Privacy Policy

Last updated: January 5, 2026

Summary: We collect only what's necessary to provide our email service. We never sell your data, never use it for advertising, and you can delete everything at any time.

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and password (stored as a secure hash). If you use OAuth to sign in (Google, Microsoft), we receive your email and profile information from those providers.

Email Data

When you connect an email account, we sync email metadata (sender, subject, date, read status) to enable our unified inbox features. Email content is fetched on-demand when you view a message and is not stored permanently on our servers unless you enable AI features that require processing.

Usage Information

We collect basic usage analytics (pages visited, features used) to improve our service. This data is anonymized and aggregated. We do not track individual user behavior across the web.

Device & Security Information

We log IP addresses, browser type, and device information for security purposes (fraud prevention, suspicious login detection). This data is retained for 90 days.

2. How We Use Your Information

  • Provide our service: Sync and display your emails, enable search, AI classification, and automation features.
  • Security: Protect your account from unauthorized access, detect fraud, and maintain service integrity.
  • Communication: Send service-related emails (password resets, security alerts, important updates).
  • Improve our service: Analyze aggregated, anonymized usage patterns to enhance features and fix issues.

We DO NOT: Sell your data to third parties, use your emails for advertising, share your data with data brokers, or mine your emails for marketing purposes.

3. Data Sharing

We share your data only in these limited circumstances:

  • Service providers: AWS (infrastructure), email providers (Gmail, Microsoft) via OAuth. These providers are bound by strict data processing agreements.
  • Legal requirements: When required by law, court order, or to protect safety and rights.
  • Business transfers: If InflowMail is acquired, your data would transfer to the new owner under the same privacy protections.

4. Data Security

We implement industry-leading security measures:

  • Encryption at rest: All data encrypted with AES-256-GCM. Each organization has unique encryption keys.
  • Encryption in transit: TLS 1.3 for all connections.
  • OAuth tokens: Encrypted per-account, never stored in plain text.
  • Access controls: Role-based access, multi-factor authentication, session management.
  • Infrastructure: SOC 2 compliant AWS data centers with strict physical and logical access controls.

For more details, see our Security Documentation.

5. Data Retention

  • Email metadata: Retained while your account is active. Deleted within 30 days of account deletion.
  • Security logs: Retained for 90 days for fraud detection and security analysis.
  • Audit logs: Retained for 1 year for compliance purposes.
  • Backups: Encrypted backups retained for 30 days, then permanently deleted.

6. Your Rights (GDPR & CCPA)

You have the following rights regarding your data:

Right to Access

Request a copy of all data we hold about you.

Right to Rectification

Correct inaccurate personal information.

Right to Erasure

Delete your account and all associated data.

Right to Portability

Export your data in a machine-readable format.

Right to Restrict

Limit how we process your data.

Right to Object

Object to certain processing activities.

To exercise these rights, go to Account Settings > Data Protection or email [email protected].

7. Cookies

We use minimal cookies:

  • Essential cookies: Required for authentication and security. Cannot be disabled.
  • Preference cookies: Remember your settings (theme, language). Optional.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. International Transfers

Our servers are located in the United States (AWS us-east-2). If you are located outside the US, your data will be transferred to the US. We ensure appropriate safeguards through AWS's compliance with the EU-US Data Privacy Framework and Standard Contractual Clauses.

9. Children's Privacy

InflowMail is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

10. Changes to This Policy

We may update this policy periodically. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Continued use after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions or to exercise your data rights: