Privacy Policy
Last updated: April 11, 2026
inb0x.ai ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our mobile application, our website (inb0x.ai), and related services (collectively, the "Service").
Controller
The data controller responsible for your personal data is:
WebRehab
Korenweg 25
7064 BW Silvolde
the Netherlands
KvK: 52338193
Contact: privacy@inb0x.ai
1. Information We Collect
When you use the Service, we collect:
- Account Information: Your email address and name from Google Sign-In
- Email Data: We access your email content through the Gmail API, including subject lines, message body text, sender and recipient information, and timestamps. This is not limited to metadata—we process the full content of your emails to provide our AI-powered features.
- Device Tokens: Your Firebase Cloud Messaging (FCM) token to deliver push notifications about your inbox activity
- Usage Data: App usage patterns, feature interactions, and error reports to improve the service
- Early Access / Waitlist Data: If you sign up for early access or our waitlist, we collect your email address, the source or campaign that referred you, and the time of your submission. This data is used solely to manage the waitlist and notify you when the service becomes available.
2. How We Use Your Information
We use your information to provide the following AI-powered features:
- Email classification and prioritization: We analyze email content to categorize messages and rank them by importance
- Draft response generation: We use your writing style and email context to suggest replies
- Writing style learning: We learn your communication patterns from sent emails to personalize suggestions
- Knowledge extraction: We identify key information, facts, and commitments from email conversations
- Contact memory: We build context about your contacts based on communication history
Legal basis: We process your email data under Article 6(1)(b) GDPR (performance of a contract) — the processing is necessary to deliver the AI-powered features you signed up for. For usage analytics and service improvement, we rely on Article 6(1)(f) GDPR (legitimate interest in improving our service).
3. AI Processing and Service Providers
To provide our AI-powered features, we route email content to third-party AI service providers via API. We do not sell or monetize your email content. We do not use your email data to train AI models.
When processing your emails, the following applies to all AI providers we use:
- We select providers whose API terms include data privacy and security obligations, and we configure privacy controls (such as zero-data-retention flags) where the provider supports them
- Provider-specific data handling may vary by provider and plan tier; we review provider terms to ensure they meet our privacy standards before integration
- Providers may retain API request data for security and abuse monitoring for up to 30 days, after which it is automatically deleted
- Each provider's API terms prohibit them from using customer data for purposes beyond delivering the requested service
4. Google API Services Compliance
Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request Gmail API access to the extent necessary to deliver the features described in this policy
- We do not use Gmail data for advertising, ad targeting, or ad retargeting
- We do not sell Gmail data or transfer it to data brokers or advertising platforms
- We do not use Gmail data for credit or lending determinations
- We do not use Gmail data to train general-purpose AI or machine-learning models
- Human access to Gmail-derived data is limited as described in the "Human Access" section below
5. Human Access to Your Data
We do not allow human review of your email content except in the following limited circumstances:
- With your explicit consent: For example, when you contact support and share specific emails to resolve an issue
- Security and abuse prevention: To investigate suspected violations of our Terms of Service or to protect users and the integrity of the service
- Legal obligations: When required by applicable law, regulation, legal process, or enforceable governmental request
6. Data Storage, Security, and Infrastructure
Your data is stored securely using industry-standard encryption and security practices:
- TLS encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Secure cloud infrastructure with industry-standard security controls
- Email body handling: Email body text is temporarily stored in our database to enable AI classification and draft generation. After processing, email bodies are archived to encrypted object storage and cleared from the database. Archived email bodies are retained for a default period of 90 days, after which they are automatically deleted. Archived bodies are also permanently deleted when you delete your account.
In addition to AI processing providers, we use infrastructure services to operate the app, including Google (authentication, Gmail API access, push notifications) and cloud hosting and database providers. These providers act as data processors under our instructions.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: Request a copy of your personal data through the app settings (Settings → Legal → Download my data) or by contacting privacy@inb0x.ai
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Delete your account and associated personal data through the app settings. Note: knowledge base documents shared within an organization may be subject to separate retention obligations at the organization's discretion.
- Right to data portability: Export all your personal data in a structured, machine-readable JSON format directly from the app (Settings → Legal → Download my data)
- Right to restriction: Request limitation of data processing
- Right to object: Opt out of non-essential data processing
To exercise any of these rights, contact privacy@inb0x.ai.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
8. Data Retention
Account data, email metadata, classification results, writing style profiles, contact memory, and knowledge base documents are retained while your account is active and deleted when you delete your account.
Exceptions:
- Knowledge base documents shared within an organization may be retained as required by that organization
- AI provider API logs: Providers may retain API request data for security monitoring for up to 30 days
- Backup copies: Deleted data may persist in encrypted backups for up to 90 days
9. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our service providers operate. We require these providers to maintain appropriate technical and organizational measures to protect your personal data. Where required by applicable law (for example, under EU GDPR), we rely on appropriate data transfer mechanisms, which may include standard contractual clauses as approved by the European Commission.
10. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children under 16.
11. Data Provision
Providing your email data is necessary to use our service. If you do not grant Gmail access or do not consent to AI processing during onboarding, you will not be able to use the core features of inb0x.ai. You may withdraw consent or delete your account at any time through the app settings.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.
13. Governing Law
This Privacy Policy is governed by the laws of the Netherlands.
14. Contact Us
If you have questions about this Privacy Policy, please contact us at: