Inspiration
There was a lot that made us passionate about this project:
- Continuous data breaches (Source: 1Password & Pkware)
  - What to do about the 16 billion password data leak
  - Biggest Data Breaches in 2025
- Companies making removal and deletion of your account hard (Source: The Markup)
  - We caught companies making it harder to delete your data
Biggest Reason:
- We care about our data.
What it does
SpyPry is a privacy cleanup tool that helps you discover old accounts you forgot existed and gives you a simple, trustworthy way to remove your data.
How it works (user flow):
- Sign in with Google (secure OAuth).
- Connect Gmail (read-only access) so SpyPry can scan for “account signals” like welcome emails, verification links, receipts, password resets, and security alerts.
- SpyPry builds a dashboard of services/domains that likely have an account/profile on you.
- For each service, SpyPry offers two actions:
  - View Delete Options: SpyPry finds the official on-domain deletion/deactivation instructions (and provides step-by-step guidance).
  - Request Opt-Out: SpyPry generates a privacy request letter asking the company to stop selling/sharing your personal data (focused on PIPEDA compliance).
PIPEDA context
PIPEDA: The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law that governs privacy for users in Canada. It sets rules for how businesses collect, use and disclose the personal information of individuals living in Canada. Other jurisdictions have their own regimes, such as the GDPR, which applies within the European Union, and the CCPA, which is specific to California.
Note: A company can be based anywhere in the world, but if its application operates for and is accessible to Canadians, the company is also subject to PIPEDA.
How we built it
Frontend
- React + TypeScript dashboard that lists discovered domains and actions.
- Clean UI workflow: Connect Gmail → Scan Accounts → View Delete Options → Request Opt-Out letter.
Backend
- FastAPI service that handles:
  - Google OAuth sign-in
  - Gmail OAuth connection + Gmail API read-only queries (scopes limited to what we need)
  - A scan pipeline that extracts likely account domains from Gmail signals
Delete-options lookup (LLM-assisted)
- Given a domain (e.g. devpost.com, discord.com), we call an OpenAI model with web search to find:
  - the best on-domain “delete account / close account / deactivate” link
  - step-by-step instructions summarized in plain language
  - confidence + evidence so we can “lead with honesty” and show when we’re not sure
How we align with 1Password's security and values
- Keep it Simple: Minimal clicks; we tried to keep mostly everything in one dashboard.
- Lead with Honesty: We return a confidence score and avoid inventing links. If we don't know it, we don't pretend we do.
- Put People First: We want users to be in control of their data.
Challenges we ran into
It was not easy competing with tech companies hiding their data.
Some of the biggest challenges we faced were:
- OAuth + redirect URLs: getting the Google/Gmail consent flow stable with localhost cookies and redirects.
- Session management: ensuring tokens are handled correctly and requests include credentials (cookies) between frontend and backend.
- Gmail parsing is messy: the “From” field, subdomains, and transactional email services can make domain extraction noisy.
- And a whole lot of merge conflicts.
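One conservative way to handle the “From” field, subdomain and transactional-sender noise described above, as an added example that is not SpyPry's own code. The ESP list, suffix list, signal keywords and function names are assumptions made for illustration.

```python
from collections import Counter
from email.utils import parseaddr

# Assumed, deliberately short lists for illustration; a real scan would use the
# Public Suffix List and a maintained list of email service providers (ESPs).
ESP_DOMAINS = {"sendgrid.net", "amazonses.com", "mailgun.org"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
SIGNAL_WORDS = ("welcome", "verify", "receipt", "password reset", "security alert")


def registrable_domain(address_header):
    """Reduce a From/Reply-To header value to its registrable domain, or None."""
    _, addr = parseaddr(address_header or "")
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().strip(".").split(".")
    # Keep three labels for suffixes like co.uk, otherwise two (mail.discord.com -> discord.com).
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    if len(labels) < keep or not all(labels):
        return None
    return ".".join(labels[-keep:])


def account_domain(headers):
    """Return the service domain a message points to, or None when unsure."""
    subject = headers.get("Subject", "").lower()
    if not any(word in subject for word in SIGNAL_WORDS):
        return None  # not an account signal
    # Prefer From; fall back to Reply-To when From belongs to an ESP.
    for field in ("From", "Reply-To"):
        domain = registrable_domain(headers.get(field))
        if domain and domain not in ESP_DOMAINS:
            return domain
    return None  # only ESP infrastructure seen: drop rather than guess


def scan(messages):
    """Count account signals per domain across a list of header dicts."""
    return dict(Counter(d for d in map(account_domain, messages) if d))

# Constructed sample headers (not real inbox data).
SAMPLE = [
    {"From": "Discord <noreply@mail.discord.com>", "Subject": "Verify your email"},
    {"From": "Devpost <support@devpost.com>", "Subject": "Welcome to Devpost"},
    {"From": "Shop <bounce@em123.sendgrid.net>", "Reply-To": "help@shop.example.co.uk",
     "Subject": "Your receipt"},
    {"From": "News <n@u.amazonses.com>", "Subject": "Password reset requested"},
    {"From": "friend@gmail.com", "Subject": "lunch?"},
]
```

Calling `scan(SAMPLE)` keeps three domains and drops the message whose only sender identity is ESP infrastructure, which is the conservative choice when the real service cannot be determined.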
Accomplishments that we're proud of
- Working Google Auth + Gmail OAuth end-to-end.
- A dashboard that populates with account domains inferred from real inbox data.
- A “View Delete Options” feature that produces:
  - a best official link (when available)
  - clean, usable deletion steps
  - a clear confidence signal
- A “Request Opt-Out” path that generates a PIPEDA-focused letter to help users advocate for their privacy rights.
- A UI that prioritizes clarity, simplicity, and user control.
What we learned
OAuth flows are deceptively tricky: redirect URIs, cookies, CORS, and “credentials: include” matter a lot.
Gmail data is powerful but imperfect; extracting structured identity signals requires careful heuristics and conservative assumptions.
Privacy automation must be transparent: users need to know what’s happening, what data is used, and how confident the system is.
Security isn’t just encryption and auth—it’s also reducing the number of places your data lives.
What's next for SpyPry
Currently SpyPry is best geared to the PIPEDA laws and regulations in place today, but beyond that we see SpyPry as a proactive tool for the stricter regulations coming under Bill C-27, which would make our tool more effective.

