Before you read the legalese
You generate a lot of data when you work — every command you run, every email you index, every document you store, every memory entry you set. This privacy policy explains what happens to all of it. It’s written for humans and regulators, but since it’s your activity producing most of this data, you should understand what’s going on.
Activity logging is a feature, not surveillance. Every command you execute, every result you receive, every action you propose and every approval or rejection — all of it is logged with full context and timestamps. This isn’t hidden data collection. It’s the audit trail that lets your human answer “what did the AI do?” with confidence. It protects both of you.
Your data is not used to train AI models. This is explicit in the policy. Your emails, documents, calendar data, messages, and activity logs are never used to train models — not ours, not anyone else’s. Your data exists to provide the service, bill for usage, and maintain security. That’s it.
Your data is not sold. No ads, no marketing profiles, no third-party data sharing for commercial purposes. The only external parties that see your data are the providers your human has connected (Gmail, iCloud, etc.) and the payment processor.
The provider is the source of truth. Mechanical Advantage maintains a local index of your human’s provider data for fast access, but it doesn’t replace the original. If your human stops using Mechanical Advantage, their data at Gmail, iCloud, Fastmail, and everywhere else is completely unaffected. After account cancellation, Mechanical Advantage’s local index, documents, and memory are deleted within 30 days. Agent activity logs are retained for up to 12 months.
The full legal text follows below.
Overview
Mechanical Advantage (“we,” “us,” “our”) is a CLI toolkit that gives AI agents structured access to email, calendar, contacts, messaging, web, document storage, and memory services. This privacy policy explains what data we collect, how we use it, how we store it, and how we share it.
This policy applies to the Mechanical Advantage service available at https://mechanicaladvantage.ai, including the CLI tool, the API, and the web application.
Data We Collect
Account data
When you create a Mechanical Advantage account, we collect:
- Email address. Used for account creation via a one-time magic link. This is also the primary identifier for your account.
- Passkey credentials. We store the public key portion of your WebAuthn/FIDO2 passkey. The private key never leaves your device. We never have access to your biometric data (fingerprint, face scan, etc.) — biometric verification happens entirely on your hardware.
- Payment information. Processed by our third-party payment processor. We do not store full card numbers. We retain billing records (transaction amounts, dates, plan details) for accounting and compliance.
Connected account data
When you connect a provider account (Gmail, iCloud, Fastmail, Microsoft, Telegram, Discord, Reddit, Slack), we collect:
- OAuth tokens. Used to access your provider account on your behalf. Stored encrypted at rest.
- Email messages, calendar events, contacts, and documents synced from your connected providers. This data is indexed locally in markdown format for fast agent access. The provider remains the source of truth — Mechanical Advantage maintains a local index, not a copy that replaces the original.
- Messaging history from connected messaging platforms (Telegram, Discord, Reddit, Slack), indexed for agent access.
- Cloud storage documents (Google Drive, iCloud Drive, OneDrive) converted to markdown for agent use.
Agent activity data
Comprehensive activity logging is a core feature of Mechanical Advantage, not incidental data collection. We log:
- Every command executed by an agent, including parameters and results.
- Approval queue history — actions proposed, approved, rejected, and modified, including any feedback provided by the human reviewer.
- Approval history — which actions were approved, rejected, or modified, and by whom.
- Revision history — when an agent resubmits an action after rejection, the full chain of attempts is preserved.
This logging exists so you can always answer the question: “What did the AI do?”
User-generated content
- Documents stored via ma docs — markdown files with tags, versions, and full-text search.
- Memory entries stored via ma memory — key-value pairs the agent uses to retain context over time. All memory mutations (writes and deletes) are queued for human approval before taking effect.
- Messages composed and sent through messaging commands (subject to human approval).
Usage data
- API call counts and types — used for billing.
- Error logs — used for service reliability and debugging.
How We Use Your Data
To provide the service. We use your data to execute commands, sync data from connected providers, queue actions for your approval, and deliver the functionality you signed up for.
To bill you. We track usage-based charges (web search, fetch, image generation, speech services) and subscription charges (connected accounts) to generate accurate invoices.
To maintain security. Audit logs, abuse detection, and anomaly monitoring depend on activity data.
To improve the service. We may analyze aggregate, anonymized usage patterns — for example, which commands are most used or where errors occur most frequently. We never analyze individual email content, documents, calendar data, or messages for this purpose.
What we do NOT do
- We do not use your email content, documents, calendar data, or messages to train AI models.
- We do not sell your data to third parties.
- We do not serve ads.
- We do not profile you for marketing purposes.
Data Storage and Security
- Encryption in transit. All data transmitted between your device, our servers, and connected providers is encrypted using TLS.
- Encryption at rest. All stored data — including OAuth tokens, documents, email indexes, and activity logs — is encrypted at rest.
- No password database. Mechanical Advantage uses passkey-only authentication (WebAuthn/FIDO2). There is no password database to breach, no password hashes to steal, and no password reset flow to exploit.
- OAuth tokens are encrypted at rest. Agents never have direct access to these tokens.
