Privacy Policy

Last updated: April 30, 2026

Haul ("we", "our", "us") is operated by Penguin Labs LLC. This Privacy Policy explains how we collect, use, and protect your information when you use our service at usehaul.app.

The short version: We connect to your Gmail to find purchase confirmation emails. We extract purchase data from those emails. We never read your personal emails, never sell your data, and you can delete everything at any time.

1. What We Access

Gmail Access

Haul requests read-onlyaccess to your Gmail account using Google's OAuth 2.0 authentication. Specifically, we use the gmail.readonly scope.

We use this access exclusively to search for and read purchase confirmation emails— order confirmations, receipts, and shipping notifications from retailers like Amazon, Target, H&M, Apple, Walmart, and others.

We do not:

  • Read your personal emails, sent mail, or drafts
  • Read emails unrelated to purchases or orders
  • Store the raw content of your emails
  • Access your Gmail contacts, calendar, or other Google services
  • Send emails on your behalf
  • Modify, delete, or label your emails (unless you explicitly enable Gmail auto-labeling)

Information We Extract and Store

From purchase confirmation emails, we extract and store only:

  • Merchant/retailer name
  • Order total and currency
  • Order date
  • Return deadline (if stated in the email)
  • Order number
  • Item names and prices (where available)
  • Gmail message ID (used to prevent duplicate processing)

We do not store the body, subject, sender, or any other content of your emails. Once we extract the above fields, the raw email is discarded.

2. How We Use Your Information

We use the information we collect to:

  • Display your purchase history on your Haul dashboard
  • Calculate and display return deadlines
  • Send you return deadline alert emails (Premium feature)
  • Generate spending summaries and insights
  • Improve our email parsing accuracy across retailers

We use OpenAI's API (GPT-4o) to parse and extract structured data from email content. Email content sent to OpenAI is used solely for extraction and is subject to OpenAI's API data usage policies. OpenAI does not use API inputs to train their models.

3. Information You Provide Directly

  • Account information: Your email address when you sign in with Google
  • Payment information: Processed by Stripe. We never see or store your full card details.

4. How We Share Your Information

We do not sell your personal information. Ever.

We share data only with the following service providers, strictly to operate Haul:

  • Supabase — Database and authentication hosting
  • OpenAI — Email content parsing (purchase emails only)
  • Stripe — Payment processing
  • Resend — Transactional email delivery (return alerts)
  • Vercel — Application hosting

We may disclose your information if required by law or to protect the rights, property, or safety of Haul, our users, or the public.

5. Data Retention

We retain your purchase data for as long as your account is active. If you cancel your account, we delete all your data within 30 days.

You can delete your account and all associated data at any time from your account settings. Deletion is immediate and permanent.

6. Google API Services Disclosure

Haul's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the minimum Gmail permissions necessary (gmail.readonly)
  • We use Gmail data only to provide the Haul service described to you
  • We do not transfer Gmail data to third parties except as necessary to provide the service
  • We do not use Gmail data for advertising or to train AI models
  • We do not allow humans to read your Gmail data except for security or legal compliance

7. Security

We implement industry-standard security measures including:

  • Encrypted storage of OAuth tokens
  • HTTPS enforced on all connections
  • Row-level security on all database records
  • No storage of raw email content

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@usehaul.app.

8. Your Rights

You have the right to:

  • Access all data we hold about you (available in your account settings)
  • Export your purchase history as CSV at any time
  • Delete your account and all data immediately
  • Revoke Gmail access at any time via Google Account settings
  • Correct any inaccurate data by contacting us

If you are located in the European Economic Area (EEA) or United Kingdom, you may also have rights under GDPR, including the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

Haul is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email. Your continued use of Haul after changes constitutes acceptance of the updated policy.

11. Contact Us

Questions about this Privacy Policy? Contact us at: