Privacy Policy

Last Updated: February 14, 2026

Introduction

INBOXTONIC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome extension and website (collectively, the "Service").

Please read this Privacy Policy carefully. By using INBOXTONIC, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

1. Information We Collect
1.1 Information You Provide

Account Information:

  • Email address (collected via Google OAuth)
  • Name and profile picture (from your Google account)
  • Subscription and billing information (if you upgrade to a paid plan)

User-Generated Content:

  • Email instructions you provide to generate replies
  • Context you add to customize email generation usage
  • Tone and model preferences you select

Writing Style Data:

  • Sample emails you provide for personalization (optional)
  • Writing patterns detected from your email usage (with your permission)
1.2 Information Collected Automatically

Usage Information:

  • Number of email credits used
  • Features accessed within the extension
  • Tone and model selections
  • Time and date of usage
  • Browser type and version

Technical Information:

  • Chrome extension ID
  • IP address (for security and fraud prevention)
  • Device information (operating system, browser version)
  • Error logs and crash reports
1.3 Information We Do NOT Collect

We want to be crystal clear about what we DO NOT collect:

Email Content Storage:

  • We do NOT store or permanently retain email content
  • We do NOT store or permanently retain your email contacts
  • We do NOT keep email history or message archives or the responses generated by the AI

Authentication Information:

  • We do NOT collect Gmail credentials - we use Google OAuth and never see your password
  • We do NOT store any passwords, PINs, or security questions

Other Data:

  • We do NOT collect health information, financial data, or location data beyond IP addresses for analytics
  • We do NOT access your web browsing history or other personal data
1.4 Email Content Access Clarification

While we do not store or permanently retain email content, we do temporarily access email data when you use the email generation features:

When you use email generation:

  • We read the current email thread context (subject, sender, message content) from Gmail
  • This data is processed in real-time (see Section 3.1 Real-Time Processing)
  • We automatically scrub and remove personally identifiable information (PII) from email content before processing
  • This includes names, addresses, phone numbers, email addresses, signature blocks, and other sensitive personal data
  • The cleaned, anonymized content is sent to our AI service to generate your email content
  • All data is immediately discarded after email generation
  • No email content is ever stored in our databases or retained for any other purpose

Key Distinction:

  • Access/Collect: Yes, temporarily when you use the feature (covered in Section 2.1 To Provide the Service)
  • Store/Retain: No, email content is never saved, logged, or kept permanently

Your Control:

  • Email access only occurs when you explicitly use email generation features
  • You can revoke Gmail permissions anytime through your Google account settings
  • The extension only works on Gmail pages and requires your active permission
2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide the Service
  • Generate AI email responses based on your instructions and context
  • Personalize your experience by learning your writing style (opt-in only)
  • Authenticate your account using Google OAuth
  • Track your usage to enforce plan limits (20/200/500 credits per month)
  • Process payments for Plus and Pro subscriptions
2.2 To Improve the Service
  • Analyze usage patterns to improve app functionality and features
  • Monitor performance and fix bugs
  • Develop new features based on aggregate user behavior
  • Conduct A/B testing to optimize user experience
2.3 To Communicate With You
  • Send service updates and important notices
  • Provide customer support when you contact us
  • Send billing notifications and receipts
  • Request feedback to improve our Service (optional)
2.4 For Security and Compliance
  • Prevent fraud and abuse of the Service
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect our rights and property
3. How We Process Email Generation
3.1 Real-Time Processing

When you use INBOXTONIC to generate an email:

  1. You provide instructions (e.g., "Decline meeting politely, suggest next week")
  2. We send your instructions to our AI service provider (e.g., OpenAI, Anthropic, Google)
  3. AI generates a response based on your instructions and selected tone
  4. We return the response to you in the extension
  5. We delete the data immediately - Neither your instructions nor the generated email are permanently stored

Retention Period: AI-generated content is processed in real-time and immediately discarded after delivery to you.

3.2 Writing Style Learning (Optional)

If you enable "Personalization" or "Writing Style Learning":

  • We analyze the emails that you've previously sent to identify your writing patterns
  • We store anonymized writing patterns (sentence structure, common phrases, tone preferences)
  • We do NOT store the actual email content
  • You can disable this feature and delete your writing profile at any time
4. Data Sharing and Disclosure

Important: We only share user data with third-party service providers for the sole purpose of providing and improving the core functionality of the Service. We do not transfer user data to third parties for any other purpose, including marketing, advertising, or data analytics unrelated to Service functionality.

