What reviewers check
Google's OAuth verification process is a manual review. A human reviewer will look at your consent screen, test your app with a Google account, and verify that your app's behavior matches the scopes you requested.
The most common rejection reasons are: requesting scopes the app doesn't visibly use, a privacy policy that doesn't name the specific data accessed, and consent screen descriptions that are vague or misleading. Anything the reviewer can see in the consent prompt but cannot find in the app is a rejection.
Scope justification
For each sensitive scope, you need to explain exactly why it's needed and what user-facing feature it enables. For NexusSend:
gmail.send: required to send emails on behalf of the authenticated user from the compose interface
gmail.readonly: required to display inbox message summaries in the dashboard overview
We do not request https://mail.google.com/ because we do not need full mailbox access. This is a deliberate constraint that simplifies the verification argument: every requested scope maps to one visible feature. Note that gmail.readonly is itself on Google's restricted-scope list, so dropping the full-mailbox scope narrows the data the app can touch but does not by itself move the app into a lighter review tier.
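The following is an added example, not NexusSend's own code, showing how the scope constraint above can be enforced in the OAuth client: the authorization URL is built from the two justified scopes only, the full-mailbox scope is rejected outright, and the `scope` field Google returns in the token response is checked against what was requested, because with granular consent a user can grant a subset. Constant names such as REQUESTED_SCOPES, the client ID, redirect URI and the token responses are assumptions constructed for illustration.

```python
"""Minimal-scope OAuth client helpers (added example; not NexusSend's code).

Assumptions: the scope constants and REQUESTED_SCOPES mirror what the consent
screen and privacy policy name; the client ID / redirect URI are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

GMAIL_SEND = "https://www.googleapis.com/auth/gmail.send"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_FULL = "https://mail.google.com/"  # deliberately never requested

# The only scopes the app justifies (hypothetical constant).
REQUESTED_SCOPES = frozenset({GMAIL_SEND, GMAIL_READONLY})

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, state, scopes=REQUESTED_SCOPES):
    """Return the Google authorization URL requesting exactly `scopes`.

    Scopes are space-separated per the OAuth 2.0 spec; they are sorted so the
    URL is stable across runs. The full-mailbox scope is refused as a guard
    against someone widening access without updating the justification.
    """
    if GMAIL_FULL in scopes:
        raise ValueError("full mailbox scope is not justified for this app")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "access_type": "offline",
        "include_granted_scopes": "true",
        "state": state,  # CSRF token bound to the user's session
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def scopes_in_url(url):
    """Extract the requested scope set from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return frozenset(query["scope"][0].split())


def granted_scopes(token_response):
    """Google's token response carries the granted scopes in `scope`."""
    return frozenset(token_response.get("scope", "").split())


def missing_scopes(token_response, required=REQUESTED_SCOPES):
    """Required scopes the user did not grant (empty set means all granted).

    With granular consent the user may untick individual scopes, so the app
    must check this rather than assume the request was honoured in full.
    """
    return frozenset(required) - granted_scopes(token_response)


def enabled_features(granted):
    """Map each granted scope to the single user-facing feature it justifies.

    Features without their scope stay off; the app never fails open.
    """
    return {
        "compose_and_send": GMAIL_SEND in granted,
        "inbox_summaries": GMAIL_READONLY in granted,
    }


# Constructed token responses for illustration (not real tokens).
FULL_GRANT = {
    "access_token": "ya29.example-full",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": f"{GMAIL_SEND} {GMAIL_READONLY}",
}
PARTIAL_GRANT = {
    "access_token": "ya29.example-partial",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": GMAIL_SEND,  # user unticked gmail.readonly at the consent prompt
}

if __name__ == "__main__":
    url = build_auth_url(
        "123456.apps.googleusercontent.com",  # placeholder client ID
        "https://nexussend.example/oauth/callback",  # placeholder redirect
        "opaque-state-value",
    )
    print(url)
    print("missing after partial grant:", missing_scopes(PARTIAL_GRANT))
    print("features:", enabled_features(granted_scopes(PARTIAL_GRANT)))
```

The feature gate is the piece reviewers indirectly test: if a user declines gmail.readonly, the dashboard overview should simply not show inbox summaries, and the app should not re-prompt for a scope the user has already refused without a user-initiated reason.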
Legal & privacy pages
Your privacy policy must explicitly name the Gmail scopes you use, describe what data is accessed, how it's stored, and how users can revoke access. Generic privacy policies that don't mention Gmail will fail review.
NexusSend's privacy policy at /legal/privacy covers data categories, Gmail scope usage intent, retention controls, and security measures. It's kept in sync with the actual implementation.
Demo & test accounts
Reviewers will test your app with their own Google account. Prepare a demo account with realistic data, document the exact steps to reproduce each flow that uses a requested scope (for NexusSend: composing and sending a message, and loading the dashboard overview), and make sure the OAuth consent screen description matches what the reviewer will actually see in the app.