Privacy Policy
This Privacy Policy explains how InboxDesk collects, uses, stores and shares personal data when you use the InboxDesk service. We aim to be plain about what we do and don't do with your data.
1. Who we are
InboxDesk is operated by Rohan Ellis, a sole trader based in the United Kingdom, trading as InboxDesk ("we", "us", "our"). InboxDesk may transition to a UK limited company in the future; if that happens, the controller's name will change but the substance of this policy will not, and we will publish a new version with an updated effective date.
If you need to contact us about your data:
- Email: privacy@inboxdesk.ai
- Postal address: available on request
We are the data controller for the personal data covered by this policy, which includes your account information, billing data and product telemetry. For email content that you forward into the service, see Section 6 — for that material we typically act as a data processor on your behalf.
2. Scope
This policy applies to:
- The InboxDesk web application at inboxdesk.ai
- Our marketing pages, landing pages and signup flow
- Email content you forward to InboxDesk's inbound address for AI-assisted drafting
It does not apply to third-party services we link to (e.g. Stripe, Anthropic) — those services have their own privacy policies, listed in Section 7.
3. What personal data we collect
We try to collect only what we need to operate the service. The categories below are everything we hold about you.
3.1 Account data
- Email address you sign in with
- Name (only if you choose to enter it during onboarding)
- Account creation date, last login, security audit events (sign-in, sign-out, OAuth grant)
3.2 Mailbox connection data
- The email address of the Gmail account you connect
- OAuth refresh tokens (encrypted at rest) authorising InboxDesk to send replies via your Gmail
- The OAuth scopes you granted us
- Connection status (active, revoked)
We do not read your inbox via Gmail's API. The service operates on emails you forward into our inbound address, not by polling your mailbox.
3.3 Email content
- The full body and headers of customer emails you forward to InboxDesk
- AI-generated draft replies, including the model's reasoning trace where the model produced one
- Edits you make to drafts before sending
- Sent message identifiers used to thread replies correctly in Gmail
Email content includes any personal data your customers shared in their messages — names, contact details, order references, descriptions of issues, etc. We process this only to draft a reply and to learn from your edits.
3.4 Tenant configuration
- Universal rules and context-specific rules you create or accept
- Knowledge-base documents you upload (FAQs, product docs, voice samples)
- Voice profile distilled from your training samples
- Embeddings generated from your knowledge base for semantic retrieval
3.5 Billing data
- For paying customers: billing email, plan, last four digits of card, country (held by Stripe — we do not store full card numbers)
- Invoices and payment history
3.6 Product telemetry
- Page views, feature usage events, error reports
- Browser type, IP address (truncated), device class
- Crash and exception reports with stack traces
We use this to fix bugs and understand which features need work. We do not sell telemetry, and we do not use it for advertising.
4. How we use your data — and why we're allowed to
Under UK GDPR, we have to identify a "lawful basis" for each kind of processing. Here's ours.
| Purpose | Data | Lawful basis |
|---|---|---|
| Authenticate your account and provide the service | Account, mailbox, email content, tenant config | Performance of a contract (Article 6(1)(b)) |
| Bill paying customers | Billing data | Performance of a contract (Article 6(1)(b)) |
| Improve the service, fix bugs, monitor abuse | Product telemetry, error reports | Legitimate interests (Article 6(1)(f)) |
| Send service emails (e.g. flagged-email alerts, billing notifications) | Account email, alert metadata | Performance of a contract (Article 6(1)(b)) |
| Comply with legal obligations | Account, billing, audit logs | Legal obligation (Article 6(1)(c)) |
| Marketing emails (if you opt in) | Account email | Consent (Article 6(1)(a)) |
We do not use your customer email content for any purpose other than producing drafts for you and improving your tenant's own ruleset. We do not use it to train shared models, and we do not pool it across tenants.
5. AI processing
InboxDesk uses third-party AI models (currently Anthropic Claude) to:
- Classify inbound emails (customer question, marketing noise, etc.)
- Draft replies in your voice using your rules and knowledge base
- Suggest new rules based on your edits
- Summarise voice samples into a concise voice profile
When a customer email is sent to a model, only the parts relevant to drafting are included — typically the email body, the in-thread history, your active rules and matched knowledge chunks. The model provider does not retain the data for training and does not share it with other customers (per Anthropic's API terms — see their privacy policy linked in Section 7).
