Summary: We collect only what's necessary to provide our email service.
We never sell your data, never use it for advertising, and you can delete everything at any time.
1. Information We Collect
Account Information
When you create an account, we collect your email address, name, and password (stored securely hashed).
If you use OAuth to sign in (Google, Microsoft), we receive your email and profile information from those providers.
Email Data
When you connect an email account, we sync email metadata (sender, subject, date, read status) to enable
our unified inbox features. Email content is fetched on-demand when you view a message and is not stored
permanently on our servers unless you enable AI features that require processing.
Usage Information
We collect basic usage analytics (pages visited, features used) to improve our service.
This data is anonymized and aggregated. We do not track individual user behavior across the web.
Device & Security Information
We log IP addresses, browser type, and device information for security purposes (fraud prevention,
suspicious login detection). This data is retained for 90 days.
2. How We Use Your Information
Provide our service: Sync and display your emails, enable search, AI classification, and automation features.
Security: Protect your account from unauthorized access, detect fraud, and maintain service integrity.
Communication: Send service-related emails (password resets, security alerts, important updates).
Improve our service: Analyze aggregated, anonymized usage patterns to enhance features and fix issues.
We DO NOT: Sell your data to third parties, use your emails for advertising,
share your data with data brokers, or mine your emails for marketing purposes.
3. AI Data Processing
InflowMail uses AI to classify emails, generate summaries, suggest replies, and power automation features.
Here is how your data is handled in the context of AI processing:
Metadata only by default: AI classification operates on email metadata (sender, subject, date, recipient count) rather than full email body content. Full body content is only sent to AI when you explicitly use features that require it, such as generating a reply or requesting a summary.
No training on your data: Your emails and metadata are never used to train AI models. AI providers process your data solely to return a result and do not retain it for model improvement.
User control via Bring Your Own AI: You can choose your preferred AI provider (Anthropic, OpenAI, or Google Gemini) and optionally use your own API key. When using your own key, AI requests go directly to your chosen provider under your own API agreement.
Organization-level configuration: Organization administrators can configure AI settings for all members, including disabling AI features entirely.
Email rules are user-controlled: Classification rules you create run locally on our servers and do not involve AI processing. Your rules always take priority over AI classification.
Our commitment: We will never use your email content or metadata to train AI models,
and we will never sell AI-derived insights about your email to third parties.
4. Data Sharing & Third Parties
We share your data only in these limited circumstances:
Service providers: AWS (infrastructure), email providers (Gmail, Microsoft) via OAuth. These providers are bound by strict data processing agreements.
Legal requirements: When required by law, court order, or to protect safety and rights.
Business transfers: If InflowMail is acquired, your data would transfer to the new owner under the same privacy protections.
5. Data Security
We implement industry-leading security measures:
Encryption at rest: All data encrypted with AES-256-GCM. Each organization has unique encryption keys.
Encryption in transit: TLS 1.3 for all connections.
OAuth tokens: Encrypted per-account, never stored in plain text.
Email metadata: Retained while your account is active. Deleted within 30 days of account deletion.
Security logs: Retained for 90 days for fraud detection and security analysis.
Audit logs: Retained for 1 year for compliance purposes.
Backups: Encrypted backups retained for 30 days, then permanently deleted.
Expired tokens: OAuth tokens that are no longer valid are automatically deleted during routine maintenance. Disconnected account credentials are purged immediately.
7. Your Rights (GDPR & CCPA)
You have the following rights regarding your data:
Essential cookies: Required for authentication and security. Cannot be disabled.
Preference cookies: Remember your settings (theme, language). Optional.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. International Transfers
Our servers are located in the United States (AWS us-east-2). If you are located outside the US,
your data will be transferred to the US. We ensure appropriate safeguards through AWS's compliance
with EU-US Data Privacy Framework and Standard Contractual Clauses.
10. Children's Privacy
InflowMail is not intended for children under 13. We do not knowingly collect personal information
from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or
in-app notification at least 30 days before they take effect. Continued use after changes
constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or to exercise your data rights: