Skip to main content

Data Use Policy

Version 2.3
Last revised on: April 11th, 2026

Leto processes school and PTA emails to extract tasks, events, and deadlines for your family calendar. Email content, linked newsletters, PDF attachments, and images are processed and deleted immediately after extraction. This page explains what data we access, how we use it, and how you control it.

What Data We Use

  • Parent Emails: Only emails already provided to your PTA are used to verify signup.
  • Tasks & Events: Leto extracts relevant information (like deadlines, events, and sign-ups) from PTA-distributed emails and / or email accounts connected by Premium subscribers.
  • Minimal Family Info: Parents may optionally add children's first names and grade levels to organize their family calendar.

Organization Signup Pages

Your PTA may provide a dedicated signup link for parents to join Leto.

What We Collect

  • Your email: Captured before you create your account, used to pre-fill signup and track if you complete registration
  • Your IP address: Recorded for security purposes (preventing abuse)

Why We Collect It

  • To connect you to your PTA automatically when you complete signup
  • To follow up if you start but don't complete registration
  • To prevent automated abuse of signup pages

Security

  • Signup links contain a security token—only links from your PTA will work
  • Organizations can rotate or revoke signup links if a link is shared beyond the intended community.
  • Pages are not indexed by search engines
  • Rate limiting prevents automated signups

Retention

  • If you complete signup, your lead data is linked to your account
  • If you don't complete signup, your data is automatically deleted after 30 days
  • You can request immediate deletion by emailing [email protected]

Email Inbox Connection (Premium Feature)

Premium users can connect their Gmail inbox to automatically discover organization-related emails and extract tasks and events. Here's how it works:

What We Access

  • Email Metadata (past 45 days): Sender addresses, subject lines, and dates to identify and map organization-related senders to organizations.
  • Email Content (past 14 days): We temporarily read email body content from recognized organization senders to extract tasks, events, and deadlines.
  • Linked web pages: When emails from approved senders contain links to external pages (such as online newsletters or school event pages), we follow those links and fetch the page content to extract task and event information. This is done directly by Leto's servers — the content is never sent to a third-party scraping service.
  • PDF attachments: PDF files attached to emails from approved senders are processed to extract text and dates. Image-based PDFs are analyzed by AI.
  • Images: Images embedded in or attached to emails from approved senders are analyzed by AI to extract text content such as event dates and announcements.
  • All content extraction — email body, web pages, PDFs, and images — is performed by Anthropic's Claude AI.

What We Don't Access

  • We do not access your drafts or sent mail.
  • We do not read who you emailed (recipients/CC/BCC).
  • We do not access email metadata older than 45 days, or email content older than 14 days.
  • We do not access links or attachments from senders you have not approved.

How Long We Keep Email Data

  • Email content is deleted immediately: After we extract tasks and events, the actual email content is deleted immediately. In the event of a processing failure, content is deleted within 24 hours. We only keep extracted tasks and events with their context snippets.
  • Sender mappings and email fingerprints are organizational: When you delete your account, we remove everything personal to you. The only data we retain is organization-level sender mappings and email fingerprints, which help other families and cannot be traced back to you. See our Privacy Policy for full details.
  • Extracted tasks persist: The tasks, events, and deadlines we extract become part of your Leto account and stay until you delete them.

Connecting Multiple Inboxes

Families can connect up to 3 email accounts (for example, both parents' inboxes). Each connected account is private to the parent who connected it—we never share one parent's inbox address with another family member.

Premium Subscription & Payment

Leto Premium is a paid subscription that unlocks email inbox connection and multi-organization support.

What Payment Data We Collect

  • We do NOT store your credit card number. Payments are processed by Stripe.
  • We receive only a reference token and the last 4 digits of your card for display purposes.
  • We record your subscription status, plan type, and billing dates to manage your account.
  • Stripe may collect device information and IP addresses for fraud prevention purposes.

Trial Period

  • Premium includes a 21-day free trial
  • Your card is validated but not charged during the trial
  • Your bank may show a temporary $0 authorization to verify your card. No charge is made during your trial.
  • Your subscription automatically starts after the trial unless you cancel
  • You can cancel anytime before the trial ends with no charge

Price Changes

  • Prices are subject to change
  • Price changes apply at your next renewal
  • We will notify you in advance where required by law

Refunds

  • Annual subscriptions: Full refund available within 14 days of purchase or renewal
  • Trials: Cancel before the trial ends and you won't be charged
  • Refunds are issued to the original payment method and typically appear within 5-7 business days

Pioneer Program

  • Some families receive promotional Premium access for one year as "Pioneers"
  • Pioneers help identify school-related email senders for their community
  • No credit card required for pioneer enrollment
  • After one year, pioneers may continue with a paid subscription
  • Existing pioneers keep their full 12-month access even if we stop offering the program to new users

How We Process Your Emails

When you connect your email inbox, here's what happens:

What We Process

  • Sender addresses and subject lines: To match emails to organizations you follow
  • Email body content: To extract tasks, events, and relevant context
  • Linked web pages: URLs in emails from approved senders are followed and the page content is fetched and processed to capture information not included in the email body (e.g., online newsletters, school event pages). Web page content is fetched directly by Leto's servers — it is not sent to any external scraping service. Fetched content is processed in memory and deleted after extraction.
  • PDF attachments: Text is extracted from PDFs. Image-based PDFs (e.g., scanned flyers) are sent to Anthropic for visual text recognition. Original PDF files are deleted after extraction.
  • Images (inline and attached): Images in emails from approved senders are analyzed by Anthropic's AI to identify text content (dates, event titles, deadlines). Original images are deleted after extraction.

