Privacy Policy

Last updated: March 2026

1. Overview

Inbox OS (“we”, “us”, or “our”) takes your privacy seriously. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to your data when you use the Inbox OS service.

2. Data We Collect

Account data. When you register, we collect your email address and any profile information you provide. This is stored in our authentication provider (Supabase) and our own database.

Microsoft OAuth tokens. To connect your Microsoft 365 mailbox, we store OAuth access and refresh tokens. These are encrypted at rest using AES-256-GCM and are used only to process your mailbox.

Email metadata and content. When Inbox OS processes an email from your connected mailbox, it reads the email’s subject, body, and sender address to perform triage, routing, and draft generation. Processed email records (including subjects and AI-generated drafts) are stored in our database associated with your tenant.

Knowledge base documents. Any text you upload to your knowledge base is stored and indexed in our database to enable AI-grounded reply drafting.

Billing data. If you subscribe, payment is handled by Stripe, Inc. We do not store your card details. We receive a Stripe customer ID and subscription status from Stripe’s webhooks.

Usage and log data. We collect application logs for debugging, security monitoring, and service improvement. Logs may include anonymised email metadata (e.g., triage category, AI confidence score) but do not include full email body text unless needed for debugging a specific reported issue.

3. How We Use Your Data

We use your data to:

  • Authenticate and authorise access to your account.
  • Connect to your Microsoft 365 mailbox and process incoming emails.
  • Generate AI-assisted email triage, routing decisions, and draft replies using the knowledge base documents you have provided.
  • Manage your subscription via Stripe.
  • Send you transactional emails (e.g., account confirmation, billing receipts).
  • Monitor service health and investigate security incidents.

We do not use your email content to train AI models, and we do not sell your data to third parties.

4. AI and Third-Party Processing

To generate triage decisions and draft replies, Inbox OS sends relevant email content (subject and body) and knowledge base excerpts to the OpenAI API. OpenAI processes this data in accordance with their API usage policies. Email content sent to OpenAI is not used to train OpenAI’s models under their standard API terms.

You can review OpenAI’s privacy practices at openai.com/privacy.

5. Data Storage and Security

Your data is stored on infrastructure hosted by Railway (API and worker) and Supabase (authentication and PostgreSQL database). We apply the following security measures:

  • OAuth tokens are encrypted at rest using AES-256-GCM.
  • All traffic is transmitted over HTTPS/TLS.
  • Tenant isolation is enforced at the database level — each organisation’s data is scoped to their tenant ID.
  • Access to production systems is restricted to authorised personnel.

6. Data Retention

Processed email records are retained for the lifetime of your account to support audit, review, and analytics features within the Service. Knowledge base documents are retained until you delete them. You may request deletion of all your data by contacting us at hello@inboxos.io.

On account closure, we will delete your data within 30 days, except where retention is required by law.

7. Your Rights

Depending on your location, you may have rights under applicable data protection law (such as the GDPR), including:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Ask us to correct inaccurate data.
  • Erasure. Ask us to delete your data (subject to legal retention obligations).
  • Portability. Request your data in a machine-readable format.
  • Objection. Object to certain types of processing.

To exercise any of these rights, email us at hello@inboxos.io. We will respond within 30 days.

8. Cookies

Inbox OS uses only essential session cookies required for authentication. We do not use advertising cookies or third-party tracking cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy questions or to exercise your data rights, contact us at hello@inboxos.io.