Privacy Policy for InboxAgenda

Name: InboxAgenda
Author: InboxAgenda

Last Updated: March 11, 2026

Thank you for visiting InboxAgenda ("we," "us," or "our"). This Privacy Policy outlines how we collect, use, and protect your personal and non-personal information when you use our website located at https://www.inboxagenda.com (the "Website").

By accessing or using the Website, you agree to the terms of this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Website.

1. Information We Collect

1.1 Personal Data

We collect the following personal information from you:

Name: We collect your name to personalize your experience and communicate with you effectively.
Email Address: We collect your email address to manage your account, send weekly summary emails, and communicate service-related information. We do not use your email address for marketing or sell it to third parties.
Email Content: When you grant Gmail access, we read emails matching your configured school email filters to extract calendar event information. Email metadata (sender, subject) and body content are temporarily stored for processing purposes and automatically deleted after 30 days (see Section 4.2).
Calendar Data: We access your Google Calendar to create and manage events on your behalf.
Google OAuth Tokens: We store OAuth 2.0 tokens to maintain access to your Google account services (Gmail and Calendar) on your behalf.

1.2 Non-Personal Data

We may use web cookies and similar technologies to collect non-personal information such as your IP address, browser type, device information, and browsing patterns. This information helps us to enhance your browsing experience, analyze trends, and improve our services.

2. Purpose of Data Collection

We collect and use your personal data for the purpose of providing our email-to-calendar service. This includes reading emails from your configured school email senders via Gmail API, extracting event information using AI processing, syncing events to your Google Calendar, sending weekly summary emails, and providing customer support.

3. Data Sharing

We do not share your personal data with any third parties except as required for service operation:
- Google Calendar API: to create and manage calendar events on your behalf.
- Google Gmail API: to read emails matching your configured filters.
- AI processing service (Anthropic Claude): to extract event details from email content. Only the relevant email text is sent for processing; no personal identifiers are included.
- Email delivery service (Mailgun): to send weekly summary emails and service notifications to your email address.

We do not sell, trade, or rent your personal information to others.

4. Google User Data

4.1 Use of Google User Data

InboxAgenda accesses Google user data exclusively for the following purposes:
- Gmail: To read emails matching your configured school email filters and extract calendar event information.
- Google Calendar: To create, update, and manage calendar events derived from your emails.
- Gmail Labels and Filters: To organize processed emails in your Gmail account.

InboxAgenda's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements (https://developers.google.com/terms/api-services-user-data-policy).

4.2 Retention of Google User Data

We apply the following data retention policies:

- Email Processing Logs: Email metadata and content retrieved from Gmail (sender, subject, body) are stored temporarily for event extraction and troubleshooting. These logs are automatically deleted after 30 days via an automated cleanup process.
- Extracted Event Data: Calendar events extracted from your emails (title, date, time, location, description) are stored for up to 12 months from the event date to display your agenda and send weekly summaries. Events older than 12 months are automatically deleted.
- OAuth Tokens: Your Google OAuth 2.0 tokens are stored for as long as your account is active to maintain service functionality. Tokens are deleted when you disconnect your Google account or delete your InboxAgenda account.
- Gmail Filter and Label IDs: Stored to manage your email filters. Deleted when you remove a school email filter or delete your account.

4.3 Deletion of Google User Data

You can delete your Google user data at any time:
- Disconnect Gmail: Go to Settings and remove your school email filter. This deletes the Gmail filter, label reference, and associated data from our system.
- Revoke Access: You can revoke InboxAgenda's access to your Google account at any time via your Google Account permissions page (https://myaccount.google.com/permissions). Upon revocation, we will no longer be able to access your Google data.
- Account Deletion: Contact us at support@inboxagenda.com to request full account deletion. We will delete all your data, including OAuth tokens, email logs, extracted events, and any stored preferences, within 30 days of your request.
- Automatic Deletion: Even without manual action, email processing logs are automatically purged after 30 days and extracted events are automatically purged after 12 months.

5. Data Protection Mechanisms

We implement the following measures to protect your personal and sensitive data:

- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
- Encryption at Rest: All data stored in our database is protected by AES-256 encryption at rest, provided by our database hosting provider (MongoDB Atlas).
- Access Control: Access to production databases and infrastructure is restricted to authorized personnel only.
- Secure Infrastructure: Our application is hosted on Vercel with automatic security updates. Our database is hosted on MongoDB Atlas with network isolation and automated backups.
- Automated Data Cleanup: We run automated processes to enforce our retention policies, deleting email processing logs after 30 days and event data after 12 months.
- Token Security: Google OAuth tokens are stored securely and are only used to obtain short-lived access tokens for API calls. Tokens are deleted when you disconnect your account.

6. Children's Privacy

InboxAgenda is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at the email address provided below.

7. Updates to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any updates will be posted on this page, and we may notify you via email about significant changes.

8. Contact Information

If you have any questions, concerns, or requests related to this Privacy Policy or to request data deletion, you can contact us at:

Email: support@inboxagenda.com

For all other inquiries, please visit our Contact Us page on the Website.

By using InboxAgenda, you consent to the terms of this Privacy Policy.