Security & Permissions — Outreach by afflu

Overview

Outreach connects to your Gmail or Microsoft Outlook inbox to send emails on your behalf. We request the minimum permissions required to do this — nothing more.

Organizations using Google Workspace or Microsoft 365 may require an IT or security review before employees can connect their inbox. This is expected, supported, and by design. We are happy to provide documentation to assist with any internal review.

Gmail / Google OAuth permissions

Outreach connects to Gmail using Google OAuth 2.0. We request a single scope:

gmail.send — allows Outreach to send emails from your Gmail account on your behalf

We do not request access to read, search, delete, or modify your inbox. We do not access Google Drive, Google Calendar, Google Contacts, or any other Google service. Your existing emails, attachments, and labels are never accessed or stored by Outreach.

Google Workspace admin review

Google Workspace administrators may need to allowlist the Outreach OAuth application before users in your organization can connect their Gmail account. If your organization requires this, we are happy to provide our OAuth client details, app verification documentation, and answer any security questions directly.

Microsoft Outlook / Entra permissions

Outreach connects to Microsoft Outlook using the Microsoft identity platform (OAuth 2.0 / OpenID Connect). We request the following scopes:

Mail.Send — allows Outreach to send emails from your Outlook account on your behalf
offline_access — allows Outreach to refresh your access token without requiring you to sign in again
openid, email, profile — standard identity scopes used to identify your account

We do not request access to read, search, delete, or modify your inbox. We do not access OneDrive, SharePoint, Teams, Calendar, Contacts, or any other Microsoft 365 service. Your existing emails and inbox data are never accessed or stored by Outreach.

Microsoft Entra (Azure AD) admin consent

Organizations using Microsoft 365 may require an IT administrator to grant admin consent for the Outreach application in their Azure AD / Microsoft Entra tenant before employees can connect their Outlook account. This is a standard Microsoft enterprise security control. We support this process and can provide the following on request:

Full OAuth permission manifest listing all requested scopes
Application client ID and publisher details for allowlisting
Data handling documentation for security assessment
Direct contact with our team for any security questions

What we store

Outreach stores the minimum data required to operate the service:

Your name and email address (from Google or Microsoft sign-in)
OAuth access and refresh tokens, stored encrypted, used solely to send emails on your behalf
Email content (subjects and bodies) that you write or generate through the service
Send logs (timestamp, recipient, subject, status) for your own activity history

We do not store, read, or index any existing emails from your inbox. We do not retain email content after your account is deleted. OAuth tokens can be revoked at any time through your Google or Microsoft account security settings, which immediately terminates Outreach's ability to send on your behalf.

Request security documentation

If your organization requires documentation to complete a security review, we are happy to help. Email us at hello@afflu.ca with the subject line "Security review — [your organization name]" and we will respond within 2 business days with the relevant documentation.

For security review requests: hello@afflu.ca — we respond within 2 business days.