Privacy Policy

Last updated: March 5, 2026

This Privacy Policy describes how Gmail Surge ("we", "us", or "our") handles information when you use the Gmail Surge Chrome extension ("Extension") and the Gmail Surge website ("Website"), collectively the "Service".

We take your privacy seriously. The Extension is designed to operate entirely within your browser, and we have built it so that your personal data stays on your device.

1. Information We Do NOT Collect

This is the most important section. Gmail Surge is a client-side Chrome extension. We do NOT:

• Collect, transmit, or store your email content on any external server.
• Collect, transmit, or store your CSV contact lists or recipient data.
• Store your Google account password or OAuth tokens on our servers.
• Track your email sending activity or campaign data.
• Use analytics, tracking pixels, cookies, or fingerprinting in the Extension.
• Sell, rent, or share any user data with third parties.
• Access your Gmail inbox, contacts, or any data beyond what is needed to send emails on your behalf.

2. Information That Stays on Your Device

The following information is stored locally in your browser using Chrome's built-in storage APIs (chrome.storage.local) and never leaves your device:

• Email templates — Subject lines and email body content you save.
• Campaign history — Records of sent campaigns, including recipient status (sent/failed).
• Settings — Your daily send limit, delay preferences, and subscription status.
• CSV data — Contact data from uploaded CSV files is held in browser memory during use and is not persisted after the session.

You can delete all locally stored data at any time by uninstalling the Extension or clearing your browser data.

3. Google API Usage

3.1 Authentication

Gmail Surge uses Chrome's Identity API to authenticate with your Google account via OAuth 2.0. This is Google's standard, secure authentication flow. We never see or store your Google password.

3.2 Permissions Requested

The Extension requests the following Google API scopes:

• Gmail Send (gmail.send) — To send emails on your behalf. This is the minimum scope required for the Extension's functionality.
• User Email (userinfo.email) — To display your email address in the Extension interface.

We do NOT request read access to your inbox, contacts, drafts, or any other Gmail data.

3.3 Google API Services User Data Policy

Gmail Surge's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. Payment Information

Pro tier purchases are processed entirely by Stripe. Payment information (credit card numbers, billing address) is collected and processed by Stripe and is never transmitted to or stored by us. We only receive a confirmation that payment was completed and the associated activation code.

5. Website Information

5.1 Hosting

The Website is hosted on GitHub Pages. GitHub may collect standard server access logs (IP address, browser type, referring page). Please refer to GitHub's Privacy Statement for details.

5.2 Cookies and Tracking

The Website does not use cookies, analytics services, tracking pixels, or any form of user tracking. We do not use Google Analytics, Facebook Pixel, or any similar service.

6. Data Security

Because the Extension operates entirely client-side, your data benefits from the security of your own device and browser. Specifically:

• All Gmail API communication uses HTTPS encryption.
• OAuth tokens are managed by Chrome's built-in Identity API and stored securely by the browser.
• No user data transits through our servers (we do not operate any servers for data processing).

While we employ reasonable measures in the design of the Extension, no method of electronic storage or transmission is 100% secure. You are responsible for maintaining the security of your device and Google account.

7. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has used the Service, please contact us.

8. International Users

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your use is governed by the laws of the State of California. Because the Extension processes data locally on your device, no cross-border data transfer to our servers occurs.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — You can view all data stored by the Extension in Chrome's storage (accessible via the browser developer tools).
• Deletion — You can delete all Extension data by uninstalling the Extension or clearing browser data.
• Portability — Campaign data and templates are stored in standard formats accessible through Chrome's storage APIs.
• Opt-out — Since we do not collect data on our servers, there is no data collection to opt out of.

For GDPR, CCPA, or other data protection inquiries, please contact us.

10. Third-Party Services

The Service interacts with the following third-party services, each with their own privacy policies:

• Google (Gmail API, Chrome Identity API) — Google Privacy Policy
• Stripe (payment processing) — Stripe Privacy Policy
• GitHub Pages (website hosting) — GitHub Privacy Statement

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: Contact Us