Susan Molinari, Google's vice president for public policy and government affairs for the Americas said in the letter, "Developers may share data with third parties so long as they are transparent with the users about how they are using the data". Developers can also share information with outside companies, meaning information gleaned via email scanning could be used to inform advertisements, for example.
Google said in a letter to US senators made public on Thursday that it relies on automated scans and reports from security researchers to monitor add-ons after launch, but did not respond to lawmakers' request to say how many have been caught violating the company's policies.
Alphabet Inc's Google gave details about its policies for third-party Gmail add-ons but stopped short of fully addressing questions from USA senators about developers who break its email-scanning rules.
Last year, Google made a big thing of announcing that it would no longer scan people's Gmail emails for keywords that could be used to target ads at them.
The Republican Senate Commerce Committee chairman fired off a letter to Google in July after being alarmed by a report that it is common for employees of third-party app developers to access Gmail content.
Once users agree, it's almost impossible to audit what data is being shared with apps as they use them, let alone what else is being done with the data or who it is being shared with.
Business owners who use Gmail for company email can prevent employees from installing apps that have not been approved by the company, according to Google.
Next week, the tech giants, including Google, Amazon, Apple and Twitter will be addressing the Senate over increased concerns over online privacy and to examine the safeguards in place to protect consumers.
According to a CNNMoney report on Thursday, Gmail lets third-party developers integrate services into its email platform.
But the results still infringe on users' privacy.
"No humans at Google read users' Gmail, except in very specific cases where they ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse", the company said.