Privacy Policy

How Inbox3 collects, uses, and protects your data. We believe in transparency — no legalese where plain language will do.

Last updated April 12, 2026

Inbox3 ("we", "our", "us") operates the inbox3.app website and service. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (hashed — we never store plaintext passwords)
  • Authentication provider (Google or email/password)

1.2 Email Data (via Gmail or Outlook API)

When you connect your Gmail or Outlook account, we access your email using read-only permissions. Specifically:

  • What we read: Email metadata — sender address, recipient addresses, subject line, date, snippet (first ~200 characters), and headers (including List-Unsubscribe).
  • What we temporarily process: Email body content is fetched on-demand when you request an AI reply draft. This content is sent to our AI provider for draft generation and is not stored in our database.
  • What we never do: We never send, delete, modify, or archive your emails. We use the gmail.readonly scope, which makes it technically impossible for our application to alter your inbox.

1.3 Usage Data

We collect anonymised usage data including: pages visited, features used (mark done, snooze, draft reply), digest open rates, and performance metrics. This is collected via PostHog and is used to improve the product.

1.4 Payment Information

Payment processing is handled entirely by Stripe. We never see or store your full card number, CVV, or bank details. We store only your Stripe Customer ID to manage your subscription.

2. How We Use Your Information

  • Email classification: We scan email metadata to classify urgency and determine which emails require your action. This is the core function of the service.
  • AI reply drafts: When you request a draft, the original email content is sent to our AI provider (Anthropic) for generation. The content is processed in-flight and not stored.
  • Sender learning: We track how you interact with emails from specific senders (mark done, snooze, draft) to build a personal importance model that improves your digest over time.
  • Service delivery: To send your daily digest email, manage your account, process billing, and send transactional notifications.

3. Google API Services — Limited Use Disclosure

Inbox3's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide and improve the user-facing features of Inbox3 (email classification, digest generation, and reply drafting).
  • We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • We do not allow humans to read your email data unless: (a) you have given affirmative consent for a specific message (e.g., for support debugging), (b) it is necessary for security purposes, or (c) it is required to comply with applicable law.
  • We do not sell Google user data to third parties.
  • We do not use Google user data for credit-worthiness determinations or lending qualifications.

4. Data Storage and Security

4.1 What We Store

  • Account information (email, name, plan, preferences)
  • OAuth tokens (encrypted at rest with AES-256-GCM via AWS KMS — hardware-backed key management)
  • Digest results (sender, subject, AI-generated action summary, urgency score — no email body content)
  • Sender interaction scores (for personalisation)
  • User settings (VIP senders, blocked senders, digest time)

4.2 What We Never Store

  • Raw email body content
  • Email attachments
  • Full email headers beyond what is needed for classification
  • Plaintext passwords
  • Payment card details

4.3 Infrastructure Security

All data is hosted on Amazon Web Services (AWS) in the US-East-1 region. Our infrastructure includes: encrypted databases (RDS PostgreSQL with encryption at rest), private VPC networking (database is not internet-accessible), HTTPS-only connections via CloudFront, and encrypted secrets via AWS Secrets Manager with KMS.

5. Data Sharing

We share data only with the following third-party processors:

  • Anthropic — AI processing for email classification and reply drafting. Email metadata and content are sent via API for processing and are subject to Anthropic's Privacy Policy. Anthropic does not use API inputs to train their models.
  • Stripe — Payment processing.
  • AWS SES — Transactional email delivery (digest emails, account notifications).
  • PostHog — Anonymised product analytics.
  • Sentry — Error monitoring (may include anonymised technical context, never email content).

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Digest history: Retained for 90 days, then archived. You can delete your history at any time from settings.
  • OAuth tokens: Deleted immediately when you disconnect an email account or delete your Inbox3 account.
  • Sender scores: Deleted when you delete your account.
  • Analytics data: Anonymised and retained for up to 12 months.

7. Your Rights

You have the right to:

  • Access your data — view all stored data from your account settings.
  • Correct your data — update your name, email, and preferences.
  • Delete your data — one-click account deletion from settings permanently removes all your data.
  • Export your data — request a full export of your data in JSON format.
  • Revoke access — disconnect your email account at any time from settings. You can also revoke access directly from your Google or Microsoft account settings.
  • Object to processing — contact us to object to specific data processing activities.

To exercise any of these rights, email us at privacy@inbox3.app.

8. Cookies

We use only essential cookies required for authentication (session cookies). We do not use advertising cookies or third-party tracking cookies. PostHog analytics uses first-party cookies only.

9. Children's Privacy

Inbox3 is not directed at children under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. International Data Transfers

Your data is processed and stored in the United States (AWS US-East-1). If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses and AWS's compliance certifications for lawful data transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before they take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise your rights:
