Privacy Policy

Last updated: 2026-01-27

1. Service Description

SentboxHQ operates as a user-controlled productivity and notification service. It helps users identify email conversations that may require a follow-up.

The service does not autonomously initiate, schedule, or send emails. Any email sent through the service is explicitly triggered by the user and delivered using the user’s connected email account.

The service is not intended for marketing, bulk messaging, automated outreach, or campaign-based communication. It does not send unsolicited or promotional emails.

In short: We surface missed conversations — the user decides what to send.

2. Email Providers & Connection Methods

Users may connect their mailbox using one of the following methods:

• Google Gmail via Google OAuth (Gmail API)
• Microsoft Outlook via Microsoft OAuth (Microsoft Graph API)
• Custom or self-hosted email providers via IMAP (fetching) and SMTP (sending)

Regardless of the connection method, the service follows the same data minimization principles.

3. Data We Access

When connected via Google Gmail OAuth or Microsoft Outlook OAuth, the service accesses email metadata only using the providers’ official APIs.

When connected via a custom provider using IMAP/SMTP, the service retrieves the same category of metadata from email headers.

The metadata accessed may include:

• Sender and recipient email addresses
• Email subject lines
• Message and thread identifiers
• Sent and received timestamps
• Reply-related headers such as In-Reply-To and References

Email body content is not accessed, retrieved, stored, or analyzed for any connection method.

In short: Headers and metadata only — never email content.

4. How We Use Email Data

Email metadata is processed solely to:

• Detect unanswered or stalled email conversations
• Associate replies with previously sent messages
• Display follow-up indicators to the user

The service does not use email data for advertising, behavioral profiling, tracking, or analytics unrelated to follow-ups.

In short: One purpose only: follow-up awareness.

5. What We Do Not Do

The service does not:

• Read, store, or process email bodies
• Modify or delete emails
• Send emails without explicit user action
• Send bulk, promotional, or unsolicited emails
• Sell, rent, or trade email data
• Share email data with advertisers or data brokers
• Use email data to train AI or machine-learning models

In short: No selling, no scraping, no automation abuse.

6. Data Sharing & Disclosure

Email data is not shared, transferred, or disclosed to third parties except where strictly necessary to operate the service.

This includes infrastructure providers (such as hosting and database providers) acting solely as data processors under contractual obligations.

No email data is shared with advertisers, analytics providers unrelated to the service, or other external parties.

In short: Data stays within the service — no third-party reuse.

7. Data Storage & Retention

The service stores only the minimum metadata required to function. Stored data is limited to email headers and system identifiers.

Data is retained only while the user maintains an active account or connected inbox.

When an account is deleted or permissions are revoked, stored data is deleted within a reasonable timeframe.

In short: Disconnect or delete — data is removed.

8. User Control & Consent

Users may connect or disconnect email accounts at any time, revoke OAuth permissions via their email provider, or delete their account entirely.

Revoking access immediately stops further data access and initiates deletion of stored metadata.

In short: Full control always stays with the user.

9. Security & Data Protection

The service applies industry-standard technical and organizational security measures to protect email metadata.

Access is restricted, data is encrypted where applicable, and exposure is minimized by design.

In short: Sensitive data is protected by design, not by promise.

10. Legal Basis

Personal data is processed lawfully, fairly, and transparently.

For users subject to GDPR or similar regulations, processing is based on explicit user consent and the legitimate interest of providing the requested service.

11. Contact

For privacy questions or data requests, contact: info@sentboxhq.com