Common Defense Privacy Policy
Last updated: 2026-06-16
1. Who we are
Common Defense AI Security, Inc. ("Common Defense", or "we", "us", or "our") offers a proprietary service (the “Service”) that scans and classifies incoming messages to a user’s individual platform accounts (“Platform Account(s)”) on messaging platforms which include Gmail, Microsoft 365 / Outlook, Telegram, WhatsApp, and other such supported messaging platforms (each a “Messaging Platform” and collectively, “Messaging Platforms”).
We take your privacy seriously and we are committed to protecting your Personal Information. This Privacy Policy explains who we are, the Service we offer, the information (Personal Information and Usage Data) we collect when you use our Site or Service, how we use and share the information we collect, and the security measures we take to protect that information. The Personal Information identified below may be collected through our website at commondefense.ai (the “Site”), our mobile applications (“Apps”), and from users who register for a User Account (as defined in our Terms) to use our Service. For purposes of this Privacy Policy, an individual whose Personal Data is collected is referred to as “user” or “you”, or “your”. This Privacy Policy is a part of our Terms of Service (“Terms”) available at Terms of Service. Capitalized but undefined terms have the meanings ascribed to them in the Terms.
2. Types of Personal Information We Collect
We may collect the following types of Personal Information with your knowledge and consent when you register an Account to use the Service, communicate with us and provide feedback via the Site and Apps, allow us access to your Platform Accounts, or contact our support line:
- User Account information: Your name, email address, screen name/login and password, phone number, and any other profile fields you choose to provide.
- Platform Account Credentials: The OAuth tokens, app passwords, or API credentials you provide when you connect your Platform Account . We store these Platform Account credentials as encrypted at rest.
- Messages: Incoming messages on your Platform Account, including sender, recipients, message text and Content (as defined in our Terms), links, attachments metadata, and timestamps. Without your authorization to collect this Personal Information, our detection Service cannot work. When the Service first commences, it may also access a limited number of messages received in your Platform Account prior to activation of your User Account, for the sole purpose of detecting “suspicious” messages (as described below). We do not retrieve sent messages, drafts, or historical messages outside the detection scope.
3. Types of Information We Do Not Collect
Our Service is not designed to filter or collect sensitive information (e.g., social security numbers, age, ethnicity, gender, geolocation, credit card information, etc.) or personal health information (PHI under HIPAA) and you are responsible for ensuring that sensitive information and PHI is not routed through the Platform Accounts you ask us to monitor through the Service.
As of the date of this Privacy Policy, our Service is provided at no charge, and we do not collect sensitive information from users who register a User Account and receive the Service. If this changes, we will update this Privacy Policy accordingly, and change “Last Updated” date above.
4. Types of Automated Data We Collect
We automatically collect certain data relating to the performance and configuration of our Site and Service and related consumption, use of, and interaction with the Service (collectively, “Usage Data“). While Usage Data usually does not involve Personal Information, it may include such data in the following instances:
- Detection results: The verdict, confidence score, threat type, and any user overrides for each scanned message.
- Usage logs: Dashboard activity such as sign-ins, settings changes, and connector connect/disconnect events. These logs do not include message content.
- Cookies: A single short-lived, HttpOnly CSRF-protection cookie (oauth_nonce) set only during the Google sign-in redirect. We do not use tracking, analytics, advertising, or personalization cookies.
5. How We Use the Collected Information
Through our automated Service (no human interaction), we use the Personal Information and Usage Data we collect to:
- Scan incoming messages on your connected Platform Accounts for risks and provide the outcomes and verdicts to you in the Common Defense dashboard, in your messaging app where supported (for example, Gmail labels), and in optional alert channels you enable (such as email notifications).
- Operate, maintain, and improve the Service, including monitoring system health and investigating false positives or false negatives that you report.