AI output is suggested, not authoritative. You review each draft before it's sent. We take no responsibility for the accuracy or appropriateness of unedited AI-generated content; you do.
5.1 Google Workspace API data — Limited Use disclosure
The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
InboxDesk requests one Google Workspace API scope: https://www.googleapis.com/auth/gmail.send. We use it solely to send AI-drafted reply emails on the user's behalf, after the user has reviewed and approved each draft in our dashboard. We do not request gmail.modify, gmail.readonly, or any other Workspace scope.
In line with Google's Limited Use restrictions, we explicitly do not:
- Sell any data received from Google Workspace APIs to anyone.
- Use it for advertising of any kind, including ad targeting, ad personalisation, retargeting, or interest-based profiling.
- Allow human reading of Google user data, except: (a) where the user gives explicit consent (for example, asking us to debug a specific draft), (b) where required by applicable law, or (c) where strictly necessary to ensure security or fix user-reported bugs.
- Use it to train, develop, or improve any AI/ML models — neither generalised nor non-personalised models, including those of our sub-processors. Anthropic's API terms confirm that data submitted via their API is not retained for training. We do not have any internal AI/ML models that consume customer data.
- Pool Google user data across tenants. Each tenant's data is segregated via row-level security in our database.
- Transfer Google user data to anyone outside the sub-processors listed in Section 7 below, who each receive only the minimum data required to provide their specific service.
Where you forward customer emails to InboxDesk's inbound address (a separate flow that does not use a Workspace API scope), the same Limited Use restrictions apply by policy.
For the full policy, see the Google API Services User Data Policy.
6. Where we sit in the data flow — controller vs processor
For your account, billing and telemetry data, we are the data controller and decide how it's processed.
For the customer email content you forward into the service, we act as a data processor on your behalf — you are the controller, deciding which emails to send us and what we can do with them. Our processor obligations are set out in our Data Processing Agreement (see /dpa) and form part of our standard terms for paying customers.
7. Sub-processors
We use the following third-party services to operate InboxDesk. Each has its own privacy policy; we link them so you can read them.
| Sub-processor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU (eu-west-2) | https://supabase.com/privacy |
| Vercel | Application hosting, edge network | EU + US (with SCCs for US edge) | https://vercel.com/legal/privacy-policy |
| Anthropic | AI model provider (Claude) | US (with SCCs) | https://www.anthropic.com/legal/privacy |
| Voyage AI | Embeddings for knowledge-base retrieval | US (with SCCs) | https://www.voyageai.com/privacy |
| Resend | Transactional email (inbound webhook + outbound alerts) | EU + US | https://resend.com/legal/privacy-policy |
| Stripe | Subscription billing and card processing | UK + US (with SCCs) | https://stripe.com/privacy |
| Sentry | Error monitoring | US (EU residency available) | https://sentry.io/privacy |
| PostHog | Product analytics | EU (eu.i.posthog.com) | https://posthog.com/privacy |
| Cloudflare Turnstile | Anti-bot challenge on the signup form | Cloudflare global edge (US / EU) | https://www.cloudflare.com/privacypolicy/ |
| Upstash Redis | Anti-abuse signup rate limit (stores SHA-256 hash of visitor IP with a per-environment pepper, 1-hour TTL) | EU (eu-west-1, Ireland) | https://upstash.com/trust/privacy.pdf |
We don't use general-purpose advertising or marketing networks, and we don't share data with them.
7.1 Sub-processors that receive Google user data
For transparency on Google Workspace API data specifically: of the sub-processors listed above, the following may receive Google user data (defined as: data obtained from Google Workspace APIs, including OAuth refresh tokens for the gmail.send scope and the content of emails sent through Gmail using that scope):
- Anthropic (US, under UK IDTA / EU SCCs). Receives the customer email body being replied to, your tenant rules, and matched knowledge-base context, only for the purpose of generating a draft reply. Anthropic does not retain this data for training, per their API terms.
- Supabase (EU, eu-west-2). Stores Gmail OAuth refresh tokens (encrypted at rest) and email content you forward into the inbound address. Row-level security enforces tenant isolation.
