Privacy Policy
Version 1.1 — Effective June 2026
This policy is provided in English only. The English version is the legally binding version. In case of any discrepancy between this document and any translation, this English version prevails.
1. Who we are
Inboxed is operated as a sole trader registered in the Netherlands.
Bon Digital (trading as Inboxed)
The Netherlands
KVK: 42079017
privacy@in-boxed.com
A Data Protection Officer has not been appointed, as this is not required for organisations of this size under Article 37 GDPR.
2. How Inboxed works
Inboxed does not send unsubscribe requests directly on your behalf. It instructs Gmail to use its native List-Unsubscribe functionality — the same mechanism Gmail itself uses when you click "Unsubscribe" in the Gmail interface. Inboxed is a pass-through layer that automates what you could do manually in Gmail, nothing more.
3. What data we process
We process the minimum data necessary to deliver the service (Article 5(1)(c) GDPR).
| Data | Purpose | Legal basis |
|---|---|---|
| Gmail OAuth token | Grants temporary access to read email headers. Used during your session only. | Art. 6(1)(b) — contract performance |
| Email metadata (sender, List-Unsubscribe header) | To identify newsletters and trigger opt-out requests via Gmail. | Art. 6(1)(b) — contract performance |
| Session cookie | Maintains your authenticated state during your visit. | Art. 6(1)(b) — contract performance |
| Payment confirmation via Stripe | To verify payment and unlock the service. We never see card details. | Art. 6(1)(b) — contract performance |
We never access the content of your emails. We request only the metadata format from the Gmail API, which technically excludes email bodies, subject lines, and attachments.
4. Retention
Your Gmail data is processed entirely within your own browser and is never transmitted to, stored on, or logged by our servers. The scan reads email headers locally on your device and keeps the results in your browser tab only. When you close the tab the data is gone; the short-lived Gmail access token (valid for about one hour, with no refresh token) also lives only in your browser. We operate no database and keep no logs containing personal data, and you can revoke access at any time from your Google Account permissions page.
5. Google OAuth and Gmail API
We use Google OAuth 2.0 with the gmail.readonly scope. The Gmail API is called directly from your browser to Google; restricted-scope data never passes through our servers. Our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements:
- Gmail data is used solely to provide the service you requested
- Gmail data is not used for advertising
- No human reads your Gmail data
- Gmail data is not shared with third parties beyond what is necessary to operate the service
6. Sub-processors
| Party | Purpose | Transfer basis |
|---|---|---|
| Google LLC | Gmail API — OAuth and header retrieval | Standard Contractual Clauses |
| Stripe Inc. | Payment processing | Standard Contractual Clauses |
| Vercel Inc. | Application hosting | Standard Contractual Clauses |
We do not sell data. We do not use advertisers or data brokers.
7. Your rights (Articles 15–22 GDPR)
You have the right to access, rectify, erase, restrict, and port your data, and to object to processing. Because we retain no data after your session ends, these rights are automatically fulfilled. To exercise them or ask questions, contact privacy@in-boxed.com. We respond within 30 days.
8. Supervisory authority
You may lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or the supervisory authority in your country of residence.
9. Cookies
One strictly necessary session cookie is set after authentication. It contains only a random session identifier, is HTTP-only and SameSite-restricted, and expires after 1 hour. No tracking or advertising cookies are used.
10. Third-party trademarks
Gmail is a trademark of Google LLC. Apple and Apple Mail are trademarks of Apple Inc. Inboxed is not affiliated with, endorsed by, or sponsored by Google LLC or Apple Inc. Use of these names is solely for descriptive purposes to indicate compatibility.
11. Not legal advice
References to GDPR, CAN-SPAM, or other laws on this website are for informational purposes only and do not constitute legal advice. Results depend on sender compliance. If you have legal questions, consult a qualified attorney.