Privacy Policy

Privacy Policy

Ginkgo respects and protects the privacy of all users. This policy explains what information we collect, how we use and protect it, and how we handle data when connecting third-party mailboxes such as Gmail.

1. About This Policy

This Privacy Policy applies to the family-office wealth-management platform and related websites, applications and services (the "Services") provided by Ginkgo (operated by WEALTH PULSE PTE. LTD., a company incorporated in Singapore, UEN 202320351N, "we", "us").

By using our Services, you acknowledge that you have read and understood the data practices described in this policy. If you do not agree, please stop using the relevant features.

2. Information We Collect

To provide the Services, we may collect:

  • Account and identity information: e.g. name, contact details, organization, used for account provisioning and identification;
  • Financial and business data: e.g. positions, transactions, statements, used for wealth-management features;
  • Usage and diagnostic data: e.g. product interactions, crash and performance data, used to maintain and improve the Services;
  • Third-party data you explicitly authorize: e.g. when you connect an Exchange or Gmail mailbox for transaction-email ingestion, the email content and attachments in that mailbox (see Section 4).

3. How We Use Information

  • To provide, maintain and improve user-facing features of the Services;
  • To identify and ingest transaction information and generate structured wealth-management records;
  • To keep the Services secure and to investigate abuse and faults;
  • To comply with applicable laws and regulations.

4. Google User Data (Gmail)

When a tenant administrator connects a Gmail mailbox to Ginkgo for the transaction-email ingestion feature, the application requests the following Google OAuth scopes: openid, email and profile (to confirm the identity of the authorizing account), and https://www.googleapis.com/auth/gmail.modify (to read messages and apply a label). Note that gmail.modify technically permits reading, composing and sending email; however, this application uses it only to read messages and apply the "Ginkgo-Processed" label, and never composes or sends email.

We use this scope solely to power the tenant transaction-email ingestion feature. Specifically, the application reads messages in the connected mailbox’s inbox, including message bodies and attachments, to identify and extract transaction-related information (e.g. trade confirmations, account statements); and applies a label ("Ginkgo-Processed") to messages we have already processed, so that each message is handled only once and is not read again on subsequent runs. We do not send email on the user’s behalf, and we do not access messages outside the connected mailbox.

How we use the data: email content retrieved through this scope is used only to provide the user-facing transaction-ingestion feature. To automatically identify and extract transaction information, message bodies and attachments (including images, which may require OCR) are processed by our AI service and by third-party AI / large-language-model and OCR service providers (see Section 5); where masking rules are configured, content is first processed through our data-masking pipeline, and then used to derive structured transaction records that appear in the tenant’s account. We do not use this data for advertising, and we do not use it to train or improve generalized artificial-intelligence or machine-learning models.

How we store and retain it: the Google refresh token used to maintain the connection is stored in our access-controlled server-side infrastructure. Processed message content and derived transaction data are stored within our application to provide the feature and are retained for the duration of your account and deleted or anonymized within 90 days after account closure. A tenant may disconnect the mailbox at any time; the administrator may also revoke access at any time via the user’s Google Account security settings (https://myaccount.google.com/permissions).

Limited Use: our use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

  • We only use Google user data to provide or improve the user-facing feature described above;
  • We do not transfer Google user data to others except as necessary to provide or improve the feature (e.g. cloud-infrastructure sub-processors bound by equivalent data-protection obligations), for security purposes, or to comply with applicable law;
  • We do not use Google user data for any advertising purposes;
  • We do not use Google user data to determine creditworthiness or for lending purposes;
  • We do not allow humans to read Google user data except: (a) with the user’s explicit consent for specific messages; (b) as necessary for security purposes (such as investigating abuse); (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized.

5. Sharing and Sub-processing

We do not sell your personal information. We share or entrust processing to third parties only: to sub-processors necessary to provide the Services (bound by contract to equivalent protection obligations), where required by law, or with your separate consent.

To automatically identify and extract transaction information, email content (including OCR processing for images/PDFs) is sent to third-party AI / large-language-model (LLM) and OCR service providers for processing. We contractually require these providers to act solely as our processors, handling the data only to provide the feature to you, and not to use it to train their own models or for any other purpose.

  • Cloud infrastructure / storage providers (such as cloud storage and key-management services);
  • Third-party AI / large-language-model (LLM) and OCR service providers (for automated transaction extraction and image/PDF text recognition, acting as our processors).

6. Storage and Retention

We retain information only for as long as necessary to provide the relevant feature: processed data is retained for the duration of your account and deleted or anonymized within 90 days after account closure.

7. Security

We apply industry-standard technical and organizational measures (such as encryption in transit (TLS), access controls, least privilege, and auditing) to protect information. Credentials (such as OAuth tokens) are stored in a server-side environment with strictly limited access.

8. Your Rights

Subject to applicable law, you have the right to access, correct, or delete your personal information, or to withdraw prior authorization. For mailbox connections, you may disconnect at any time within the Services, or revoke this application’s access in your Google Account security settings.

9. International Transfers

We and our service providers may be located in several countries/regions, including Singapore. To provide the Services, your information may be transferred to, and stored and processed in, locations outside your country/region (including where our cloud and AI/OCR sub-processors operate). For such cross-border transfers, we apply appropriate safeguards — such as data-processing agreements and standard contractual clauses — to ensure the transferred information receives protection consistent with this policy and complies with applicable data-protection laws.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be notified by appropriate means. Please review this page periodically; the last-updated date is shown at the end of this policy.

11. Contact Us

If you have any questions about this policy or our handling of personal information, please contact: privacy@iginkgo.com.

Last updated: 2026-07-09