Privacy Policy

Last updated: March 10, 2026

1. Introduction

This Privacy Policy explains how InboxWatch (“we,” “us,” or “our”) collects, uses, stores, and protects your information when you use InboxWatch (“the Service”). We are committed to safeguarding your privacy and being transparent about our data practices.

Core commitment: InboxWatch never reads, stores, or accesses the content of your emails or attachments.

2. Information We Collect

2.1 Account Information

When you sign in via OAuth, we receive:

  • Name and email address from your Google or Microsoft account
  • Profile photo URL (if available)
  • OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
  • Account type (personal or organizational) and tenant identifier

2.2 Email Metadata (Not Content)

During scans, we access metadata only:

  • Mailbox settings: Forwarding rules, filters, delegates, send-as aliases, auto-reply configurations
  • Email headers: From, To, Reply-To, Date, Subject line, Message-ID, authentication results (SPF/DKIM/DMARC) — never the message body
  • Sign-in activity: Login timestamps, IP addresses, locations, device information, MFA status
  • OAuth app permissions: Third-party apps with access to your account, their permission scopes
  • Calendar events (if enterprise scopes granted): Event metadata for calendar-based threat detection
  • Drive/OneDrive sharing (if enterprise scopes granted): File sharing settings and external access

2.3 Scan Results and Security Data

  • Security findings with severity classifications, fingerprints, and remediation status
  • Security scores and grade history
  • Attack chain correlations between related findings
  • AI analysis results (false positive assessments, severity adjustments)
  • Whitelist/trusted sender rules you configure
  • Fix wizard progress and remediation history

2.4 Breach Monitoring Data

  • We check your email address against third-party breach databases
  • We store whether your credentials were found in known breaches, breach sources, and dates
  • We never receive, store, or have access to your actual passwords

2.5 Phishing Simulation Data

  • Simulation campaign configurations and templates
  • Click tracking, credential submission tracking, and report rates
  • Security awareness scores per recipient

2.6 Usage and Technical Data

  • Pages visited, features used, and interaction patterns within the Service
  • Browser type, operating system, and device information
  • IP address and approximate location
  • Error logs and performance metrics

3. OAuth Permissions Requested

We request only metadata-level permissions. Here are the specific scopes:

Google (Gmail / Google Workspace)

  • openid, email, profile — Sign-in and identification
  • gmail.settings.basic — Mailbox settings, forwarding rules, filters
  • gmail.metadata — Email headers only (no body access)
  • calendar.events.readonly — Calendar event scanning (enterprise, incremental consent)
  • drive.metadata.readonly — File sharing audit (enterprise, incremental consent)

Microsoft (Microsoft 365 / Outlook)

  • openid, email, offline_access — Sign-in and token refresh
  • User.Read — Profile information
  • MailboxSettings.Read — Forwarding rules and mailbox configuration
  • Mail.ReadBasic — Email headers only (no body or attachment access)
  • AuditLog.Read.All — Sign-in activity (organizational accounts, separate consent)
  • UserAuthenticationMethod.Read — MFA status (organizational accounts, separate consent)
  • Application.Read.All — OAuth app inventory (organizational accounts, separate consent)
  • Device.Read.All — Device activity analysis (organizational accounts, separate consent)

Enterprise scopes are requested through incremental consent — you are prompted separately and can decline without affecting core scanning functionality.

4. How We Use Your Information

  • Security scanning: Analyze mailbox configuration and metadata to identify vulnerabilities
  • Threat detection: Correlate findings into attack chain patterns
  • AI analysis: Assess finding accuracy and reduce false positives using automated analysis
  • Alerts: Send email and real-time notifications for new critical findings
  • Remediation: Provide fix guides and execute auto-fixes you authorize
  • Breach monitoring: Check credentials against third-party breach databases
  • Service improvement: Improve detection accuracy and reduce false positive rates
  • Customer support: Respond to your inquiries and resolve issues

