Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to “remain confident that Google will keep privacy and security paramount.”

But the internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools. Google does little to police those developers, who train their computers—and, in some cases, employees—to read their users’ emails, a Wall Street Journal examination has found.

One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software, people familiar with the episode say.

In another case, employees of Edison Software, another Gmail developer that makes a mobile app for reading and organizing email, personally reviewed the emails of hundreds of users to build a new feature, says Mikael Berner, the company’s CEO.

FACEBOOK DATA SCANDAL: PROBE OF TECH GIANT AND CAMBRIDGE ANALYTICA WIDENS

Letting employees read user emails has become “common practice” for companies that collect this type of data, says Thede Loder, the former chief technology officer at eDataSource Inc., a rival to Return Path. He says engineers at eDataSource occasionally reviewed emails when building and improving software algorithms.

“Some people might consider that to be a dirty secret,” says Mr. Loder. “It’s kind of reality.”

Neither Return Path nor Edison asked users specifically whether it could read their emails. Both companies say the practice is covered by their user agreements, and that they used strict protocols for the employees who read emails. eDataSource says it previously allowed employees to read some email data but recently ended that practice to better protect user privacy.

Google, a unit of Alphabet Inc., says it provides data only to outside developers it has vetted and to whom users have explicitly granted permission to access email. Google’s own employees read emails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the company said in a written statement.

Click here for more from The Wall Street Journal.