How inbox access works.

Short version: the Money Leak Report is an inbox audit, not a takeover. We review the project email scope you approve, flag likely dollars-at-risk and open actions, and give you the report. We do not send, delete, move, or modify your email.

The access boundary

• Access method is agreed in scope: read-only OAuth where available, a scoped shared inbox, label, folder, export, or sample data for lower-access scoping.
• No accounting system, bank, payroll, personal email, or admin access.
• No final-send authority. We draft and organize; the owner approves any outbound message.
• NDA/DPA before access. Vendor stack and subprocessor details are identified before full diagnostic access.
• E&O and cyber certificate before any full diagnostic inbox access.
• Standard deletion target is 30 days after report delivery or engagement end unless contract or legal requirements say otherwise; certificate language is available on request.

What we look for

We classify project threads for estimate follow-ups, AR aging, change-order triggers, RFI and submittal aging, client questions, and owner decisions. The report cites the source thread so you can verify every line item before acting.

What we do not touch

The standard diagnostic does not require QuickBooks, bank accounts, payroll, project management admin access, or your personal inbox. If an item is not visible in the scoped project email, it stays outside the report unless you separately provide it.

Vendor and access details

The exact access method is set in the signed scope before kickoff: read-only OAuth where available, a scoped forwarding/export path, or sample data for the $250 Scoping Deposit. The onboarding package identifies the vendor stack and any subprocessors used for the engagement before full diagnostic access is granted.

Security questions

Security, DPA, insurance, retention, and subprocessor questions go through admin@aecdesign.ai. The access scope is written down before any diagnostic workspace is opened.