4.1 Third-Party Service Providers

We share your information with trusted third-party service providers who help us operate the Service:

AI Service Providers:

  • OpenAI (GPT models) - No API data training by policy
  • Anthropic (Claude models) - No API data training by policy
  • Google (Gemini models) - No API data training by policy
  • Mistral AI (Mistral models) - Technical opt-out implemented via API headers
  • AI21 Labs (Jamba models) - No API data training by policy, explicit Google API compliance

Purpose: To generate AI email responses

Data Shared: Your email instructions, selected tone, and the relevant email context (temporarily, for processing only)

Retention: These providers process data in real-time and do not store it permanently

CRITICAL COMPLIANCE STATEMENT: We use only AI service providers that have committed to NOT using customer data to train their generalized AI models. We have verified that OpenAI, Anthropic, Google, and AI21 Labs do not use data submitted via their APIs to train or improve their models by default.

Technical Safeguards: For providers with opt-out policies, we have implemented technical controls:

  • Mistral AI: We send explicit "no-training" headers with all API requests to opt out of data usage in model training
  • Verification: The provider confirms these headers prevent API data from being used for training purposes

Your data is processed solely to generate your email responses and is immediately discarded.

Payment Processing:

  • Stripe (for billing and subscription management)

Purpose: To process payments for Plus and Pro subscriptions

Data Shared: Email address, payment method, billing information

Privacy Policy: https://stripe.com/privacy

Analytics and Monitoring:

  • Google Analytics (aggregate usage analytics)
  • Sentry (error tracking and crash reporting)

Purpose: To provide and improve the Service's functionality by monitoring performance, identifying and fixing technical issues, and ensuring the Service operates reliably

Data Shared: Anonymized usage data, error logs (no personally identifiable information or Google user data)

Note: These services are essential for maintaining and improving the core functionality of the Service. No Google user data is shared with these providers.

Email Communications:

  • SendGrid (transactional emails)

Purpose: To provide essential Service functionality by sending account-related communications (welcome emails, billing notifications, and support responses)

Data Shared: Email address, name (no Google user data)

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Court orders or legal processes
  • Requests from government authorities
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities
4.3 Business Transfers

If INBOXTONIC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

4.4 What We Do NOT Do

We will NEVER:

  • Sell your personal information to third parties
  • Share your email content with anyone
  • Use your data for advertising purposes
  • Share your data with data brokers
5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Technical Safeguards
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest: Sensitive data stored in our databases is encrypted using AES-256.
  • Secure authentication: We use Google OAuth 2.0 for authentication (we never see your password).
  • Access controls: Only authorized personnel have access to user data on a need-to-know basis.
5.2 Organizational Safeguards
  • Regular security audits: To identify and fix vulnerabilities.
  • Employee training: On data protection and privacy best practices.
  • Incident response plan: To quickly address any security breaches.
  • Data minimization: We only collect data necessary to provide the Service.
5.3 Limitations

While we take reasonable measures to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention
6.1 Active Accounts
  • Account information: Retained for as long as your account is active
  • Usage data: Retained for 12 months for analytics purposes, then automatically deleted
  • Writing style data: Retained until you delete it or close your account (no automatic expiration)
  • Email data: NOT retained - deleted immediately after processing (within seconds)
  • Authentication tokens: Access tokens expire after 1 hour, refresh tokens retained until revoked
  • Payment information: Retained by Stripe per their retention policy (we do not store payment details)
  • Error logs: Retained for 90 days for debugging purposes, then automatically deleted
  • Audit logs: Retained for 12 months for security monitoring, then automatically deleted
6.2 Closed Accounts

When you delete your account:

  • Your account information is deleted within 30 days
  • Your usage data is anonymized and may be retained for up to 12 months for analytics, then deleted
  • Your writing style data is permanently deleted immediately
  • Your payment information is deleted from our systems (Stripe retains it per their retention policy for 7 years for tax/legal compliance)
  • Your authentication tokens are immediately revoked
  • Your email address is retained in a suppression list to prevent accidental re-registration (can be removed upon request)
6.3 Legal Retention

We may retain certain information if required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements, preventing fraud).

