What we collect

When you sign in with Google, InboxFlow may collect your Google account email, basic profile data, Gmail message metadata, sender information, labels, dates, selected message identifiers, and limited email content needed to detect repetitive senders, newsletters, and unsubscribe signals. InboxFlow does not collect or store your Gmail password.

How we use data

We use Gmail data only to provide and improve visible user-facing features: inbox analysis, sender grouping, cleanup previews, unsubscribe detection, settings, safety checks, and actions you explicitly confirm.

Gmail access and actions

InboxFlow reads Gmail data to build analysis and previews. Archiving, moving to Trash, marking as read, or opening an unsubscribe flow happens only after you review and confirm. InboxFlow does not automatically delete emails.

Sensitive data protection mechanisms

We treat Gmail data, selected message identifiers, analysis results, and OAuth tokens as sensitive data. Protection mechanisms include Google OAuth, HTTPS/TLS in production, server-side session storage, CSRF protection for state-changing forms, signed action plans, environment-based secret storage, least-privilege operational access, and internal access limited to support, security, abuse investigation, or legal compliance.

Retention and deletion of Google user data

InboxFlow does not store Gmail message bodies in a long-term database. Gmail analysis data, selected message identifiers, OAuth tokens, preferences, cached sender summaries, and action metrics are retained only as long as needed to provide the active service/session functionality. When you disconnect InboxFlow, stop using the service, revoke Google access, or request deletion, we stop using your Google user data and delete or anonymize remaining account/session records unless retention is required for security, abuse prevention, or legal compliance.

Sharing and restricted uses

We do not sell Google user data, use it for advertising, retargeting, credit decisions, or transfer it to data brokers. Humans do not read Gmail data unless you ask for support, give consent, or access is needed for security, abuse investigation, or legal compliance.

Security

InboxFlow uses Google OAuth instead of password sharing. We request only permissions needed for the cleanup features and design cleanup actions so Gmail changes require explicit user confirmation.

Your controls

You can disconnect InboxFlow, stop using the service, and revoke Google access at any time from your Google account permissions. You can contact us to request help with data access, correction, or deletion.

Contact

Questions about this policy: support@joininboxflow.com.

Google API Services

InboxFlow's use and transfer of information received from Google APIs follows the Google API Services User Data Policy, including the Limited Use requirements. Google API Services User Data Policy.