- Train and refine our scam and phishing detection models on non-Gmail Messaging Platforms. When a message on a non-Gmail Messaging Platform has been classified as suspicious (as described below)by the Service’s automated detection or by your flagging that message, we may use that message to train and refine the detection models we use to protect you and other Service users. A message that is classified as “suspicious” may mean and include, without limitation, a scam, phishing, or warning-tier classification. We use only messages classified as suspicious for model training purposes; messages classified as safe and your routine correspondence are not used for model training. You may opt-out of contributing your suspicious-classified messages to detection improvement at any time through the Common Defense dashboard. No data from a Gmail Messaging Platform is ever used for model training. See Section 13 for the Additional Terms that apply to Account Data obtained through Google Workspace APIs.
- Comply with applicable legal obligations.
6. How We Do Not Use Your Personal Information
- We do not sell your Personal Information to anyone.
- We do not share your message content with advertisers, data brokers, or any other information resellers.
- We do not use your Personal Information for serving advertisements, retargeting, or interest-based advertising.
- We do not use your Personal Information to determine credit-worthiness or for lending purposes.
- We do not access, aggregate, or analyze your Personal Information so that it can be displayed, sold, or otherwise distributed to a third party conducting surveillance.
- We do not use messages classified as safe (your routine, non-threat correspondence) for model training.
- We do not transfer your message content to any party — including any third-party AI service — for model training, fine-tuning, or model improvement. Detection-model training (where it occurs, as described above) runs on Common Defense's own infrastructure. The third-party inference service we use for live scam classification (see Section 7 below) is configured under zero-data-retention terms and does not retain or train on your message content.
- We do not use any information of any kind obtained through Google Workspace APIs for model training of any kind. See Section 13.
7. Third Parties and Sub-Processors
In order to provide the Service, we use trusted service providers (sub-processors) for cloud hosting and infrastructure, transactional email delivery, email integration with supported Messaging Platforms for live scam classification, and (if and when applicable) payment processing. These service providers are bound by agreements that require them to handle Personal Information that is processed through the Service only as needed to deliver the Service to you.
8. Use of Message Content
Live inference; Zero-Data-Retention. Live inference (determining whether an incoming message is a threat) runs through our AI inference provider, which we configure in zero-data-retention mode. The inference provider and the upstream large-language-model provider will only have access to message content for the moments needed to run a live scam-detection classification under zero-data-retention configuration. The AI inference provider does not retain, log, or train on your message content.
Detection-Model Training. As described in Section 5, our Service may use messages from non-Gmail Messaging Platforms that are classified as suspicious to train and refine our detection models. This training runs on Common Defense's own infrastructure. We do not transfer training data to our AI inference service, to third-party fine-tuning services, or to any external model-training infrastructure. No data from a Gmail Messaging Platform is used for any model training.
Aggregated Threat patterns. Aggregated threat patterns derived from non-Gmail Messaging Platforms (E.g., indicator-of-compromise hashes, sender reputation signals, or domain reputation aggregates) may be used and shared across the Common Defense detection network in fully de-identified form. Aggregated threat patterns derived from Gmail data are treated differently and are subject to the strict Gmail-only Additional Terms in Section 13.
Law enforcement and regulators. Law enforcement and regulators receive data only when we are legally required to provide it, and only to the extent of that requirement.
9. Per-User Isolation and Retention of Account Data
Isolation. Your Personal Information is isolated from every other user. Other users cannot see your Personal Information, your message Content, your verdicts, or your detection history (collectively, your “Account Data”).
Retention.
- Account Data (sender, subject, timestamp, score, threat type) is retained for 90 days to power your dashboard history. After 90 days all Account Data is deleted.
- For messages classified as suspicious, the full message body is retained for up to 30 days to allow you to review the flagged message in context. After 30 days, the body is stripped and only the verdict and metadata remain (subject to the 90-day window above).
- For messages classified as safe, the message body is cleared from our systems immediately after the verdict is produced.