7. Your Privacy Rights
7.1 Access and Portability

You have the right to:

  • Access your personal information: Request a copy of the data we hold about you.
  • Download your data: Export your account information and preferences in a machine-readable format.

How to exercise: Email us at privacy@inboxtonic.com

7.2 Correction and Deletion

You have the right to:

  • Correct inaccurate information: Update your email address or profile information.
  • Delete your account: Permanently remove your account and associated data.

How to exercise:

  • Update information in your account settings
  • Delete your account: Settings → Account → Delete Account
  • Or email us at privacy@inboxtonic.com
7.3 Opt-Out Rights

You have the right to:

  • Opt out of marketing emails: Unsubscribe from promotional emails (you will still receive transactional emails).
  • Disable writing style learning: Turn off personalization features in Settings.
  • Opt out of analytics: Use browser plugins like uBlock Origin or Privacy Badger.
7.4 Rights for EU/UK Users (GDPR)

If you are located in the European Union or United Kingdom, you have the following additional rights under GDPR:

  • Right to object: You can object to processing of your personal data when we rely on legitimate interests
  • Right to restriction: You can request restriction of processing in specific circumstances (e.g., if you contest data accuracy)
  • Right to lodge a complaint: You can file a complaint with your local data protection authority about our data practices

When These Rights Apply:

  • Right to object: Applies to processing based on legitimate interests (service improvement, fraud prevention)
  • Right to restriction: Applies when you contest accuracy of data, processing is unlawful, or you no longer need the data but we do for legal claims
  • Right to complain: Always available if you believe we've violated your data protection rights

Legal Basis for Processing:

  • Contract necessity: Processing required to provide the email generation service
  • Legitimate interests: Service improvement, security, and fraud prevention
  • Consent: Optional features like writing style personalization (can be withdrawn anytime)
7.5 Rights for California Users (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete your personal information (with certain exceptions).
  • Opt out of the sale of your personal information (note: we do not sell personal information).
  • Non-discrimination for exercising your privacy rights.

How to exercise: Email us at privacy@inboxtonic.com with "CCPA Request" in the subject line.

8. Children's Privacy

INBOXTONIC is not intended for use by anyone under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@inboxtonic.com. We will delete such information from our systems within 30 days.

9. International Data Transfers

INBOXTONIC is based in the UAE, and your information may be processed in the UAE or other countries where our service providers operate.

9.1 Data Processing Locations

Your data is processed and stored in the following locations:

Primary Data Storage:

  • Supabase (Database): US East region (AWS us-east-1, Virginia, USA)
  • Vercel (API Hosting): Global edge network with primary region in US East

Third-Party Processors:

  • OpenRouter (AI Generation): United States
  • OpenAI (Embeddings): United States
  • Stripe (Payments): United States and European Union
  • Google OAuth (Authentication): Global infrastructure
9.2 International Transfer Mechanisms

If you are located in the European Union, United Kingdom, or other jurisdictions with data protection laws, please note that we transfer your personal information to countries that may not provide the same level of data protection as your home country.

We rely on the following mechanisms for international transfers:

  • Standard Contractual Clauses (EU-approved data transfer agreements) with Supabase and Stripe
  • Adequacy decisions by the European Commission (where applicable)
  • Your consent for transfers necessary to provide the Service
  • Processor agreements with all third-party service providers ensuring GDPR compliance
10. Third-Party Links

Our Service may contain links to third-party websites, plugins, or services that are not operated by us (e.g., Stripe payment pages, AI provider websites).

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

Examples of third-party services:

  • Google OAuth (for authentication).
  • Stripe (for payment processing).
  • AI service providers (for email generation).
11. Cookies and Tracking Technologies
11.1 Cookies We Use

INBOXTONIC uses minimal cookies and tracking technologies:

Essential Cookies (Required):

  • Authentication cookies: To keep you signed in (session-based, expires when you close browser)
  • Security cookies: To prevent CSRF attacks and ensure secure connections

Analytics Cookies (Optional):

  • Google Analytics: To understand how users interact with our website (anonymized)
  • You can opt out using browser settings or privacy extensions

No Advertising Cookies:

  • We do NOT use cookies for advertising, tracking, or marketing purposes
  • We do NOT share cookie data with third parties for advertising
11.2 Cookie Management

You can control cookies through:

  • Browser settings: Most browsers allow you to refuse cookies or delete existing cookies
  • Privacy extensions: Use tools like uBlock Origin, Privacy Badger, or Cookie AutoDelete
  • Opt-out links: Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout

Note: Disabling essential cookies may prevent you from using certain features of the Service.

