Safe with your inbox. By design.
Useful AI for your messages without compromising on privacy or control.
Three commitments
Your messages are not used to train AI models. Not by us. Not by our model providers, who process messages under enterprise contracts that prohibit training on our data.
Messages are encrypted between Gmail, Slack, Teams, and our servers, and encrypted on disk while stored. Hosted on AWS with industry-standard hardening on every layer.
Disconnect an integration and we stop analyzing new messages from that source. Delete your account and everything associated with it goes too. No retention games, no friction.
How your messages flow through this+that
When you connect Gmail, Outlook, Slack, Teams, or another supported source, you authorize us through that service’s standard OAuth flow. We never see or store your password.
As messages arrive, we read them to extract tasks, follow-ups, and other action items. The reading happens through Amazon Bedrock — AWS’s managed AI service, which fronts foundation models from Anthropic and other providers. Bedrock’s terms prohibit using customer data to train the underlying models, regardless of which model handles a given request. The extracted tasks and the metadata we need to link them back to the original message are stored on AWS DynamoDB, encrypted at rest.
We store the messages themselves so you can read, reply, and act on them inside this+that — the same way they live in Gmail, Slack, Teams, and the other platforms we connect to. Stored data is encrypted at rest. If you disconnect an integration, we stop syncing new messages from that source, and you can request removal of previously synced data. If you delete your account, every message, task, and record we hold for you is removed.
What we don’t do with your data
- We don’t sell your data. To anyone. Ever.
- We don’t share it with advertisers, data brokers, or analytics resellers.
- We don’t use it to train AI models, and our model providers don’t either, per the enterprise terms we’ve signed.
- We don’t retain it after you delete your account.
Compliance & certifications
SOC 2 Type I
In progress. We’re working with an independent auditor on our SOC 2 Type I certification. We’ll publish the report and update this page when it lands.
GDPR & CCPA
We follow the requirements that apply to us under both frameworks. You can request access to or deletion of your data at any time — in the app, or by emailing privacy@thisandthat.chat.
Breach notification
In the unlikely event of a security incident affecting your data, we follow industry-standard protocols to notify affected users promptly and to remediate the underlying issue.
Frequently asked questions
Can I use two-factor authentication to secure my login?
Yes. We recommend signing in with your Google account, which supports 2FA. Your this+that account inherits the security posture of the identity provider you use to sign in.
Is my data encrypted in transit and at rest?
Yes, both. Data is encrypted while moving between connected services (Gmail, Slack, Teams, and others) and our servers, and it’s encrypted while stored.
Where is my data stored?
On AWS, with DynamoDB as our primary database. AWS is the industry-standard cloud platform with extensive security and reliability certifications of its own.
Will this+that share my messages or data with third parties or AI developers?
No. Your data is never sold or shared for advertising. We process messages through Amazon Bedrock — AWS’s managed AI service that fronts foundation models from Anthropic and other providers. Bedrock’s terms prohibit training on customer data, regardless of which underlying model handles a request. AWS is our subprocessor for AI processing, not a data buyer.
What happens if I disconnect an integration?
We stop analyzing new messages from that source immediately. You can also request the removal of any previously synced data from that integration. If you delete your account entirely, everything is removed.
Do you comply with GDPR, CCPA, or other data privacy regulations?
Yes, we follow the major data privacy frameworks that apply to our service, and you can delete your account (and therefore your data) at any time. For specific requests under GDPR or CCPA, email privacy@thisandthat.chat.
What if there’s a data breach — will I be notified?
Yes. In the unlikely event of a breach affecting your data, we follow industry-standard protocols to notify affected users promptly and to take immediate steps to secure all systems.
Who can see my messages and tasks inside this+that?
Your DoBox is private — only you see what’s in it. Shared task lists are visible to everyone in that list, by design. If you move a task with an attached message into a shared list, others on that list will see the message; that visibility persists even if you later leave the list.
Questions about how we handle your data?
We answer security and privacy questions directly. Email us — a real person reads every message.