If you have not exercised your right to opt-out (see Section 11), copies of suspicious-classified messages from non-Gmail Messaging Platforms are retained in a training corpus for as long as is necessary to maintain and improve our detection models. The training corpus contains the message content itself (the scam pattern is what the model learns from), with certain of your Personal Information (your User Account email and recipient address) but only as necessary. Training-corpus copies are stored on Common Defense's infrastructure under the same encryption-at-rest and access controls as the rest of our systems. This is the only context in which suspicious-classified message content and Account Data is retained beyond the 30-day window described above. If you opt-out, your Account Data will not be used for future training, however, opting out does not reverse the training that has already occurred. No data from a Gmail Messaging Platform is included in the training corpus under any circumstance.
Aggregated threat patterns derived from non-Gmail Messaging Platforms (containing no individual message content) may be retained for longer than 90 days to operate and improve the Service for you and other Common Defense users. Aggregated threat patterns derived from Gmail Messaging Platform data are subject to the stricter retention rules (See Additional Terms in Section 13) and are not retained as part of a long-running threat-intelligence database. Other than the training corpus described above (which excludes data from a Gmail Messaging Platform), we do not retain your raw message content beyond the windows described above.
You may request deletion of your User Account including all of the Personal Information in your User Account and all Account Data, at any time by exercising your opt-out options in Section 11.
Encrypted backups follow the same retention windows on a rolling basis and do not extend the retention beyond the windows above.
10. Human Access to Your Data
Common Defense personnel (humans) do not read your Account Data in the course of normal operations. We may access your Account Data only in the following narrowly defined circumstances, in which cases, such access is logged and auditable:
- In response to your request. For example, you contact support to investigate why a message was missed, wrongly flagged, or to help you recover an account; or you opt in to a feature that requires us to view a specific message.
- Security or abuse investigation. Where access is necessary to investigate a security incident, debug a defect that is causing data loss or exposure, or investigate suspected platform abuse.
- Legal compliance. Where access is required by applicable law, valid legal process, or regulatory request.
- Aggregated or anonymized internal operations. Where Account Data is aggregated or anonymized so that individuals cannot be identified, to monitor system performance and operate the Service.
11. Your Rights
Depending on your jurisdiction, you may:
- Access and export the Account Data we hold in your User Account, in a machine-readable format that is comparable in ease to exporting data from the connected platform itself. Email accounts@commondefense.ai to export your Account Data. We will not make exported Account Data available to third parties who do not also abide by the data-portability obligations described here.
- Correct information that is inaccurate.
- Delete your User Account and all associated Account Data. Email accounts@commondefense.ai to delete your User Account and associated Account Data. User Account deletion revokes all User Account credentials and rights to use the Service, and all Account Data will be deleted from our systems within 30 days.
- Disconnect a Messaging Platform at any time. Disconnection immediately stops monitoring of that Messaging Platform; any Account Data derived from your Platform Account connected to that Messaging Platform is deleted in accordance with Section 9.
- Opt-out of detection-model training. For non-Gmail Messaging Platforms where training is described in Section 5, you may opt-out at any time from the Common Defense dashboard. When you opt-out, that prevents future use of your suspicious-classified messages for model training, however, opting out does not reverse the training that has already occurred (i.e., we cannot un-train a model on Account Data it has already seen). No further training will be conducted on your Account Data after you opt out. Data from a Gmail Messaging Platform is never used for training, regardless of this setting.
We do not discriminate against you for exercising any of these rights.
12. Security
We protect your Personal Information using:
- Encryption in transit for all communication with our servers, with the connected platforms, and with our sub-processors (HTTPS / TLS).
- Encryption at rest for OAuth tokens, Platform Account credentials, and message-derived Content, with encryption keys managed in AWS Key Management Service (KMS).
- Role-based access control for all internal systems, with least-privilege defaults.
- Audit logging of administrative and data-access events.
- Incident response. We will notify you and the relevant authorities of any unauthorized access to your Account Data to the extent and in the timeframes required by applicable law.
