Privacy Policy

Effective June 13, 2026

Inbox Spy helps users collect, organize, and study marketing emails sent to Gmail aliases they create for tracked companies. This policy explains how Inbox Spy accesses, uses, stores, and shares information.

Information we collect

• Account information: your email address and authentication records.
• Workspace information: tracked companies, folders, niches, settings, and read status.
• Google user data: when you connect Gmail, Inbox Spy uses read-only Gmail access to identify messages delivered to your Inbox Spy company aliases and archive their subject, sender, recipient, timestamps, text, HTML, and related email content.
• Connection credentials: Google OAuth refresh tokens are encrypted before storage. Inbox Spy does not receive or store your Google password.
• Operational information: security, authentication, collector-status, and error records needed to operate and protect the service.

How we use information

We use information only to provide, secure, maintain, and improve Inbox Spy; authenticate users; collect matching emails; create HTML, image, and PDF archives; organize workspaces; troubleshoot failures; prevent abuse; and respond to support requests.

Google API Services User Data

Inbox Spy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Inbox Spy requests the Gmail read-only scope because automatic collection requires reading messages delivered to aliases associated with companies in your workspace. Google user data is not used for advertising, sold, transferred to data brokers, or used to train generalized artificial-intelligence or machine-learning models. Humans do not read Google user data except with your affirmative permission for support or security purposes, when required by law, or when necessary to investigate abuse.

How we share information

We share information only with service providers that process it on our behalf to operate Inbox Spy, currently including Google, Render, Supabase, and Cloudflare; when you direct us to; or when legally required. Service providers may use information only to provide their contracted services.

Storage, security, and retention

Workspace metadata is stored in a private database and email archives are stored in private object storage. Gmail refresh tokens are encrypted using AES-256-GCM. Access controls, tenant isolation, HTTPS, and restricted server credentials are used to protect data. No system is completely secure.

We retain information while your account is active and as needed to provide the service, comply with law, resolve disputes, and enforce agreements. Disconnecting Gmail revokes and removes the stored Gmail refresh token. You may request deletion of your account and associated data by contacting support.

Your choices and rights

You may disconnect Gmail at any time from Inbox Setup and revoke access from your Google Account permissions. You may request access, correction, export, or deletion of your information by emailing support@inboxspy.org.

Children

Inbox Spy is not intended for children under 16, and we do not knowingly collect their personal information.

Changes

We may update this policy as the service changes. Material changes will be posted here with a revised effective date.

Contact

Questions or privacy requests: support@inboxspy.org.