Privacy Policy
Last updated: April 22, 2026
1. Introduction
This Privacy Policy explains how InboxWatch, a product of Papa Corporation (“we,” “us,” or “our”), collects, uses, stores, and protects your information when you use InboxWatch (“the Service”). We are committed to safeguarding your privacy and being transparent about our data practices.
Core commitment: InboxWatch never reads, stores, or accesses the content of your emails or attachments.
2. Information We Collect
2.1 Account Information
When you sign in via OAuth, we receive:
- Name and email address from your Google or Microsoft account
- Profile photo URL (if available)
- OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
- Account type (personal or organizational) and tenant identifier
2.2 Email Metadata (Not Content)
During scans, we access metadata only:
- Mailbox settings: Forwarding rules, filters, delegates, send-as aliases, auto-reply configurations
- Email headers: From, To, Reply-To, Date, Subject line, Message-ID, authentication results (SPF/DKIM/DMARC) — never the message body
- Sign-in activity: Login timestamps, IP addresses, locations, device information, MFA status
- OAuth app permissions: Third-party apps with access to your account, their permission scopes
- Calendar events (only if calendar.events.readonly is granted via incremental consent): Event subject, organizer email, attendee list, start/end time, description, location, and meeting URL — used to flag phishing invites and lookalike-domain organizers. We never write or modify calendar events.
- Drive / OneDrive sharing (only if drive.metadata.readonly or the Microsoft equivalent is granted via incremental consent): File name, owner, sharing permissions (role, type, domain), last-modified time, and MIME type — used to flag files shared “anyone with the link” or with external domains. We never access file contents, download files, or change sharing settings.
2.3 Scan Results and Security Data
- Security findings with severity classifications, fingerprints, and remediation status
- Security scores and grade history
- Attack chain correlations between related findings
- AI analysis results (false positive assessments, severity adjustments)
- Whitelist/trusted sender rules you configure
- Fix wizard progress and remediation history
2.4 Breach Monitoring Data
- We check your email address against third-party breach databases
- We store whether your credentials were found in known breaches, breach sources, and dates
- We never receive, store, or have access to your actual passwords
2.5 Phishing Simulation Data
- Simulation campaign configurations and templates
- Click tracking, credential submission tracking, and report rates
- Security awareness scores per recipient
2.6 Usage and Technical Data
- Pages visited, features used, and interaction patterns within the Service
- Browser type, operating system, and device information
- IP address and approximate location
- Error logs and performance metrics
3. OAuth Permissions Requested
We request only metadata-level permissions. Here are the specific scopes:
Google (Gmail / Google Workspace)
- openid, email, profile — Sign-in and identification
- gmail.settings.basic — Mailbox settings, forwarding rules, filters
- gmail.metadata — Email headers only (no body access)
- calendar.events.readonly — Calendar event scanning (enterprise, incremental consent)
- drive.metadata.readonly — File sharing audit (enterprise, incremental consent)
Microsoft (Microsoft 365 / Outlook)
- openid, email, offline_access — Sign-in and token refresh
- User.Read — Profile information
- MailboxSettings.Read — Forwarding rules and mailbox configuration
- Mail.ReadBasic — Email headers only (no body or attachment access)
- AuditLog.Read.All — Sign-in activity (organizational accounts, separate consent)
- UserAuthenticationMethod.Read — MFA status (organizational accounts, separate consent)
- Application.Read.All — OAuth app inventory (organizational accounts, separate consent)
- Device.Read.All — Device activity analysis (organizational accounts, separate consent)
Enterprise scopes are requested through incremental consent — you are prompted separately and can decline without affecting core scanning functionality.
