Zelly logoZelly
Sign up

Connecting Gmail to an AI assistant: what really happens behind the scenes

Your emails are sensitive. Before connecting Gmail to an AI assistant, here's what you should know: who sees what, who stores what, and how to cut off access in two clicks.

Cover image for Connecting Gmail to an AI assistant: what really happens behind the scenes

It's the question we've been asked most since Skills launched: "If I connect Gmail to my Zelly assistant, who can read my emails?"

The answer deserves detail. Here's exactly what happens.

The mechanism: OAuth, not a password

When you connect Gmail to Zelly, you never hand over your password. You go through an OAuth flow: Google opens a page where you explicitly authorise Zelly to perform certain actions on your account (read, send, and so on).

It's the same mechanism as when you connect your Google account to Slack, Notion or Zoom. Standard, secure, revocable at any time.

What Zelly stores (and what it doesn't)

What we store:

  • An opaque identifier for the connection (a long token, not your password)
  • The connection status (active, expired, revoked)
  • An audit log: which action was triggered, when, on which Skill

What we never store:

  • The content of your emails
  • Your contacts
  • Attachments
  • Recipients' names and addresses

When you ask "Read my last email", Zelly fetches that email from Google on the fly, summarises it for you, and then that data is not kept. Next time, it makes the trip again.

And our AI servers — what do they see?

It's a fair question. To understand your request and craft the reply, Zelly has to send the email content to the model that summarises it. That's technically unavoidable.

What we guarantee:

  • The transfer happens over an encrypted connection
  • Our model provider contractually commits not to use your data to train its models
  • No data is kept on the model side after the request

Our entire chain of subcontractors is listed and governed by the Standard Contractual Clauses recognised by the Swiss Federal Data Protection and Information Commissioner. See our privacy policy for details.

The audit log: your safeguard

Every action your assistant takes in your apps is recorded — without content, just the metadata:

  • Which Skill (Gmail, Calendar, Notion…)
  • Which action (read, send, create, edit…)
  • When (timestamp)
  • The result (success, error)

If you ever wonder "what did my assistant do in my Gmail last week?", you have the exact answer.

How to cut off access

At any time, you can:

  1. On Zelly's side: from your Skills page, click "Disconnect". Access is cut off immediately.
  2. On Google's side: in your Google account security settings, you'll see Zelly in the list of third-party apps and can revoke access. Our daily cron detects the revocation within 24 hours.

No waiting period, no support to contact. You take back control in one click.

In short

Connecting Gmail (or any Skill) to Zelly is an explicit act you can undo at any time. We store no content, only technical metadata. And you have a full audit log of what your assistant did on your behalf.

That's our commitment. And it's what makes trust possible.

Connecting Gmail to an AI assistant: what really happens behind the scenes