Privacy Policy
Version 1.1 — Effective June 2026
1. Who we are
Inboxed is operated as a sole trader registered in the Netherlands.
Inboxed
The Netherlands
KVK: [number after registration]
privacy@in-boxed.com
A Data Protection Officer has not been appointed, as this is not required for organisations of this size under Article 37 GDPR.
2. How Inboxed works
Inboxed does not send unsubscribe requests directly on your behalf. It instructs Gmail to use its native List-Unsubscribe functionality — the same mechanism Gmail itself uses when you click "Unsubscribe" in the Gmail interface. Inboxed is a pass-through layer that automates what you could do manually in Gmail, nothing more.
3. What data we process
We process the minimum data necessary to deliver the service (Article 5(1)(c) GDPR).
| Data | Purpose | Legal basis |
|---|---|---|
| Gmail OAuth token | Grants temporary access to read email headers. Used during your session only. | Art. 6(1)(b) — contract performance |
| Email metadata (sender, List-Unsubscribe header) | To identify newsletters and trigger opt-out requests via Gmail. | Art. 6(1)(b) — contract performance |
| Session cookie | Maintains your authenticated state during your visit. | Art. 6(1)(b) — contract performance |
| Payment confirmation via Stripe | To verify payment and unlock the service. We never see card details. | Art. 6(1)(b) — contract performance |
We never access the content of your emails. We request only the metadata format from the Gmail API, which technically excludes email bodies, subject lines, and attachments.
4. Retention
All data is held in server memory during your active session only. When your session ends — by closing the browser, after 1 hour of inactivity, or on logout — all data is permanently deleted. We operate no database and keep no logs containing personal data. Your Gmail authorisation token is revoked via the Google token revocation API when your session ends.
5. Google OAuth and Gmail API
We use Google OAuth 2.0 with the gmail.readonly scope. Our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements:
- Gmail data is used solely to provide the service you requested
- Gmail data is not used for advertising
- No human reads your Gmail data
- Gmail data is not shared with third parties beyond what is necessary to operate the service
6. Sub-processors
| Party | Purpose | Transfer basis |
|---|---|---|
| Google LLC | Gmail API — OAuth and header retrieval | Standard Contractual Clauses |
| Stripe Inc. | Payment processing | Standard Contractual Clauses |
| Vercel Inc. | Application hosting | Standard Contractual Clauses |
We do not sell data. We do not use advertisers or data brokers.
7. Your rights (Articles 15–22 GDPR)
You have the right to access, rectify, erase, restrict, and port your data, and to object to processing. Because we retain no data after your session ends, these rights are automatically fulfilled. To exercise them or ask questions, contact privacy@in-boxed.com. We respond within 30 days.
8. Supervisory authority
You may lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or the supervisory authority in your country of residence.
9. Cookies
One strictly necessary session cookie is set after authentication. It contains only a random session identifier, is HTTP-only and SameSite-restricted, and expires after 1 hour. No tracking or advertising cookies are used.