Privacy Policy

Last updated: 2026-06-04

1. What we collect

When you connect a Gmail or Google Workspace account to Inboxchat, we request the gmail.readonly OAuth scope. This lets us read message metadata (sender, recipients, subject, timestamps, labels) and the full body of messages. We do not request gmail.send, gmail.modify, or any write scope.

We store these copies inside our infrastructure (hosted by Supabase, region us-east-1) so we can render conversations as clean chronological chat threads without re-fetching Gmail on every page load.

2. How long we keep it

We keep metadata and the most recent 90 days of full message content indexed for fast search. Older messages are fetched on demand when you open a thread, and the full body is cached for up to 90 days from the time you opened it. Metadata (subject, participants, timestamps) is retained for the lifetime of your account so the unified inbox stays usable.

3. OpenAI and AI processing

When you click the Summarise button on a thread or ask a follow-up question in the transcript Q&A panel, the relevant thread content is sent to OpenAI (gpt-4o-mini for summaries, gpt-4o for Q&A) to generate the response. We never send email content to OpenAI in the background. We never auto-summarise. AI processing happens only on your explicit click.

OpenAI is configured to not retain prompt data via their Zero Data Retention policy where available on the API tier we use.

4. Deletion

You can delete your Inboxchat account at any time from Settings. When you do, all stored email content, OAuth tokens, and connected-account records are purged from our database within 24 hours. Backups containing your data are rotated within 30 days.

You can also disconnect individual Gmail accounts without deleting your Inboxchat account. Disconnecting an account triggers the same 24-hour purge for that account is data.

5. Security

OAuth refresh tokens are encrypted at rest using AES-256-GCM with a server-held key that never reaches your browser. Database access is enforced by Postgres Row Level Security policies tied to your authenticated identity, so other Inboxchat users cannot read your data.

All traffic to lagible.com and the Supabase API uses TLS 1.2 or higher. Production secrets live in Vercel environment variables. The Service Role key never appears in any client-side bundle (enforced by CI scan on every deploy).

6. International transfers

Inboxchat is operated from India by a sole proprietor. Compute and storage run on Vercel (us-east-1 by default) and Supabase (us-east-1). If you are located outside the United States, your data is transferred to and processed in the US. By using Inboxchat you consent to this transfer.

7. Affiliate program

If you arrive via a referral link, we set a 60-day cookie that attributes any paid subscription back to the referring affiliate. The affiliate receives a percentage of your subscription. Affiliates see anonymous counts (number of referrals, number of paid conversions, payout amounts) and never see your email address or any thread content.

8. Your rights

You can request a copy of your data, correction of inaccuracies, or full deletion at any time. Email ayushopchauhan@gmail.com with the subject "privacy request".

9. Changes to this policy

We will notify you by email at least 14 days before any material change takes effect. The current version is always visible at this URL.

10. Contact

Inboxchat is operated by Ayush Chauhan, Vadodara, India. For privacy questions, email ayushopchauhan@gmail.com.