Data Security

Your email, protected at every step

Inbox3 is built on a simple principle: minimum access, maximum protection. Read-only. Encrypted. No email bodies stored. Ever.

Read-Only Access

We use the gmail.readonly OAuth scope. We literally cannot send, delete, or modify any email. Google enforces this at the API level.

No Email Bodies Stored

Email content is processed in memory during classification and immediately discarded. Only sender, subject, date, and AI summaries are kept.

AES-256 Encryption

OAuth tokens encrypted at rest via AWS KMS. Decrypted only at the moment of API calls. Even with database access, tokens are unusable.

No AI Training

We use Anthropic and OpenAI APIs with data processing agreements. Your email content is never used to train their models.

One-Click Deletion

Delete your account and all associated data instantly. Zero retention, zero backup. When it's gone, it's gone.

No Third-Party Sharing

Your data is never sold, shared with advertisers, or provided to data brokers. It exists solely to generate your personal digest.

Data Pipeline

What happens to your email

Click each step to see exactly what data goes in and out.

Gmail API

IN MEMORY

Read-only access via OAuth. Email headers and snippets fetched.

Pre-Filter

STORED

Rule-based removal of newsletters, automated senders, blocked domains.

AI Classification

IN MEMORY

Claude AI reads email content in memory, determines if action is required.

Personalized Scoring

IN MEMORY

Combines reply rate, sender importance, urgency, content similarity, engagement signals.

Your Digest

STORED

Top items selected. AI summaries and scores stored. Email content discarded.

Stored (encrypted)

In memory only (discarded)

Transparency

What we store vs. what we don't

Stored (encrypted)

Sender email address & name
Email subject line
Short snippet (~100 chars)
Date & time received
AI-generated action summary
Urgency classification & score
Your actions (done, snoozed, etc.)
Sender profiles & importance

Infrastructure

Technical details

Token EncryptionAES-256-GCM via AWS KMS

TransportTLS 1.3 everywhere

DatabasePostgreSQL with encryption at rest

Passwordsbcrypt + SHA-256 pre-hash

Email ProcessingIn-memory only — never written to disk

AI ProvidersAnthropic & OpenAI (DPAs in place)

HostingAWS (ap-south-1)

MonitoringSentry (no PII in error reports)

Your Data Rights

You're in control

Delete Everything

One-click account deletion permanently removes all data. Zero retention.

Disconnect Anytime

Revoke Gmail access instantly. Also revocable from your Google security settings.

Export Your Data

Request a full export of your data in JSON format anytime.

No AI Training

Data processing agreements with all AI providers. Your data trains nothing.

Responsible Disclosure

Found a vulnerability? Report it to security@inbox3.app. We respond within 24 hours and will not take legal action against responsible reporters.

Your email, protected at every step

Read-Only Access

No Email Bodies Stored

AES-256 Encryption

No AI Training

One-Click Deletion

No Third-Party Sharing

What happens to your email

Gmail API

Pre-Filter

AI Classification

Personalized Scoring

Your Digest

What we store vs. what we don't

Technical details

You're in control

Delete Everything

Disconnect Anytime

Export Your Data

No AI Training

Responsible Disclosure

Ready to take back your morning?