Privacy Policy

Last updated: June 2026

1. Overview

HealthInbox ("we", "our", "the extension") is designed from the ground up to respect your privacy. The core principle is simple: your email data never leaves your device. All classification, analysis, and storage happens locally in your browser.

2. Data We Do Not Collect

We never collect, transmit, or store any of the following:

  • Email content (bodies, attachments)
  • Email metadata (subjects, sender addresses, timestamps)
  • Gmail access tokens or refresh tokens
  • Your Google account credentials
  • Any AI classification results
  • Your browsing history or activity

3. Data We Do Collect

The only personal data we handle is your email address, provided voluntarily when you purchase a Pro license or activate one. This is used exclusively to:

  • Validate your license against our Stripe customer records
  • Allow you to access the Stripe customer portal to manage your subscription

This email address is stored securely by Stripe (our payment processor) and in our license database. We do not use it for marketing without your explicit consent.

4. Gmail API Access

HealthInbox uses the official Gmail REST API with the gmail.readonly scope. This scope allows the extension to read email headers (From, Subject, Date, List-Unsubscribe) but never email bodies. Access tokens are stored in browser memory only and are never persisted to disk or transmitted to any server other than Google's own OAuth endpoints.

Our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Local Storage

Classification results, scan progress, and user preferences are stored locally using chrome.storage.local. This data never leaves your device. You can delete all local data at any time from the Settings view inside the extension dashboard.

6. Third-Party Services

We use the following third-party services, none of which receive email data:

  • Stripe — payment processing and subscription management. Subject to Stripe's Privacy Policy.
  • Supabase — license database (stores email address and license status only).
  • Vercel — hosts the license validation API endpoint.
  • Google Fonts — loads the Plus Jakarta Sans and Instrument Serif typefaces. Subject to Google's Privacy Policy.

7. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Object to or restrict processing
  • Data portability

To exercise any of these rights, contact us at privacy@healthinbox.app. We will respond within 30 days.

8. Children's Privacy

HealthInbox is not directed at children under 13. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes by updating the "Last updated" date above. Continued use of the extension after changes constitutes acceptance of the revised policy.

10. Contact

Questions about this policy? Email us at privacy@healthinbox.app.

© 2026 HealthInbox. All rights reserved.