Security & privacy

End-to-end encrypted.
Zero trust by design.

We built the encryption model before we built the features. Here's every layer, in plain English.

TLS 1.2+
AES-256 at rest
KMS field-level tokens
OAuth 2.0 only
Google CASA Tier 2
GDPR · CCPA

Encryption specifications

Every layer, documented.

Six encryption and access control layers protect your data from the moment it enters our system to the moment you disconnect.

🔐

In transit

TLS 1.2+

All communication uses TLS 1.2 or higher. HSTS enforced. Server-to-server calls also require TLS 1.2+.

🗄

At rest

AES-256

All stored data — database rows, sessions, cached metadata — encrypted with AES-256. Keys managed in cloud KMS.

🗝

Token encryption

KMS

OAuth tokens get additional field-level encryption with a separate KMS key on a documented rotation schedule.

💾

Email bodies

Memory only

Raw email body text is never written to disk — read, normalized, and discarded. Only suggestions persist.

🤖

AI processing

No training

Email text sent to our AI provider is subject to zero data retention and is not used for training, contractually guaranteed.

🚪

Access control

Least privilege

No standing human access. Break-glass access is logged, alerted, and requires written justification.

Your rights

You're in control. Always.

Four things you can do at any time, without contacting us.

📥
Export your data
Download everything as JSON. Settings → Export.
🔌
Disconnect Gmail
Revoke access instantly. Processing stops immediately.
🗑
Delete everything
Account deleted, data purged within 24 hours.
🚫
We never sell data
Never sold, rented, or shared with advertisers.

Found a security issue?

Report it to security@inboxcopilot.com. We acknowledge within 24 hours and give a status update within 5 business days.
