Data Safety
Last Updated: January 10, 2025
Our Commitment to Your Security
At Inbox Copilot, we understand that your email contains sensitive and personal information. This page explains exactly how we protect your data and earn your trust.
What We Access (And Why We Need It)
We're Transparent About Data Access
To provide AI-powered email categorization and summarization, we need to read your email content. We believe in being completely honest about this.
What we access:
- ✓ Email subject lines and body content
- ✓ Sender and recipient information
- ✓ Timestamps and metadata
- ✓ Attachment names (not attachment content)
Why we need this access:
- To determine if an email is urgent, routine, or low priority
- To generate 1-2 sentence summaries of each email
- To understand context for proper categorization
- To draft suggested responses (planned feature)
We cannot provide the Service without reading email content. However, we've built extensive safeguards to protect sensitive information.
How We Protect Sensitive Data
Automatic Sensitive Data Filtering
Before any email is processed by our AI, our system automatically detects and filters out:
1. Authentication Credentials
- ✓ Passwords (e.g., "your password is: xyz123")
- ✓ Password reset links
- ✓ Two-factor authentication codes
- ✓ Security questions and answers
2. Financial Information
- ✓ Credit card numbers (all major card types)
- ✓ Bank account numbers and routing numbers
- ✓ Social security numbers
- ✓ Tax ID numbers (EIN, ITIN)
- ✓ Cryptocurrency wallet addresses
3. API Keys and Tokens
- ✓ API keys and secret keys
- ✓ OAuth tokens and access codes
- ✓ Private encryption keys
- ✓ Authentication tokens
4. Personal Identifiers
- ✓ Passport numbers
- ✓ Driver's license numbers
- ✓ National ID numbers
- ✓ Medical record numbers
- ✓ Insurance policy numbers
How it works:
Our filtering system uses:
- Advanced pattern matching (regex-based)
- Machine learning classifiers trained on sensitive data patterns
- Real-time redaction before AI processing
Security Infrastructure
1. Encryption
Data in Transit:
- TLS 1.3 encryption for all network communications
- Certificate pinning to prevent man-in-the-middle attacks
Data at Rest:
- AES-256 encryption for all stored data
- Encrypted database backups
- Secure key management system
Authentication:
- OAuth 2.0 (we never see or store your Google password)
- Encrypted token storage
- Automatic token rotation
2. Access Controls
No Human Access:
- Only automated AI systems process your emails
- No employees can read your email content
- All system access is logged and audited
Data Isolation:
- Your data is completely isolated from other users
- Separate database partitions per user
- No cross-user data access
3. Infrastructure Security
Cloud Security:
- Hosted on enterprise-grade infrastructure (Vercel, Supabase/Neon)
- SOC 2 Type II certified providers
- Regular security audits and penetration testing
Network Security:
- Firewalls and intrusion detection systems
- DDoS protection
- Regular vulnerability scanning
Data Retention and Deletion
Temporary Storage
Email Content:
- Stored for maximum 30 days
- Automatically and permanently deleted after 30 days
- Used only for categorization and summarization
Permanent Deletion
When you disconnect:
- All email content deleted immediately
- All categorization data deleted within 24 hours
- OAuth tokens revoked
When you cancel:
- All data permanently deleted within 24 hours
- Backups purged within 30 days
- No data retention after cancellation
Your Control and Transparency
You Are Always in Control
Revoke Access Anytime:
- Go to your Google Account settings
- Navigate to "Apps with access to your account"
- Find "Inbox Copilot" and click "Remove Access"
- Access is immediately revoked
Delete Your Data:
- From account settings: One-click data deletion
- Via email: Contact info@aiforthebiz.com
- Via Google: Revoke access (triggers automatic deletion)
Google's Oversight
- We use Google's official Gmail API
- Google monitors all API access for abuse
- Google can revoke our API access if we violate policies
- You can see our permissions in your Google Account
What We DON'T Do
We want to be crystal clear about what we don't do with your data:
- ❌ We don't sell your data - Ever. To anyone.
- ❌ We don't share emails with third parties - Except AI processing (OpenAI API) with no permanent storage
- ❌ We don't use your emails to train public AI models - Your data stays private
- ❌ We don't store emails permanently - 30-day maximum, then deleted
- ❌ We don't allow human access - No employees read your emails
- ❌ We don't use data for advertising - No ads, no tracking, no profiling
Breach Notification
In the unlikely event of a security breach:
We will:
- Notify you within 72 hours of discovery
- Explain what happened and what data was affected
- Detail the steps we're taking to resolve the issue
- Provide guidance on protecting your account
- Notify relevant authorities as required by law
You can:
- Immediately revoke access via Google Account settings
- Request detailed information about the breach
- Request immediate data deletion
Our Promise: We built Inbox Copilot because we believe AI can make email less overwhelming. But we also believe that convenience should never come at the cost of your privacy and security. Your trust is our most valuable asset.
Questions and Transparency
We believe in open communication about security.
Have questions?
- Email: info@aiforthebiz.com
- We respond to security questions within 24 hours
Report a vulnerability?
- Email: info@aiforthebiz.com
- We take all reports seriously
- Responsible disclosure program