For more details, please see our Security Terms located on our Security page.
13. Additional Terms for Google Workspace API and Gmail Messaging Platform
This Section 13 applies to User Account holders who use Gmail as their Platform Account and connect that Gmail Platform Account to the Service. The following Additional Terms supplement, and where more protective, supersede, the terms in this Privacy Policy with respect to Account Data obtained through Google APIs.
13.1 Limited Use commitment
The use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use of raw or derived user data received from Google Workspace APIs will adhere to the same policy.
13.2 What Common Defense is approved to do
Common Defense uses Google APIs as an application that uses information from emails to provide reporting or monitoring services for the benefit of users that improve the email experience — specifically, by monitoring incoming messages for scam and phishing threats and reporting detected threats to the user.
13.3 Restrictive Scopes we request and why
When you connect your Gmail Platform Account, Common Defense requests the following Google OAuth scopes:
https://www.googleapis.com/auth/gmail.modify — to read your incoming Gmail messages so they may be scanned for scams and phishing, and to apply a label called Common Defense/Scam to messages that our detection identifies as a threat. While the gmail.modify scope technically permits broader access (including sending, deleting, and modifying other labels), Common Defense's use of this scope is limited to the two actions described above: reading incoming messages and applying the Common Defense/Scam label. When the Service first commences, it may read a limited number of Gmail messages received prior to activation of your User Account for the sole purpose of detecting suspicious messages. Common Defense does not send mail on your behalf, does not delete mail, does not modify any other labels, and does not access your sent mail, drafts, or trash.
We do not request or use any other sensitive/restrictive Gmail or Google account scopes.
13.4 Data Flows for Gmail Account Data
Email integration sub-processor (transitional). During the period before Common Defense's own Google API access is fully provisioned, Common Defense uses Unipile (France / European Union) as a sub-processor to mediate calls to the Gmail API on Common Defense's behalf. Unipile receives the Gmail messages we are authorized to read and forwards them to Common Defense for scam detection. Unipile is bound by a data processing agreement, processes Gmail Account Data only for the purposes described in this policy, and holds CASA Tier 2 certification. Once Common Defense's direct Google API access is in place, Unipile will no longer be in the Gmail Account Data path; we will update this Privacy Policy and the sub-processors list when that transition is completed.
Scam classification pipeline. Common Defense's scam and phishing classification logic runs in our own systems. Where a classification step requires a large language model, the inference call is routed through a third-party AI inference service under a zero-data-retention configuration. That service forwards each inference call to an upstream large language model provider that, under the terms applicable to Common Defense's account, does not retain, log, or use the content for training. Once the inference response is returned, no party in the chain retains the Gmail message content sent for inference.
No transfer for model training. Common Defense does not transfer Gmail message content to any party for model training, fine-tuning, model improvement, or any database built for those purposes.
Other sub-processors. The cloud hosting and transactional email sub-processors described in Section 7 may process Gmail-derived Account Data only to the extent necessary to host the service or deliver alerts to you. They do not have independent rights to your Gmail Account Data.
13.5 No AI / ML training on Gmail Account Data
Notwithstanding the detection-model training described in Sections 5 and 7 (which apply only to non-Gmail Messaging Platforms), Common Defense does not retain Gmail Account Data to develop, improve, or train any machine learning or artificial intelligence model, including non-personalized models, foundational models, and any model that would benefit users beyond the contributing Gmail user. Common Defense does not transfer, sell, or use Gmail Account Data to create, train, or improve any machine learning or artificial intelligence model, regardless of whether the model would serve only the contributing user, other users, or generalized populations. Gmail Account Data flows through scam detection only and is excluded from the training corpus described in Section 9.
We do not scrape Gmail Platform Accounts, and we do not build or maintain a database of Gmail content, or of patterns, signals, or aggregates derived from Gmail content, for any purpose other than the live scam-detection feature described in this policy. We do not retain Gmail content or Gmail-derived Account Data beyond the retention windows described in Section 9 and Section 13.6, and we do not keep cached copies of Gmail content longer than the cache headers permit.
