Privacy Policy
Effective date: April 1, 2026
Last updated: April 19, 2026
1. Who We Are
InboxBridge is operated by Flow State Labs. When this policy refers to “we,” “us,” or “our,” it means Flow State Labs and the InboxBridge service at inboxbridge.app.
2. What Data We Collect
- Account information — your email address and display name when you sign in.
- OAuth tokens — access and refresh tokens granted by your email providers (Gmail, Outlook) so we can connect to your inboxes on your behalf.
- Email content accessed via providers — when your AI assistant issues a search or read request, we fetch matching messages from your email provider in real time and return them to the AI client. We do not store email content.
- IMAP credentials — if you connect an IMAP account, we store the server address, username, and password you provide.
- Usage metadata — request counts and timestamps for billing and rate-limiting purposes.
- Payment information — processed and stored by Stripe. We never see or store your full credit card number.
3. How We Store Your Data
OAuth tokens and IMAP credentials are encrypted at rest using AES-256-GCM and stored in a SQLite database. Encryption keys are managed server-side and are never exposed to client code. All connections to and from InboxBridge are encrypted in transit via TLS.
4. How We Use Your Data
- To connect to your email accounts and execute requests made by your AI assistant.
- To authenticate you and maintain your session.
- To process subscription billing via Stripe.
- To monitor service health and prevent abuse.
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Period.
5. Email Content Is Not Stored
InboxBridge acts as a pass-through. When your AI assistant requests email data, we fetch it in real time from your email provider and return it directly to the AI client. Email content is not written to disk, cached, or logged on our servers.
6. OAuth Tokens
OAuth tokens are used exclusively to access your email on your behalf. We request only the minimum scopes required (read, send, and manage email). You can revoke access at any time through your email provider’s security settings or by removing the account from InboxBridge.
7. Google API Services User Data Policy — Limited Use
InboxBridge’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained through Google APIs (including Gmail message content, metadata, labels, and user profile information):
- is used onlyto provide or improve user-facing features of InboxBridge that are prominent in the application’s user interface;
- is not transferred to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
- is not used or transferred for serving advertisements, including retargeting, personalized, or interest-based advertising;
- is not sold to data brokers, information resellers, advertising networks, or any other party;
- is not used to determine credit-worthiness or for lending purposes;
- is notread by humans, except (a) with the user’s affirmative agreement for specific messages, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations;
- is notused to develop, improve, or train generalized or non-personalized AI/ML models. InboxBridge acts purely as a pass-through that returns data from Google APIs to the MCP-compatible AI client the user has chosen. We do not train models on Google user data, and the third-party AI clients that users connect (e.g., Claude, ChatGPT, Gemini) receive data under those providers’ own published privacy terms.
8. Cookies
We use session cookies to keep you signed in. These are essential cookies required for the service to function — we do not use tracking cookies, analytics cookies, or third-party advertising cookies.
9. Third-Party Services & Sub-Processors
We use the following third parties to operate InboxBridge. Each processes limited data on our behalf, subject to contractual confidentiality and security obligations:
- Stripe, Inc. — payment processing and subscription management. Subject to the Stripe Privacy Policy.
- Google LLC (Gmail & Google APIs) — email provider access via OAuth 2.0. Subject to Google’s Privacy Policy.
- Microsoft Corporation (Outlook & Microsoft Graph) — email provider access via OAuth 2.0. Subject to Microsoft’s Privacy Statement.
- Cloud hosting provider — InboxBridge application servers and encrypted database storage. Our hosting provider has no access to plaintext tokens (they are encrypted with AES-256-GCM before being written to disk).
- Transactional email provider — delivery of magic sign-in links and service notifications to the email address you register with.
We do not sell personal data and we do not use advertising networks or analytics providers that profile users.
10. Data Retention & Deletion
We retain your account data for as long as your InboxBridge account is active. You may disconnect individual email accounts or delete your entire InboxBridge account at any time from your dashboard settings.
Upon account deletion, we:
- Revoke every stored OAuth refresh token with the issuing provider (Google, Microsoft).
- Permanently delete your user record, connected email accounts, encrypted credentials, API keys, and OAuth state entries from our production database within 7 days.
- Remove your data from encrypted, rolling database backups within 30 days, after which it is unrecoverable.
Some anonymized or aggregated records (e.g., billing totals required for tax/accounting) may be retained longer where required by law. These records do not contain email content and are not linked to an individual’s identity.
You can also revoke InboxBridge’s access to any connected provider account at any time, independently of your InboxBridge account:
- Google: myaccount.google.com/permissions
- Microsoft: account.microsoft.com/privacy/app-access
11. Your Rights (GDPR & CCPA)
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict processing of your data.
- Export your data in a portable format.
- Opt out of the sale of personal information (we don’t sell it, but you have the right to confirm).
To exercise any of these rights, contact us at privacy@inboxbridge.app. We will respond within 30 days.
12. Children's Privacy
InboxBridge is not intended for use by anyone under 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you via email or a prominent notice on our website. Your continued use of InboxBridge after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this privacy policy or our data practices, contact us at: privacy@inboxbridge.app