Security & Trust
Your email data, protected
Inbox3 is built on a simple principle: we should have the minimum access needed to generate your digest, and nothing more.
Read-only access
Inbox3 uses the gmail.readonly OAuth scope. We literally cannot send, delete, modify, or move any email in your inbox. We can only read metadata and content for processing.
No email body storage
Email content is processed in memory during digest generation and immediately discarded. We never persist the full text of your emails to disk or database. Only metadata (sender, subject, date) and AI-generated summaries are stored.
AES-256 encryption
OAuth tokens are encrypted at rest using AES-256-GCM via AWS KMS. Encryption keys are managed by AWS and never exposed to application code. Tokens are decrypted only at the moment of Gmail API calls.
One-click data deletion
Delete your account from Settings at any time. This permanently removes your account, OAuth connections, digests, sender profiles, and all associated data. Zero retention, no questions asked.
No third-party data sharing
We never sell, share, or provide your email data to advertisers, data brokers, or any third party. Your data is used exclusively to generate your personal digest.
No AI training on your data
We use Anthropic Claude and OpenAI APIs for email classification and draft generation. Your email content is processed via their APIs but is not used to train their models. We use data processing agreements with all AI providers.
Infrastructure
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to security@inbox3.app. We take every report seriously and will respond within 24 hours.