5. What We Never Do

  • Never read the body or content of your emails
  • Never access or store email attachments
  • Never sell, rent, or trade your data to third parties
  • Never use your data for advertising or marketing profiling
  • Never use your data to train AI/ML models (AI analysis is per-finding, results are not fed back into training)
  • Never access your passwords (we use OAuth — your password is never transmitted to us)

6. Data Sharing and Third-Party Services

We do not sell your data. We share data only with the following service providers, strictly for operating the Service:

Provider             Purpose                                                        Data Shared
Google OAuth         Authentication                                                 OAuth tokens
Microsoft OAuth      Authentication                                                 OAuth tokens
Stripe               Payment processing                                             Email, usage metrics
Vercel               Hosting (US)                                                   Application data in transit
PostgreSQL (Neon)    Database (US)                                                  All persistent data, encrypted
Upstash              Rate limiting enforcement (optional, falls back to in-memory)  Email hash, request counts
Pusher               Real-time notifications                                        User channel IDs, alert types
Resend               Transactional email                                            Email address, alert content
Breach databases     Credential monitoring                                          Email address
Threat intel APIs    URL/domain reputation                                          URLs, domains, IP addresses

Legal disclosure: We may disclose information if required by law (court order, subpoena, government request). We will notify you unless prohibited by law.

7. Data Security

We implement the following security measures:

  • Encryption in transit: All data transmitted via TLS 1.2+
  • Encryption at rest: OAuth tokens encrypted with AES-256-GCM using authenticated encryption
  • CSRF protection: __Host- prefixed cookie with constant-time comparison
  • Content Security Policy: Per-request nonce-based CSP headers (no unsafe-inline)
  • Security headers: HSTS, X-Frame-Options (DENY), X-Content-Type-Options
  • Parameterized queries: All database queries via Prisma ORM (no raw SQL)
  • Rate limiting: Sliding window rate limiting on all endpoints
  • Audit logging: All security-relevant actions logged with timestamps and actor identification

8. Data Storage and Location

All data is stored in PostgreSQL databases hosted in the United States (Neon, via Vercel). Application hosting is provided by Vercel (US regions). Redis caching is provided by Upstash (US region).

We do not transfer personal data outside the United States except as described in the third-party services table above. If you are located outside the US, you consent to the transfer of your data to the US by using the Service.

9. Data Retention

Data Type                     Retention Period
Scan results and findings     14 days (minimum 10 most recent scans kept per user)
AI analysis records           14 days (orphaned records)
Audit logs                    90 days
Account information           Until account deletion
OAuth tokens                  Until access revoked or account deleted
Phishing simulation results   Until campaign deleted or account deleted

You can request immediate deletion of all your data at any time through your account settings or by contacting us at nicholas@inboxwatch.ai.

10. Cookies and Local Storage

We use the following cookies:

  • Session cookie (NextAuth): JWT-based authentication session, 48-hour lifetime. Strictly necessary for the Service to function.
  • CSRF cookie (__Host-csrf-token): Security token for cross-site request forgery protection. Strictly necessary.

We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use any third-party tracking scripts.

11. Automated Decision-Making

InboxWatch uses automated processing to:

  • Severity scoring: Findings are automatically assigned severity levels (critical, high, medium, low, info) based on detection rules
  • AI analysis: Automated AI analysis reviews findings to assess false positive likelihood. If a finding type exceeds an 80% false positive rate across 10+ analyses, it may be auto-suppressed
  • Security scoring: Your overall security score is computed algorithmically from finding severity and count

Automated decisions affect how findings are displayed and prioritized within the Service. They do not make decisions about your account access, pricing, or eligibility. You can override any automated suppression via your whitelist settings.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data and account
  • Portability: Export your scan results and security data
  • Revocation: Revoke OAuth access at any time through your provider's settings
  • Objection: Object to specific processing activities
  • Opt-out: Disable automated monitoring, email alerts, or AI analysis in your settings

To exercise these rights, contact us at nicholas@inboxwatch.ai. We will respond within 30 days.

13. Children's Privacy

InboxWatch is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to the address associated with your account. The “Last updated” date at the top indicates the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.

15. Contact

Questions or concerns about this Privacy Policy?