Inbox3inbox3Get Started Free

Data Security

Your email, protected at every step

Inbox3 is built on a simple principle: minimum access, maximum protection. Read-only. Encrypted. No email bodies stored. Ever.

Read-Only Access

We use the gmail.readonly OAuth scope. We literally cannot send, delete, or modify any email. Google enforces this at the API level.

No Email Bodies Stored

Email content is processed in memory during classification and immediately discarded. Only sender, subject, date, and AI summaries are kept.

AES-256 Encryption

OAuth tokens encrypted at rest via AWS KMS. Decrypted only at the moment of API calls. Even with database access, tokens are unusable.

No AI Training

We use Anthropic and OpenAI APIs with data processing agreements. Your email content is never used to train their models.

One-Click Deletion

Delete your account and all associated data instantly. Zero retention, zero backup. When it's gone, it's gone.

No Third-Party Sharing

Your data is never sold, shared with advertisers, or provided to data brokers. It exists solely to generate your personal digest.

Data Pipeline

What happens to your email

Click each step to see exactly what data goes in and out.

Gmail API

IN MEMORY

Read-only access via OAuth. Email headers and snippets fetched.

Pre-Filter

STORED

Rule-based removal of newsletters, automated senders, blocked domains.

AI Classification

IN MEMORY

Claude AI reads email content in memory, determines if action is required.

Personalized Scoring

IN MEMORY

Combines reply rate, sender importance, urgency, content similarity, engagement signals.

Your Digest

STORED

Top items selected. AI summaries and scores stored. Email content discarded.

Stored (encrypted)
In memory only (discarded)

Transparency

What we store vs. what we don't

Stored (encrypted)

  • Sender email address & name
  • Email subject line
  • Short snippet (~100 chars)
  • Date & time received
  • AI-generated action summary
  • Urgency classification & score
  • Your actions (done, snoozed, etc.)
  • Sender profiles & importance
  • OAuth tokens (AES-256)

Never stored

  • Full email body text
  • Email attachments
  • Images or embedded content
  • Email thread history
  • Contacts or address book
  • Calendar, Drive, or other Google data
  • Passwords (only bcrypt hash)
  • Browsing or tracking data
  • Data sold to third parties

Infrastructure

Technical details

Token EncryptionAES-256-GCM via AWS KMS
TransportTLS 1.3 everywhere
DatabasePostgreSQL with encryption at rest
Passwordsbcrypt + SHA-256 pre-hash
Email ProcessingIn-memory only — never written to disk
AI ProvidersAnthropic & OpenAI (DPAs in place)
HostingAWS (ap-south-1)
MonitoringSentry (no PII in error reports)

Your Data Rights

You're in control

Delete Everything

One-click account deletion permanently removes all data. Zero retention.

Disconnect Anytime

Revoke Gmail access instantly. Also revocable from your Google security settings.

Export Your Data

Request a full export of your data in JSON format anytime.

No AI Training

Data processing agreements with all AI providers. Your data trains nothing.

Responsible Disclosure

Found a vulnerability? Report it to security@inbox3.app. We respond within 24 hours and will not take legal action against responsible reporters.

Privacy PolicyTerms of ServiceSecurity Overview

Ready to take back your morning?

Connect your Gmail in 60 seconds. See your first AI-curated digest tomorrow morning.

Get Started FreeSee All Comparisons