11.3 Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Currently, there is no industry standard for responding to DNT signals, and INBOXTONIC does not respond to DNT signals.

You can control tracking through browser settings and privacy-focused browser extensions.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date.
  • Sending an email notification to your registered email address.
  • Displaying a prominent notice in the extension.

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@inboxtonic.com

Website: https://inboxtonic.com/contact

Mailing Address:

eConsult Networks LLC dba INBOXTONIC

Shams Business Center, Sharjah Media City Free Zone,

Al Messaned, Sharjah, UAE

Response Time: We will respond to your inquiry within 30 days (or as required by applicable law).

14. Data Protection Officer

For users in the European Union or United Kingdom, you can contact our Data Protection Officer (DPO) at:

Email: dpo@inboxtonic.com

15. Specific Disclosures
15.1 Google API Services User Data Policy

INBOXTONIC's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

The use of information received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Technical Implementation:

  • We implement provider-specific opt-out mechanisms where available
  • Mistral AI requests include "no-training" headers
  • API configurations enforce opt-out settings by default
  • Regular compliance audits verify technical controls are effective

Provider-Specific Compliance:

  • OpenAI, Anthropic, Google, AI21 Labs: Policy-based no-training commitments
  • Mistral AI: Technical opt-out via API headers + policy commitments
  • All providers: Verified compliance with Google Limited Use requirements

What this means:

  • We only use Google user data (email, profile) for authentication and personalization purposes
  • We do not use Google user data for serving ads.
  • We do not transfer Google user data to third parties except to our approved AI service providers (OpenAI, Anthropic, Google, Mistral AI, AI21 Labs) solely for real-time email generation.
  • WE DO NOT USE GOOGLE USER DATA OR ANY USER DATA TO DEVELOP, IMPROVE, OR TRAIN GENERALIZED AI OR ML MODELS.
  • WE DO NOT RETAIN USER DATA OBTAINED THROUGH WORKSPACE APIs BEYOND THE IMMEDIATE PROCESSING REQUIRED TO GENERATE EMAIL RESPONSES.
  • All email content accessed via Gmail API is processed in real-time, with PII automatically scrubbed, and immediately discarded after response generation.
15.2 Google Workspace APIs

The use of information received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

15.3 Chrome Web Store Data Usage

INBOXTONIC is a Chrome extension and complies with Chrome Web Store Developer Program Policies.

Permissions we request:

  • identity: To authenticate users via Google OAuth
  • storage: To store user preferences and usage data locally
  • activeTab: To interact with Gmail when you click the extension icon

We only access data necessary to provide the Service and do not access data outside of these declared permissions.

16. Summary (TL;DR)

What we collect:

  • Email address (for authentication).
  • Usage data (generations used, features accessed).
  • Writing style patterns (optional, with your permission).

What we access temporarily:

  • Email content (only when you use email generation - automatically scrubbed of PII and never stored).
  • Current email thread context (processed in real-time, immediately discarded).

What we DON'T collect/store permanently:

  • Email content (no permanent storage, history, or archives).
  • Email contacts.
  • Email metadata (subjects, recipients, timestamps).
  • Passwords or authentication credentials.
  • Health, financial, or location data (beyond IP for analytics).
  • Web browsing history.

How we use your data:

  • To generate AI email responses (PII scrubbed, deleted immediately after processing).
  • To personalize your experience (optional).
  • To improve the Service.

Your rights:

  • Access your data.
  • Delete your account.
  • Opt out of optional features.
  • Contact us with questions.

We NEVER:

  • Sell your data.
  • Share your email content.
  • Use your data for advertising.
  • Store email content permanently.

By using INBOXTONIC, you acknowledge that you have read, understood, and agree to this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use our Service.

This Privacy Policy is effective as of February 14, 2026 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.