What We Send to Our AI Provider

  • Email body text, linked web page content, PDF documents, and images from approved senders are processed by Anthropic's Claude AI to extract tasks and events
  • Anthropic does not retain your content or use it for model training
  • Text content: We redact family member names before sending to Anthropic to minimize personal information shared
  • Images and PDFs: Name and personal information redaction is not technically possible before visual analysis. Images and PDFs may contain names or contact information that is sent to Anthropic as part of visual processing. This is a necessary limitation of image-based content extraction.
  • Anthropic is the only third-party service that receives your email content, attachments, or linked page content. No web scraping service or other vendor receives this data.
  • We review Anthropic's data handling practices regularly and will notify you of any material changes that affect how your data is processed
  • See Anthropic's Privacy Policy for details

What We Store

  • Extracted tasks and events: The actionable items we find in your emails
  • Task/event context snippets: A short excerpt limited to the information needed to explain the extraction (e.g., the sentence containing the date, deadline, or action item)
  • Email fingerprints: Cryptographic hashes generated per email message for deduplication (cannot be reversed to recover content). Maintained at the organization level.
  • Sender mappings: Which email senders are associated with which organizations. Maintained at the organization level.

What We Delete

  • Email body content: Deleted immediately after successful processing. In the event of a processing failure, deleted within 24 hours.
  • Fetched web page content: Processed in memory and never stored beyond the duration of the processing pipeline. No web page content is retained after extraction.
  • PDF attachments: Deleted immediately after successful processing. In the event of a processing failure, deleted within 24 hours.
  • Images: Deleted immediately after successful processing. In the event of a processing failure, deleted within 24 hours.

What We Retain as Organizational Data

Organization-level sender mappings and email fingerprints are retained to help other families and prevent duplicate processing. This data cannot be traced back to you. See our Privacy Policy for full details.

What We Do NOT Store

  • Full email bodies (deleted immediately after processing)
  • Email-level summaries

Organization Email Addresses (PTA Partnerships)

Some organizations receive a Leto-provided email address (such as [email protected]) for distributing organization communications.

How This Works

  • Emails sent to Leto-provided organization addresses are organization-wide communications shared by your PTA or school
  • These are not private family emails — they are communications the organization intends to share with all member families
  • These emails are processed on behalf of the organization and distributed to member families as tasks and events
  • Email content is deleted after processing (or within 24 hours if processing fails)

This Is Different From Your Personal Inbox

  • When you connect your personal Gmail inbox, only you control which emails are processed
  • Organization email addresses are managed by the organization, not individual families

Organization Partnerships

Leto partners with PTAs (Parent-Teacher Associations) and PAs (Parent Associations) to distribute organization communications to families. These partnerships are provided at no cost to the organization.

What Organizations Receive

  • Organizations may receive aggregated engagement metrics (such as overall completion percentages) when sufficient users exist to prevent individual identification
  • We do not share metrics for groups with fewer than 10 users
  • We may further withhold metrics if the cohort is small or the metric is sensitive
  • Aggregated metrics are designed to reduce re-identification risk
  • Organizations do not receive access to:
    • Your email content
    • Your personal tasks or family data
    • Your connected inbox information
    • Any individually identifiable information
  • Note: While sender mappings and email fingerprints are maintained at the organization level, organizations cannot view, access, or export this data. It is used internally by Leto only.

Premium Subscription Independence

Your decision to subscribe to Leto Premium is independent of any organization partnership. Premium subscriptions allow you to connect your email inbox directly to Leto and specify which emails to process, regardless of whether an organization has partnered with Leto.

Marketing Emails

During signup, you can choose to receive occasional emails about product updates and new features.

  • You control this — it's opt-in during registration
  • You can unsubscribe anytime using the link at the bottom of any marketing email
  • Unsubscribing won't affect important emails like billing confirmations or task notifications
  • We never sell or share your email address with third parties for their marketing purposes

Deleting Your Data

Deleting Individual Tasks

You can delete individual tasks at any time through your account. Deleted tasks are moved to your Deleted Tasks page, where you can permanently remove them.

Deleting Your Account

When you delete your account, we delete your personal data, including:

  • Your personal information
  • Extracted tasks and events
  • Your connection credentials and sync history

Data is removed from active systems within 30 days of your deletion request. Backup data may be retained for up to 90 days before being fully purged.

Organization-level sender mappings and email fingerprints are retained as described in our Privacy Policy.

