Privacy Policy

This policy describes how Inbox OS (“we”, “us”) handles information when you use our service. It is written for a small SaaS product; it does not cover every edge case or every jurisdiction.

To operate Inbox OS, the service may process data you or your organisation provide or that flows through a connected Microsoft 365 mailbox, including:

• Account identifiers (such as email address) and session data for sign-in.
• Email metadata and content needed to triage, route, and draft replies (for example subject, body, sender), when you connect a mailbox and mail is processed.
• Files or text you upload to the knowledge base.
• Billing-related identifiers and status from our payment provider (we do not store full card numbers).

Depending on how you use the product, we may store for example:

• Profile and tenancy records in our application database.
• Microsoft sign-in and consent so the product can work on your connected mailbox and related workspace features on your behalf. Credential material (such as OAuth tokens) is stored in encrypted form only as needed to keep that connection working automatically, so you are not asked to reconnect on every visit. You can disconnect the integration in the product where supported, and you can also remove or restrict access from your Microsoft account settings.
• Records of processed messages and generated drafts as needed for the in-app workflow (e.g. review, audit).
• Knowledge base content you upload.
• Stripe customer and subscription identifiers; not your full payment card details.

We use the data above to:

• Provide authentication and workspace access.
• Connect to Microsoft 365 and run the automation and review features you configure.
• Generate triage suggestions and draft replies using your knowledge base where applicable.
• Process subscriptions and show billing status.
• Operate, secure, and troubleshoot the service.

We do not sell your personal information. We do not use your mailbox content to train our own models. Third-party AI APIs (where used) are governed by their terms - see below.

Payments are handled by a third-party processor (Stripe). Card data is collected and stored by that processor, not by us. We receive limited billing metadata (such as customer id and subscription state) needed to enable access. Operational contact about unusually high usage or fair-use questions may use your account email - see the Terms of Service.

Content you upload is stored to power retrieval and drafting features for your workspace. You are responsible for not uploading unlawful content and for having appropriate rights or consent to use that material. Remove sensitive material you do not want stored.

Like most web services, we generate technical and operational logs (errors, requests, performance). We aim to minimise sensitive personal data in routine logs; in some cases (for example investigating a specific support issue), limited message-related detail may appear. Retention of logs is driven by operational need and provider defaults unless we shorten it.

We use industry-common practices such as encryption in transit (HTTPS) and access controls intended to separate one customer workspace from another. No online service is risk-free; we do not guarantee uninterrupted security or that unauthorised access will never occur.

Microsoft connection data is handled as described in section 3 above. Implementation details may change as the product evolves - this section is a high-level summary, not an audit or certification statement.

We rely on cloud and SaaS vendors (for example hosting, database, authentication, payments). Their processing is subject to their respective terms and privacy policies.

Where the product uses an AI API provider to analyse or draft text, content needed for that request may be sent to that provider. Review the provider’s documentation for how they handle API data. A common provider is OpenAI; see openai.com/privacy if that integration applies to your workspace.

We keep data while your account is active and as needed to provide the service. If you ask to delete your account or specific data, we will work with you in good faith within a reasonable timeframe, except where we must retain something to meet legal obligations or resolve disputes.

For access, correction, or deletion requests, contact us at the email below. We may need to verify your identity before acting.

Depending on where you live, privacy laws may give you rights (for example access, deletion, or objection). Those laws vary. Nothing in this policy grants rights beyond what the law provides, and nothing here is legal advice about your situation.

To exercise a request, email legal@inboxosmail.com. We will respond as promptly as we reasonably can.

We use cookies or similar technologies needed for authentication and session management. We do not use third-party advertising cookies on the product for behavioural tracking as part of this policy’s intent; third-party embeds (if any) may set their own cookies - check your browser settings if that matters to you.

The service is not directed at children under 13 (or the minimum age in your jurisdiction).

We may update this policy. For material changes, we will try to give notice in the product or by email where practical. Continued use after the effective date means you accept the updated policy.

For privacy questions, data requests, or general help: the Support page lists how to reach us. You can also email legal@inboxosmail.com.

Also see our Terms of Service.