Start Dash setup

Privacy and security

Google user data

Dispatch lets you connect one personal Google account so your Dispatch agents can help with Gmail, Drive, and Calendar. Access is private to your Dispatch identity, happens only when you ask for it or approve a user-attributed workflow, and can be disabled or disconnected at any time.

Last updated July 14, 2026

Permissions Dispatch requests

Dispatch asks for identity first, then requests each product only when you authorize it. Dispatch uses these exact OAuth scopes:

Identity

openid email profile

Identify the Google account you chose and display its email.

Gmail

gmail.readonly gmail.send

Search and read messages you request. Send a message only after you repeat a short-lived confirmation phrase bound to the exact recipient, subject, and body.

Google Drive

drive.file

Read files you deliberately select with Google Picker and create a file only after exact confirmation. Dispatch does not receive broad access to all Drive files.

Google Calendar

calendar.events

Read event details and create an event only after exact confirmation. Destructive calendar actions are not enabled.

How access works

  • OAuth refresh tokens are encrypted and stored server-side.
  • Agents call a Dispatch broker and never receive Google credentials.
  • Google Picker receives one short-lived access token in browser memory so you can select a file. It is not written to browser storage, Dispatch logs, prompts, or artifacts.
  • Each operation is checked against your identity, enabled service, granted scope, and write-confirmation policy.

How data is used and shared

Dispatch retrieves Google content on demand to complete your request. Relevant excerpts may be sent to the AI provider configured for your Dispatch workspace so the agent can answer or act. OAuth credentials are never sent to the AI provider.

Dispatch does not sell Google user data, use it for advertising, or use it to train a general-purpose model. It does not continuously crawl or bulk-sync personal Google data by default.

Retention and deletion

Provider content is not copied into a separate integration database by default. Content you intentionally keep in a chat, work item, document, or workflow artifact follows that workspace's retention controls. Security audit records retain the actor, operation type, status, timestamp, and limited provider object identifier—not message bodies, file contents, event descriptions, tokens, or raw responses.

Disconnecting Google revokes the project grant when Google is reachable and deletes the stored refresh token locally immediately. You can also revoke Dispatch from your Google Account permissions.