Third-party processors (such as Stripe) retain records as required by their policies and applicable law. Aggregated, anonymized metrics that cannot identify you may be retained for service improvement.

Google API Services Disclosure

When you connect your Gmail account to Leto, we access your email data through Google's APIs. Our use of this data is governed by Google's policies:

  • Limited Use: Leto's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  • Purpose: We only use your Gmail data to identify school-related senders and extract tasks, events, and deadlines for your family calendar.
  • No Advertising: We never use your email data for advertising, and we never share it with advertisers or data brokers.
  • AI Processing: Your email content, images, PDF attachments, and linked web page content are processed by Anthropic's Claude AI to extract tasks and events. Anthropic is our only third-party data processor for this content, and they are bound by our data processing agreement. Your content is not shared with any other third parties. Web page content from linked newsletters is fetched directly by Leto's servers — no third-party scraping service is involved.
  • Revoke Anytime: You can disconnect your Gmail account from Leto at any time in your account settings, or directly through Google's security settings.
  • Direct Integration: Leto accesses your Gmail data directly through Google's APIs using our own Google Cloud Platform project. No third-party email middleware or intermediary processes your Gmail data.

What We Don't Do

  • We do not store or process student grades, report cards, or sensitive educational records.
  • We do not sell or share personal data with third parties.
  • We do not allow outside advertisers or trackers.
  • We do not use your email data for advertising or marketing purposes.
  • We do not share your email data with data brokers or information resellers.
  • We do not permanently store email body content, PDF attachments, images, or fetched web page content — all are deleted immediately after processing (or within 24 hours if processing fails).
  • We do not send your data to any third-party web scraping service. Web page content from linked newsletters is fetched directly by Leto's servers.
  • We do not read drafts or sent mail.

How Data Is Protected

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access is limited to essential Leto team members only.
  • PTA verification rosters (lists of parent emails for signup verification) are encrypted using AES-256-GCM before storage. The original uploaded file is not retained—only encrypted email data is stored for ongoing verification of new signups. Rosters from inactive organizations are automatically purged. This is separate from the Premium email inbox feature, which has its own retention policy described above.
  • Email Data Security: Sender email addresses are encrypted using AES-256-GCM encryption before storage. Email content is deleted immediately after processing.
  • Secure Search: We use "blind indexing" to search encrypted data without decrypting it, adding an extra layer of protection.

Parent Control

  • Families explicitly opt in to use Leto.
  • Parents can opt out at any time; their data will be fully deleted within 30 days.
  • PTAs act as initial gatekeepers for access—Leto never overrides their official roster.
  • Email Connection Control: You can disconnect your email account at any time from your Leto settings. Disconnecting immediately stops all email processing and deletes your connection credentials.
  • Data Deletion: When you disconnect your email, your extracted tasks and events remain in your account. Organization-level sender mappings and email fingerprints are retained as described in our Privacy Policy.
  • Google Account Control: You can also revoke Leto's access directly through your Google Account security settings.

Data Ownership and Usage Rights

Raw Data Ownership

Leto does not claim ownership over content from users' connected email inboxes. This includes emails, attachments, and metadata accessed via inbox integrations. Users may disconnect their inboxes at any time; disconnecting deletes connection credentials and sync history. Organization-level sender mappings and email fingerprints are retained as described in our Privacy Policy.

Transformed Data Ownership

Leto retains intellectual property rights over the structured format and system-generated metadata of transformed data (including tasks, events, sender mappings, and engagement metadata), not the underlying content. This applies solely when:

  • (a) The original email was sent to a Leto inbox; or
  • (b) The email was sent to a Leto-provided organization address via a PTA partnership.

Use of Transformed Data

Transformed data is used to provide and improve the Leto service. For PTA-supported families, task and event data may be shared across verified family accounts to support coordination (e.g., both parents seeing the same signup task). No personal content is shared outside the family unit unless explicitly authorized.

Limitation on Private Emails

Leto does not process or retain direct one-on-one communications between families and organizations unless a user connects their inbox. Such content is treated as private and subject to deletion on request.

Requesting Deletion or Export

Families can request deletion or export of both raw and transformed data associated with their account at any time by contacting [email protected].

AI Processing Consent

By using email extraction features, you consent to the use of artificial intelligence (AI) to analyze email content, PDF attachments, images, and linked web page content for task and event identification, including visual analysis of images and documents. Leto uses Anthropic's Claude AI for this purpose under a binding data processing agreement.

Data Portability

Users may request an export of extracted task and event data and sender mappings in human-readable format (e.g., CSV or JSON). We do not retain or export raw email content after deletion.

Location & Compliance

  • All data is securely stored on U.S.-based servers.
  • Leto follows U.S. privacy laws and security standards, including encryption, access controls, and parent-first account management.
  • Our practices are designed to support the needs of PTAs, organizations, and families.

Contact Information

Keith Harper
444 E 82nd St #17F
New York, New York 10028
Telephone: 206-351-4765
Email: [email protected]