4. How We Use Your Information
- Security scanning: Analyze mailbox configuration and metadata to identify vulnerabilities
- Threat detection: Correlate findings into attack chain patterns
- AI analysis: Assess finding accuracy and reduce false positives using automated analysis
- Alerts: Send email and real-time notifications for new critical findings
- Remediation: Provide fix guides and execute auto-fixes you authorize
- Breach monitoring: Check credentials against third-party breach databases
- Service improvement: Improve detection accuracy and reduce false positive rates
- Customer support: Respond to your inquiries and resolve issues
5. What We Never Do
- Never read the body or content of your emails
- Never access or store email attachments
- Never sell, rent, or trade your data to third parties
- Never use your data for advertising or marketing profiling
- Never use your data to train AI/ML models (AI analysis is per-finding, results are not fed back into training)
- Never access your passwords (we use OAuth — your password is never transmitted to us)
6. Compliance with Google API Services User Data Policy
InboxWatch’s use and transfer of information received from Google APIs to any other app adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to Google user data:
- We access Google user data (mailbox settings, email headers, and — only if you grant enterprise scopes — calendar and Drive metadata) solely to provide the user-facing security features you have consented to in the Service.
- We do not use Google user data to serve advertisements or to build advertising profiles.
- We do not sell, rent, lease, or transfer Google user data to data brokers, information resellers, or any party for independent use.
- We do not allow humans to read Google user data, except: (a) with your affirmative consent for a specific message or finding; (b) for security investigations, abuse handling, or to comply with applicable law; (c) when the data has been aggregated and anonymized for internal operations; or (d) as strictly necessary to provide user-requested customer support.
- We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models. Automated analysis runs against individual findings in a stateless manner, and its outputs are not fed back into model training.
- We transfer Google user data only to the subprocessors listed in Section 7, and only to operate the features you use.
7. Sharing, Transferring, and Disclosing Your Data
We do not sell your data. We share, transfer, or disclose your information — including Google user data — only as described in this section.
7.1 Service Providers (Subprocessors)
We share the minimum data necessary with the following service providers to operate the Service. Each processes data on our behalf under contractual confidentiality and security obligations, and is prohibited from using the data for any other purpose.
| Provider | Purpose | Data Shared | Receives Google User Data? | Location |
|---|---|---|---|---|
| Google LLC | OAuth authentication and API access (Gmail, Calendar, Drive metadata) | OAuth tokens, scope grants | Source of data | Global (Google regions) |
| Microsoft Corporation | OAuth authentication and Microsoft Graph API access | OAuth tokens, scope grants | No | Global (Microsoft regions) |
| Vercel Inc. | Application hosting, serverless runtime, edge middleware | Request/response data in transit, access logs | Yes (in transit only; not persisted by Vercel) | United States |
| Neon Inc. | Managed PostgreSQL database | Encrypted OAuth tokens, scan findings, account records, email metadata extracted during scans | Yes (encrypted at rest) | United States |
| Google LLC (Gemini API) | Real-time AI classification of security findings (false-positive triage, severity adjustment). Replaced Groq Inc. on April 21, 2026 | Email header fields (From, Subject, authentication results) and finding metadata — never message body or attachments | Yes (header-level only; processed within Google infrastructure) | United States |
| Stripe, Inc. | Payment processing and subscription billing | Email address, billing usage metrics | No | United States |
| Resend, Inc. | Transactional and alert email delivery | Recipient email address, alert subject/body content | No (only your own email address as recipient) | United States |
| Upstash, Inc. | Rate-limit enforcement and short-lived caching (optional; falls back to in-memory when unavailable) | Hashed email, request counts, cached cron-debounce keys | No (hashed only) | United States |
| Pusher Ltd. | Real-time WebSocket notifications of new findings | User channel identifier, alert type and severity | No | United States (mt1 cluster) |
| Inngest, Inc. | Durable background job orchestration (scheduled scans, nightly jobs) | Job metadata, user IDs, finding IDs | Indirectly (job references, not raw Google data) | United States |
| Vercel Analytics & Speed Insights | Aggregate, anonymized product and performance analytics | Page views, Core Web Vitals, anonymized user agent — no user identifiers | No | United States |
| XposedOrNot | Credential-breach monitoring (user-facing /breach-check and daily cron) | Email address only — never passwords, tokens, message content, or any other account data | Yes (email address only, when the signed-in Google account email is checked) | International (vendor-hosted) |
7.2 Transfers Outside the United States
All primary processing and storage occurs in the United States. If you access the Service from outside the United States, your data is transferred to the United States for processing. For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) with each subprocessor listed above, and on your informed consent to the transfer, as the legal basis under Article 46 GDPR.
