Privacy Policy — Inbox Copilot

The short version

We never read or store the full text of your emails
We never see your Gmail password — only an OAuth token
We never sell, rent, or share your data
Your data is deleted within 24 hours if you disconnect
Export or delete everything anytime from Settings

1. What we collect

When you sign up: name, email, timezone. Via Google OAuth we receive your account name and email — never your password.

When you connect Gmail we receive a read-only OAuth 2.0 token (encrypted with a KMS-managed key). From your emails we read body text in memory for extraction, plus metadata (sender, subject, date, thread ID, read state) which we store encrypted. Attachments are never fetched.

2. How we use it

Solely to provide features: calendar suggestions, your morning brief, inbox health score, cleanup clustering, and follow-up detection. No advertising or profiling.

3. What we never do

Sell, rent, or share your email data
Use your email content to train AI models
Allow staff to read your email content without logged, justified break-glass access
Send email without your explicit tap
Permanently delete — cleanup goes to Trash

4. Storage & encryption

In transit: TLS 1.2+. At rest: AES-256. OAuth tokens get additional field-level KMS encryption. Encrypted backups retained 30 days.

5. Third parties

Provider	Purpose	Data shared
Google	Gmail & Calendar	OAuth token; events you approve
Anthropic	AI extraction	Normalized text — zero retention, no training
AWS	Hosting	Encrypted data only
Stripe	Payments	Name, email, card (never stored by us)

6. Your rights

Export: download a JSON of everything we hold
Delete: purged within 24 hours, tokens revoked
Disconnect: revoke Gmail anytime
Restriction: disable features individually

EU/UK users have additional GDPR rights including the right to lodge a complaint with a supervisory authority.

7. Contact

Email: privacy@inboxcopilot.com — we respond within 5 business days.