Privacy Policy
What data Abiat collects, why, and how it is handled.
Your email stays on your device
Email and calendar data is fetched from Google and cached locally. It is never uploaded to or routed through Abiat's servers.
No Abiat account
You sign in with Google. Abiat never stores your Google password. Access tokens are kept in your OS's native credential store, not on any Abiat server.
Minimal, anonymous analytics
Both the app and the website send anonymous usage events to Aptabase — things like app started, compose opened, and page views. No email content, no personal information.
Your data is never sold
Abiat does not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Ever.
1. Data controller
The data controller responsible for the personal data described in this policy is Abiat, reachable at info@abiat.io. As the controller, Abiat determines the purposes and means of processing your personal data in connection with the App and this website.
Abiat is based in Sweden and this policy is written in compliance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679).
2. Desktop app — what we access
Google OAuth tokens
When you sign in with Google, Abiat receives an OAuth 2.0 access token and refresh token from Google. These tokens are stored exclusively in your operating system's native credential store (macOS Keychain, Windows Credential Manager, or the equivalent on Linux). Abiat never transmits these tokens to any Abiat-controlled server.
Legal basis: contract performance — the tokens are necessary to provide the core functionality of the App.
Email & calendar data
Abiat uses the Gmail API and Google Calendar API to fetch your messages, threads, and calendar events. This data is stored in a local SQLite database on your device so the App can work quickly without a constant internet connection. The data is never uploaded to Abiat's servers.
Legal basis: contract performance — local caching is necessary to deliver the service you requested when you installed and signed in to the App.
3. Desktop app — what we do not collect
To be explicit: Abiat does not collect or transmit any of the following to its own servers:
- The content of your emails or calendar events.
- Your email attachments.
- Your Google contacts.
- Your Google password or any credentials beyond the OAuth tokens stored locally by your OS.
- Your IP address from within the desktop app.
- Search query text, email subjects, thread IDs, or any other content you type or view.
4. Analytics
Abiat uses Aptabase (EU region) to collect anonymous usage events from both the desktop app and this website. All events are strictly anonymous — no email address, no name, no IP address, and no personal information is ever included.
Desktop app events
The app sends the following events to Aptabase:
- app_started — the app has launched.
- app_exited — the app has quit.
- view_changed — which mailbox or view was navigated to (inbox, sent, drafts, or calendar).
- thread_opened — a thread was opened in a tab; whether it was pinned and whether multiple messages were selected.
- compose_opened — a compose window was opened; the source action (new, reply, reply all, or forward).
- message_sent — a message was sent successfully; whether it was a reply and whether it had attachments.
- search_performed — a search was run; how it was triggered (enter key, history, or person shortcut).
- settings_opened — the settings panel was opened; which section.
Properties are limited to categorical values (e.g. "reply", "inbox") and boolean flags (0 or 1). No free-text content — such as search queries, email subjects, or sender addresses — is ever included in any event.
The desktop app does not currently provide an in-app opt-out for analytics. If you wish to disable analytics, contact us at info@abiat.io.
Legal basis: legitimate interests — understanding which features are used to prioritise development, using data that cannot be traced back to any individual.
Website events
The website (abiat.io) sends the following events:
- page_view — which page was visited (home, download, terms, license, privacy).
- download_click — which platform build was clicked.
- theme_toggled — whether light or dark mode was switched.
- footer_link_click — which footer link was followed.
Each website event includes only the event name, a random session ID that resets hourly, your browser locale, and the app version string.
Legal basis: legitimate interests — improving the website and understanding which platforms users download from, using data that cannot be traced back to any individual.
Aptabase is a privacy-first analytics service. Abiat is the data controller; Aptabase acts as a data processor under a data processing agreement. You can review their practices at aptabase.com/legal/privacy.
5. Third-party services
The desktop app communicates with Google's servers to fetch your email and calendar data on your behalf. Your use of Gmail and Google Calendar is governed by Google's Privacy Policy. Abiat is not affiliated with Google and is not responsible for Google's data practices.
Aptabase
Anonymous analytics from both the desktop app and the website are processed by Aptabase. Their servers are located in the EU. See Aptabase's privacy policy for full details.
GitHub
Abiat's source code, issue tracker, and community discussions are hosted on GitHub. If you open an issue or participate in discussions, your activity is subject to GitHub's Privacy Statement.
6. Your rights under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access — request a copy of the personal data Abiat holds about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data where there is no legitimate reason to keep it.
- Restriction — ask us to pause processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
Because Abiat holds no server-side data about you, most of these rights are exercised directly through your Google account and your local device. Aptabase analytics events contain no personal identifiers and cannot be linked back to you or deleted on an individual basis. For any other privacy enquiry, contact us at info@abiat.io and we will respond within 30 days.
You also have the right to lodge a complaint with the Swedish supervisory authority, the Integritetsskyddsmyndigheten (IMY), if you believe your data has been handled unlawfully.
7. Data retention
Local app data
All data cached by the desktop app — your email, calendar events, and OAuth tokens — is stored on your device only. You control it entirely. Uninstalling Abiat removes the local cache. Your data in your Google account is unaffected.
Aptabase analytics
Anonymous analytics events sent to Aptabase are retained according to Aptabase's own retention policy. Because these events contain no personal identifiers, they cannot be linked back to you or deleted on an individual basis.
8. Changes to this policy
We may update this policy as the App evolves. When we do, we will update the date at the top of this page. Continued use of the App or this website after changes are posted constitutes acceptance of the revised policy. For significant changes we will make a reasonable effort to notify you via the Abiat GitHub repository.
9. Contact
Questions or requests regarding this policy:
- Email: info@abiat.io
- GitHub: github.com/abiat-universe/abiat/issues
Version history
- July 1, 2026 — First version.