13.6 Retention specific to Gmail Account Data
- Verdicts and metadata (sender, subject, timestamp, score, threat type) for Gmail messages are retained for 90 days to power your dashboard history.
- The full message body of Gmail messages that are classified as suspicious is retained for up to 30 days, after which the body is stripped and only verdict and metadata remain.
- The full message body for Gmail messages that are classified as safe is cleared immediately after the verdict.
13.7 Sharing and Transfers of Gmail Account Data
Common Defense does not transfer Gmail Account Data except:
- To deliver or improve the scam-detection feature that is visible and prominent in the Common Defense user interface, and only with your consent. This includes transfers to the sub-processors listed in Section 7 and Section 13.4, each of which is bound by an agreement and processes Gmail Account Data only for this purpose. Real-time threat indicators derived from your Gmail Account Data (such as malicious URL hashes or sender-spoofing fingerprints from a message scanned for you) are used to protect you on your own Gmail Platform Account in the moment of detection. Common Defense does not build a long-running threat-intelligence database from Gmail-derived Account Data, does not feed Gmail-derived patterns into model training or improvement pipelines, and does not share Gmail-derived patterns or aggregates with third parties or other users.
- For security purposes, such as investigating abuse, debugging a defect that is causing data loss or exposure, or threat-intelligence research carried out by us.
- To comply with applicable laws and regulations, including in response to valid legal process.
- As part of a merger, acquisition, or sale of assets of Common Defense, after obtaining your explicit prior consent.
Common Defense does not transfer or sell Gmail Account Data to advertising platforms, data brokers, or other information resellers; does not use Gmail Account Data for advertising, retargeting, or interest-based advertising; does not use Gmail Account Data to determine credit-worthiness or for lending purposes; and does not access, aggregate, or analyze Gmail Account Data so that it can be displayed, sold, or otherwise distributed to a third party conducting surveillance.
Common Defense ensures that its employees, agents, contractors, sub-processors, and successors comply with the Google API Services User Data Policy and with the commitments in this Section 13.
13.8 Human Access to Gmail Account Data
The general human-access exceptions in Section 10 also apply to Gmail Account Data, with the same four narrow exceptions: your explicit request, security or abuse investigation, legal compliance, and aggregated or anonymized internal operations. Gmail content is not read by Common Defense personnel (humans) in the course of normal operations.
13.9 Disconnecting Gmail and Deleting Gmail-Derived Account Data
You may disconnect your Gmail Platform Account at any time from the Common Defense dashboard. On disconnect:
- We revoke our refresh token with Google immediately.
- We delete the encrypted OAuth tokens from our systems.
- We delete the Gmail-derived Account Data and all history associated with the disconnected account, on the same retention timelines as account deletion (within 30 days).
For full Common Defense User Account deletion rights, see Section 11.
13.10 Where to learn more
14. Children
Common Defense is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact accounts@commondefense.ai and we will delete it.
15. International Users
Common Defense is operated from the United States. If you access the service from outside the United States, you understand that your Account Data will be processed in the United States and other jurisdictions where our sub-processors operate. We rely on appropriate transfer mechanisms (for example, Standard Contractual Clauses) where required by law.
16. Changes and Contact
We will notify you by email or in-product if this policy changes in a way that materially affects how we handle your Account Data, and we will update the "Last updated" date above. Continued use of Common Defense after the change becomes effective constitutes your acceptance of the change.
For changes that materially affect how Common Defense accesses, uses, stores, or shares Account Data obtained through Google APIs (including Gmail Account Data), we will notify you and prompt you to consent to the updated practices before we make use of your Google Account Data in a new way or for a different purpose than originally disclosed. We will not rely on continued use as consent for those changes.
For questions, requests, or to exercise any of the rights described above:
Common Defense AI Security, Inc.
accounts@commondefense.ai
