What is Compose and how does it work with Gmail?

Compose is a Gmail add-on that analyzes your inbox using multi-tier AI. Every morning, it delivers a Daily Brief with your top priorities, security threats, and recommended actions. It works directly inside Gmail — no separate app needed.

How is Compose different from other email tools?

Most email tools help you write or organize emails faster. Compose is an inbox decision engine — it helps you decide which emails matter and what to do next. Features like Strategic Review provide senior-advisor-level analysis for high-stakes emails, including risk assessment, leverage indicators, and response drafts.

Is my email data safe with Compose?

Yes. Compose uses PALADIN NER to redact all personal information — names, SSNs, bank accounts, phone numbers — before any AI analysis. Your sensitive data never leaves your control. All stored data uses AES-256 encryption, and you can opt for BYOK (bring your own key) for complete data ownership.

How much does Compose cost?

We are finalizing our pricing plans. Join the waitlist to be notified when we launch — all early signups will receive a free trial.

What is the Daily Brief?

The Daily Brief is a prioritized summary of your inbox delivered every morning. It shows your top priorities, blocked threats, pending replies, and recommended actions — organized by impact, not arrival time. It typically takes 60 seconds to review 150+ emails.

What is Strategic Review?

Strategic Review is an on-demand deep analysis for high-stakes emails. It provides a 360-degree assessment including executive snapshot, risk landscape, leverage indicators, recommended posture, tone guidance, and an optional response draft.

April 29, 202610 min read

Is Gemini in Gmail safe for business email? What enterprise users need to know

A factual, non-alarmist look at how Gemini handles your Gmail data, what Google's policies actually say, and what to evaluate when AI reaches your inbox.

Gemini is now embedded in Gmail. The summarise button is one click away. Smart Reply is sharper. The side panel can answer questions about your inbox in plain English. For consumer users, this is a step forward. For business and enterprise users, it raises a different question — one that procurement teams, security officers, and individual operators are quietly asking right now: what happens to my email data when I press that button?

This is a factual walkthrough. Not an attack on Gemini. Google has built one of the most capable AI products in the market and most of its safeguards are real. But there are policies and behaviours that genuinely matter for confidential email — and the right answer for a board member is not the same as the right answer for a personal Gmail user.

1. What Gemini in Gmail actually does with your data

When you trigger Gemini inside Gmail — to summarise a thread, draft a reply, or ask a question in the side panel — your email content is sent to Google's Gemini models for processing. The content includes the body of the email, the sender and recipient information, attachments where relevant, and surrounding thread context.

For consumer accounts, Google states this content is processed in a privacy-preserving manner and is not used to train its models without consent. For Google Workspace accounts, the protections are stronger: Google contractually commits that Workspace data is not used to train generative AI models, and content stays within the customer's Workspace boundary.

That is the official position. The operational reality is that your raw email content — names, account numbers, contract values, names of clients, board discussions — is being read by an AI model running on Google infrastructure every time you click summarise or ask a question.

2. What Google's privacy policy says — and the "don't enter confidential information" advisory

Google's product documentation for consumer Gemini contains a notable line: a recommendation not to enter confidential information into Gemini. This is good practice for any AI service. It is also an interesting acknowledgement, because the entire point of Gmail integration is that Gemini already has access to your inbox — which by definition contains confidential information for most professionals.

For Workspace customers, the contractual safeguards are stronger and the advisory framing is different. But the underlying mechanism — sending the content of an email to a generative AI model for processing — is the same. The protection is contractual and architectural at the boundary, not at the model layer. The model still sees the content.

3. The opt-in-by-default controversy and the California class action

In late 2025, Google rolled out an update to Workspace and consumer Gmail that — in the view of plaintiffs in a California class-action filing — enabled Gemini features by default for some customer segments without prominent re-consent. The lawsuit alleges that the rollout effectively expanded the scope of automated processing on user inboxes without explicit user action. Google has disputed these claims; the case is ongoing.

Whatever the eventual outcome, the controversy crystallised something procurement and security teams had been wrestling with privately: AI features inside email tools tend to be expansive by default, and the boundaries of what data is processed shift over time as features evolve. For an organisation handling regulated or sensitive data, this is a planning problem.

4. Why enterprise and SMB procurement is asking the question right now

Three things have shifted in the past year. First, AI features inside email and document tools are no longer optional add-ons — they are increasingly the default experience. Second, GDPR and emerging US state privacy laws (CPRA, Virginia, Texas) treat AI processing of personal data as a regulated activity in its own right. Third, the cyber insurance market has started asking specific questions about AI processing of customer communications during renewals.

The combined effect is that "does our email tool send raw content to an AI model?" is now a procurement question, not just a security one. Companies handling client confidential information — law firms, accounting firms, financial advisors, healthcare practices, consultants, anyone with a fiduciary or contractual confidentiality obligation — need a defensible answer.

5. What to look for in an AI email tool that handles confidential data

If you are evaluating AI email tools for use in a regulated or confidentiality-sensitive environment, six questions cut through marketing language quickly:

Is raw email content sent to the AI model? If yes, all downstream protections are contractual.
Is PII redacted before the model receives the content? If yes, the model is architecturally unable to see the sensitive parts.
Where does the model run? First-party? Third-party API? US-only? EU-only? Customer-controlled?
Is data retained for training? Get this in writing for your contract tier.
Can you bring your own API key (BYOK) or your own database (BYO DB)? Both shift the trust boundary back to the customer.
What is the audit trail? For each AI-touched email, can you reconstruct what was sent to the model?

6. Pre-AI PII redaction is architecturally different from post-hoc contractual promises

Most AI email tools — including Gemini in Gmail — operate on a contractual privacy model. The raw email content is sent to the model. The protection comes from a contract that says the data won't be retained, won't be used for training, won't be shared. These are real protections, but they are downstream of the moment when the model sees the data.

An architectural privacy model is different. The sensitive data never reaches the model in the first place. Compose uses this approach via PALADIN, a BERT-based named entity recognition layer. Before any email is sent to the AI, PALADIN scans it and replaces every name, email address, phone number, account number, and monetary amount with a typed token. JOHN_PERSON_001. ACME_ORG_004. $AMOUNT_PAID. The model receives the structure and meaning of the email but never the actual personal data.

This is a stronger guarantee than contract language because it doesn't depend on a vendor honouring a promise. The model is structurally incapable of seeing the redacted values. If a Compose contract were silently changed tomorrow, the architectural property would still hold — because it is enforced in code, not in legal text.

This is the privacy-first alternative we built Compose around. See how the Compose Gmail add-on uses PALADIN, or for a more comprehensive native client built on the same architecture, see Compose Gold Standard.

The right tool depends on how sensitive your inbox is

For most personal and small-business uses, Gemini in Gmail is fine. The features are useful, the protections are real, and the residual risk is low for non-confidential traffic. For users whose inbox routinely contains client matter, board communications, M&A discussions, regulated personal data, or anything that would be material to disclose — the calculus is different. The answer is not "don't use AI on email." The answer is "use an AI tool that doesn't need to see the sensitive parts to do its job."

That is what an architectural privacy model gives you. It changes "trust me" into "you don't have to."