalized advertising
  • Selling data to data brokers or information resellers
  • Credit-worthiness determination or lending decisions
  • Training artificial intelligence or machine learning models
  • Any purpose beyond providing or improving the application's functionality

6. Cookies

The web interface uses minimal session cookies for authentication. No tracking, analytics, or advertising cookies are used.

7. Data Retention

Data retention is entirely under your control when self-hosting. The software stores data in a local database. You may delete any or all data at any time.

8. Data Security

The software implements the following security measures:

  • All service credentials are encrypted at rest using Fernet symmetric encryption
  • OAuth2 is used for all third-party service integrations
  • Full audit logging of all tool invocations
  • No credentials are stored in plaintext

9. Children's Privacy

The Project is not intended for use by individuals under the age of 16. If you become aware that a child has provided us with personal information, please contact us at hello@open-assistant.org.

10. Your Rights

Because the Project does not collect personal data, most privacy rights (access, correction, deletion) apply to your own deployment rather than to the Project itself. For managed instances, contact the operator of that instance.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via the Project repository or project communications.

12. Contact

For privacy-related questions, contact us at hello@open-assistant.org.
