Privacy Policy

Effective date: April 1, 2026

1. Who We Are

InboxBridge is operated by Flow State Labs. When this policy refers to “we,” “us,” or “our,” it means Flow State Labs and the InboxBridge service at inboxbridge.app.

2. What Data We Collect

  • Account information — your email address and display name when you sign in.
  • OAuth tokens — access and refresh tokens granted by your email providers (Gmail, Outlook) so we can connect to your inboxes on your behalf.
  • Email content accessed via providers — when your AI assistant issues a search or read request, we fetch matching messages from your email provider in real time and return them to the AI client. We do not store email content.
  • IMAP credentials — if you connect an IMAP account, we store the server address, username, and password you provide.
  • Usage metadata — request counts and timestamps for billing and rate-limiting purposes.
  • Payment information — processed and stored by Stripe. We never see or store your full credit card number.

3. How We Store Your Data

OAuth tokens and IMAP credentials are encrypted at rest using AES-256-GCM and stored in a SQLite database. Encryption keys are managed server-side and are never exposed to client code. All connections to and from InboxBridge are encrypted in transit via TLS.

4. How We Use Your Data

  • To connect to your email accounts and execute requests made by your AI assistant.
  • To authenticate you and maintain your session.
  • To process subscription billing via Stripe.
  • To monitor service health and prevent abuse.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Period.

5. Email Content Is Not Stored

InboxBridge acts as a pass-through. When your AI assistant requests email data, we fetch it in real time from your email provider and return it directly to the AI client. Email content is not written to disk, cached, or logged on our servers.

6. OAuth Tokens

OAuth tokens are used exclusively to access your email on your behalf. We request only the minimum scopes required (read, send, and manage email). You can revoke access at any time through your email provider’s security settings or by removing the account from InboxBridge.

7. Cookies

We use session cookies to keep you signed in. These are essential cookies required for the service to function — we do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Third-Party Services

9. Data Retention & Deletion

We retain your account data for as long as your account is active. You can delete your account and all associated data at any time from your dashboard settings. Upon deletion, we permanently remove your account information, stored tokens, and all metadata. This action is irreversible.

10. Your Rights (GDPR & CCPA)

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict processing of your data.
  • Export your data in a portable format.
  • Opt out of the sale of personal information (we don’t sell it, but you have the right to confirm).

To exercise any of these rights, contact us at privacy@inboxbridge.app. We will respond within 30 days.

11. Children's Privacy

InboxBridge is not intended for use by anyone under 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or a prominent notice on our website. Your continued use of InboxBridge after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this privacy policy or our data practices, contact us at: privacy@inboxbridge.app