7.3 Legal Disclosures
We may disclose your information — including Google user data — when we have a good-faith belief that disclosure is necessary to: (a) comply with a subpoena, court order, or other legally binding request from a governmental authority; (b) enforce our Terms of Service or investigate potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect against imminent harm to the rights, property, or safety of InboxWatch, our users, or the public. Where not prohibited by law, we will notify the affected user before disclosing their data in response to legal process, and we will challenge requests that are overbroad or that conflict with applicable law.
7.4 Business Transfers
If InboxWatch is involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or receivership, personal information may be transferred as part of that transaction. Any successor entity will be bound by this Privacy Policy with respect to the data transferred, and we will notify affected users by email and on this page before any such transfer takes effect.
7.5 Other Disclosures
We will disclose your data to additional parties only with your affirmative, revocable consent obtained at the time of that specific disclosure — for example, if you choose to share a scan report with a collaborator, or authorize a connected integration.
8. Data Security
We implement the following security measures:
- Encryption in transit: All data transmitted via TLS 1.2+
- Encryption at rest: OAuth tokens encrypted with AES-256-GCM using authenticated encryption
- CSRF protection: __Host-prefixed cookie with constant-time comparison
- Content Security Policy: Per-request nonce-based CSP headers (no unsafe-inline)
- Security headers: HSTS, X-Frame-Options (DENY), X-Content-Type-Options
- Parameterized queries: All database queries via Prisma ORM (no raw SQL)
- Rate limiting: Sliding window rate limiting on all endpoints
- Audit logging: All security-relevant actions logged with timestamps and actor identification
9. Data Storage and Location
All data is stored in PostgreSQL databases hosted in the United States (Neon, via Vercel). Application hosting is provided by Vercel (US regions). Redis caching is provided by Upstash (US region).
We do not transfer personal data outside the United States except as described in the third-party services table above. If you are located outside the US, you consent to the transfer of your data to the US by using the Service.
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Scan results and findings | 14 days (minimum 10 most recent scans kept per user) |
| AI analysis records | 14 days (orphaned records) |
| Audit logs | 90 days |
| Account information | Until account deletion |
| OAuth tokens | Until access revoked or account deleted |
| Phishing simulation results | Until campaign deleted or account deleted |
You can request immediate deletion of all your data at any time through your account settings or by contacting us at nicholas@inboxwatch.ai.
11. Cookies and Local Storage
We use the following cookies:
- Session cookie (NextAuth): JWT-based authentication session, 48-hour lifetime. Strictly necessary for the Service to function.
- CSRF cookie (__Host-csrf-token): Security token for cross-site request forgery protection. Strictly necessary.
We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use any third-party tracking scripts.
12. Automated Decision-Making
InboxWatch uses automated processing to:
- Severity scoring: Findings are automatically assigned severity levels (critical, high, medium, low, info) based on detection rules
- AI analysis: Automated AI analysis reviews findings to assess false positive likelihood. If a finding type exceeds an 80% false positive rate across 10+ analyses, it may be auto-suppressed
- Security scoring: Your overall security score is computed algorithmically from finding severity and count
Automated decisions affect how findings are displayed and prioritized within the Service. They do not make decisions about your account access, pricing, or eligibility. You can override any automated suppression via your whitelist settings.
13. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data and account
- Portability: Export your scan results and security data
- Revocation: Revoke OAuth access at any time through your provider's settings
- Objection: Object to specific processing activities
- Opt-out: Disable automated monitoring, email alerts, or AI analysis in your settings
To exercise these rights, contact us at nicholas@inboxwatch.ai. We will respond within 30 days.
14. Children's Privacy
InboxWatch is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will promptly delete it.
15. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to the address associated with your account. The “Last updated” date at the top indicates the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.
16. Contact
Questions or concerns about this Privacy Policy?
InboxWatch — a product of Papa Corporation
Coconut Grove, Florida, United States
nicholas@inboxwatch.ai