- Resend (EU + US, under UK IDTA / EU SCCs). Receives forwarded inbound emails from your Gmail filter and webhooks them to our application. Resend is not used to send customer-facing replies; those go through gmail.send via your own Gmail.
- Vercel (EU + US edge). Routes API requests in transit. Serverless functions are stateless; Google user data is not persisted at Vercel.
The following sub-processors do not receive Google user data:
- Voyage AI. Receives only knowledge-base text and rule text for embedding generation. Receives no email content and no OAuth tokens.
- Sentry. Receives error stack traces and minimal request metadata. Email bodies are explicitly scrubbed from error reports before transmission.
- PostHog. Receives only pseudonymous usage events (page views, feature interactions). Receives no email content and no OAuth tokens.
- Stripe. Subscription billing only. Receives no Google user data.
We do not transfer, sell, or otherwise disclose Google user data to any third party that is not on the sub-processor list above.
8. International data transfers
The primary database for InboxDesk is hosted in the European Union (Supabase EU, region eu-west-2). However, some of our sub-processors are based in the United States. Where personal data is transferred outside the UK or EEA, we rely on:
- The UK International Data Transfer Addendum (IDTA) and/or
- EU Standard Contractual Clauses (SCCs) with appropriate safeguards
We don't transfer personal data to countries that lack an adequacy decision unless one of the above mechanisms is in place.
9. How long we keep data
| Data | Retention |
|---|---|
| Account and tenant config | While your account is active |
| Email content (inbound + drafts + sent) | While your account is active, then deleted under the rules below |
| Audit log (sign-in events, exports, deletions) | 12 months from the event |
| Billing records | 7 years (UK accounting requirements) |
| Marketing consent records | Until withdrawn, plus 12 months |
| Backups | Up to 7 days after a record is deleted from the live database |
If you request account deletion, we hard-delete your tenant after a 30-day grace period (during which you can cancel). Backups age out within a further 7 days. Some records — billing and certain audit-log entries — are retained for the periods above to meet legal obligations.
10. Your rights
Under UK GDPR you have the following rights. You can exercise any of them by emailing privacy@inboxdesk.ai or, where we've built self-service tools, from the Settings page in the app.
- Access — get a copy of the personal data we hold about you. The Settings page lets you export your full tenant data as JSON in one click.
- Rectification — ask us to correct data that's wrong.
- Erasure ("right to be forgotten") — ask us to delete your data. The Settings page initiates a 30-day deletion process.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — get your data in a structured, machine-readable format. The same JSON export covers this.
- Objection — object to processing based on legitimate interests (telemetry).
- Withdraw consent — withdraw any consent you previously gave (e.g. marketing).
- Complain — lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk if you believe we've handled your data improperly. We'd appreciate the chance to put things right first, but the right to complain is unconditional.
We aim to respond to rights requests within 30 days.
11. Cookies and similar technologies
InboxDesk uses a small number of cookies. They are listed below.
- Authentication cookies (essential) — set by Supabase Auth to keep you signed in.
- CSRF tokens (essential) — protect form submissions from cross-site request forgery.
- Analytics cookies (consent-required) — set by PostHog to track product usage. We will not set these without your consent where required by law.
We do not use cookies for advertising or for tracking you across other websites.
12. Security
We take reasonable steps to protect your data, including:
- Encryption in transit (TLS 1.2+ everywhere)
- Encryption at rest for the database, file storage and OAuth refresh tokens
- Row-Level Security policies in our database that scope every query to the tenant of the requesting user
- Access controls on the small number of accounts that can reach production systems
- Audit logging of administrative actions
- Vulnerability monitoring of dependencies
No service is completely secure. If we discover a personal data breach affecting you, we will notify you and (where required) the ICO within 72 hours of becoming aware.
13. Children
InboxDesk is intended for business users and is not designed for or directed at children under 16. We do not knowingly collect personal data from children. If you believe we've inadvertently collected such data, contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. The version and effective date are shown at the top of this page. If we make a material change, we will notify active users by email and/or in-app banner at least 14 days before the change takes effect.
15. Contact
Questions about this policy or about the data we hold on you:
- Email: privacy@inboxdesk.ai
- Regulator: UK Information Commissioner's Office — https://ico.org.uk