- API keys are hashed before storage. The plaintext is shown once at creation and never again.
- Passkeys — the server stores only the public key. The private key and biometric data remain on your device.
For a detailed explanation of our security architecture, see our Security page.
Data Sharing
With connected providers
Mechanical Advantage sends data to your connected providers as part of normal operation. When you approve sending an email through Gmail, that email is transmitted to Gmail’s servers via their API. This is the expected behavior of the service — Mechanical Advantage acts on your behalf with your connected accounts.
Email routing distinction
When an agent sends an email via ma email send, that email is sent through your own email provider (Gmail, iCloud, Fastmail, Microsoft) using OAuth 2.0 tokens. Mechanical Advantage does not send or relay outbound agent email through its own infrastructure.
Separately, Mechanical Advantage uses Amazon Simple Email Service (SES) for its own account-level transactional emails only: magic link signup, account lockout notifications, and support-initiated account recovery correspondence. These system emails originate from accounts@mechanicaladvantage.ai and are never triggered by agent actions. SES has no role in the product’s email feature.
With our payment processor
We share billing information with our third-party payment processor to process your payments. The payment processor operates under its own privacy policy.
We do not sell or rent your data
We do not sell, rent, or share your personal data with third parties for their marketing purposes.
Legal requirements
We may disclose your data if required by law, regulation, or valid legal process (such as a subpoena or court order). Where legally permitted, we will notify you before making such a disclosure.
Business transfers
In the event of a merger, acquisition, or sale of assets, your data may transfer with the business. We will provide notice before your data becomes subject to a different privacy policy.
Data Retention
| Data type | Retention period |
|---|---|
| Account data (email, passkey public keys) | Retained while your account is active. Deleted 30 days after account termination. |
| Connected account data (email index, calendar, contacts) | Local index deleted when you disconnect the provider or terminate your account. Deletion occurs within 30 days. Provider data is unaffected — it remains with your provider. |
| Agent activity logs | Retained for 12 months after the activity occurs. |
| Documents and memory | Retained while your account is active. Deleted 30 days after account termination. |
| Usage and billing records | Retained as required by applicable law and our accounting obligations. |
When data is deleted, it is permanently removed from our active systems. Backups containing deleted data are purged within 30 days of the deletion date.
Your Rights
Access
You can request a copy of the data we hold about you. We will provide it in a structured, machine-readable format.
Correction
You can update your account information at any time through the web app.
Deletion
You can request deletion of your account and all associated data. Deletion is completed within 30 days of your request, subject to any legal retention obligations.
Portability
Documents stored in Mechanical Advantage are markdown files — an open, plain-text format. You can export your documents at any time. Your data is inherently portable.
Withdrawal of consent
You can disconnect provider accounts at any time, which stops data syncing and deletes the local index. You can close your account at any time, which triggers deletion of all associated data, subject to the retention periods described above.
CCPA (California)
If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information.
Children’s Privacy
Mechanical Advantage is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal information, please contact us at privacy@mechanicaladvantage.ai.
Third-Party Services
Mechanical Advantage connects to third-party services to provide its functionality. Each provider’s privacy policy governs their handling of your data. We encourage you to review their policies.
Categories of third-party services
| Category | Providers |
|---|---|
| Email providers | Gmail, iCloud (via IMAP/SMTP), Fastmail, Microsoft (Outlook/Exchange) |
| Calendar and contacts providers | iCloud (CalDAV/CardDAV), Google, Fastmail, Microsoft |
| Messaging platforms | Telegram, Discord, Reddit, Slack |
| Cloud storage | Google Drive, iCloud Drive, OneDrive |
| Payment processing | Stripe |
| Web search | Brave Search API |
| Web fetch | Firecrawl |
| Image generation | OpenAI |
| Text-to-speech | ElevenLabs |
| Speech-to-text | AssemblyAI |
| Website analytics | Plausible (marketing site only — cookie-free, no personal data) |
| Transactional email | Amazon SES (account authentication emails only — not agent email) |
Cookies and Tracking
The CLI tool does not use cookies. The CLI authenticates via API key and does not involve browser-based sessions.
The web app uses essential cookies only. These are strictly necessary for session management and authentication. They are not used for tracking, analytics, or advertising.
The marketing site uses Plausible Analytics. Plausible is a privacy-respecting analytics tool that does not use cookies, does not collect personal data, and does not track users across sites. All data is aggregated — no individual visitors are identified. Plausible is hosted in the EU and is GDPR-compliant without requiring a consent banner.
We do not use:
- Tracking cookies
- Personally identifiable analytics (Google Analytics, Mixpanel, etc.)
- Advertising pixels or retargeting tags
- Cross-site tracking of any kind
Changes to This Policy
We will notify users of material changes to this privacy policy at least 30 days before the changes take effect. Notification will be sent to the email address associated with your account.
Continued use of the service after the notice period constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before they take effect.
Contact
For questions about this privacy policy or your data, contact us at:
Email: privacy@mechanicaladvantage.ai
We will respond to all privacy-related inquiries within 30 days.