Home

Privacy Policy

Last updated: 2025-10-15

Inbox Party (“Inbox Party”, “we”, “us”, “our”) helps teams stay on top of shared Gmail inboxes, calendars, and contact workflows while meeting the security expectations of Google’s API Services User Data Policy and the CASA Level 2 framework. This Privacy Policy explains how we collect, use, store, and share personal information when you interact with our products, websites, or support teams.

This policy applies to:

  • Workspace administrators who authorize Inbox Party to access Google services.

  • End users who rely on Inbox Party to triage email, calendar events, tasks, and analytics.

  • Website visitors, applicants, and individuals who contact our team.

You should read this notice alongside our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

1. Information We Collect

1.1 Account & Workspace Details

  • Name, email address, and profile metadata provided by Google Workspace or entered manually.

  • Job role, team assignment, and access level tracked in our Role-Based Access Control (RBAC) system.

  • Billing and subscription context (organization name, billing contact, transaction references—processed by our PCI-compliant payment provider).

1.2 Gmail & Google Workspace Data

Inbox Party connects to Google APIs using OAuth 2.0 scopes approved by the workspace administrator. Depending on the features enabled, we process:

  • Email metadata (headers, thread IDs, labels, timestamps, participants).

  • Email bodies and attachments for classification, shared reply drafting, and analytics.

  • Calendar events, attendees, and reminders (if calendar features are enabled).

  • Contact records (names, email addresses, notes) needed for suggested follow-ups.

Our integration complies with Google’s Limited Use requirements:

  1. Gmail and Google Calendar data are only used to deliver user-facing email, collaboration, and scheduling features.

  2. We do not serve ads or sell Gmail or Google Workspace data.

  3. No humans read Gmail or Calendar data unless:

    • We have explicit end-user consent.

    • It is necessary for security, legal, or compliance investigations.

    • Access is required to resolve a user-requested support ticket.

    • Aggregate dashboards are derived from anonymized signals.

  4. We do not transfer Gmail data to third parties except as required to provide the service or comply with law.

1.3 Product Telemetry & Structured Logs

  • Service requests (route, timestamp, client IP) with per-request request_id for incident response.

  • Performance metrics, queued jobs, retry counts, and rate-limit events.

  • Error details with redacted payloads for troubleshooting.

Structured logging follows CASA guidance (immutable storage, retention ≥ 400 days, alerting on privileged access).

1.4 Support & Communications

  • Conversation transcripts, screenshots, and attachments shared with support.

  • Survey responses or product feedback.

1.5 Website Interactions

We collect limited analytics (device/browser, page paths, referral source) to improve our public website. We do not use third-party advertising cookies.

2. How We Use Information

Purpose Description Legal Basis Service delivery Sync Gmail and calendar data, provide shared inbox functionality, send notifications Performance of contract Intelligent features Generate suggested responses, categorize email, recommend contacts Performance of contract; consent where required Account administration Provision users, enforce access controls, issue invoices Legitimate interest / contract Security & compliance Monitor for abuse, audit access, rotate secrets, satisfy CASA evidence needs Legitimate interest; legal obligations Support Diagnose and resolve tickets, provide onboarding Performance of contract Research & improvement Analyze anonymized metadata to improve performance Legitimate interest

We never use Gmail content for ads. Any machine-learning model that touches Gmail or calendar content is scoped to provide Inbox Party features only.

3. Data Sharing & Processors

We may share personal information with:

  • Google Cloud Platform (GCP) – hosting, secret management, logging.

  • Google Workspace – account provisioning, identity provider, email.

  • Mailgun – outbound transactional email (contact notifications, digests).

  • OpenAI – on-demand AI summarization and drafting restricted to authorized scopes; data retention settings follow enterprise contract terms.

  • PagerDuty / Slack – optional incident and alert integrations configured by customers.

  • Payment processor – PCI-certified provider (e.g., Stripe) for subscription management.

Each vendor is assessed via our vendor risk management program (docs/governance/vendor-assessments.md). We require contractual safeguards including data processing agreements, confidentiality commitments, and sub-processor transparency.

We will disclose information if required by law, court order, or lawful government request. We may also share anonymized or aggregated statistics that cannot identify individuals.

4. Security Measures

Inbox Party implements controls aligned with CASA Level 2:

  • Encryption in transit (TLS 1.2+) and at rest (KMS-managed keys with 90-day rotation).

  • Segregated staging and production environments managed via Terraform and approval-based CI/CD.

  • RBAC, multi-factor authentication enforcement, and quarterly access reviews.

  • Structured logging, immutable storage ≥ 400 days, and automated alerting on abuse signals.

  • Incident response and disaster recovery runbooks with semiannual exercises.

  • Secure coding practices, dependency scanning, and change-management approvals.

Refer to docs/policies/information-security-policy.md and docs/security/*.md for detailed control descriptions.

5. Data Retention

  • Gmail message bodies and attachments: retained while the workspace account is active and for up to 30 days after account termination to support export requests, unless the administrator requests earlier deletion.

  • Metadata (threads, labels, analytics): retained for the life of the service to support product functionality.

  • Structured logs: retained for at least 400 days, after which they are anonymized or deleted.

  • Support interactions: retained for 18 months to meet audit obligations.

Customers can configure shorter retention windows via administrative settings or by contacting support.

6. International Transfers

We primarily process data in the United States using Google Cloud regions. If we transfer data across regions, we rely on appropriate safeguards such as Standard Contractual Clauses or other applicable transfer mechanisms.

7. Your Rights & Choices

  • Access and portability: Administrators can export user data via the Inbox Party dashboard or by contacting akash@inboxparty.com.

  • Correction: Update profile information from account settings or request changes through support.

  • Deletion: Workspace admins can delete individual user data or request full workspace deletion. We will honor verified requests within 30 days, subject to legal retention requirements.

  • Consent withdrawal: Revoking Gmail scopes in the Google Workspace admin console immediately stops future data collection; existing data can be deleted upon request.

  • Opt-out: You may opt out of non-essential communications via the unsubscribe link or by emailing us.

Additional rights may apply depending on your jurisdiction (e.g., GDPR, CCPA, Australian Privacy Act). We respond to rights requests within the applicable statutory timeframe.

8. Children’s Privacy

Inbox Party is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us information, contact us and we will delete it.

9. Updates to This Policy

We may update this Privacy Policy to reflect product changes, legal requirements, or CASA guidance. We will notify administrators of material changes via email or in-app banner. Continued use after the effective date indicates acceptance.

10. Contact Us

  • Email: akash@inboxparty.com

  • Mailing address: Inbox Party, Kanpur, India, 208005

  • Data Protection Officer: Akash Wadhwani

You may also escalate unresolved concerns to your local data protection authority.

11. Additional Notices for Google API Services

Inbox Party’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our engineering and compliance teams conduct quarterly reviews to confirm scope minimization, log retention, and consent flows remain compliant. Evidence of these reviews is tracked in docs/evidence-tracker.csv.

If you disconnect Inbox Party from your Google account, we promptly cease access to your Google data and remove residual data per Section 5.

Contact

If you have any questions or concerns about our Privacy Policy or your data, please contact us at akash@inboxparty.com