Privacy Policy

    Effective Date: September 25, 2025
    Last Updated: July 8, 2026

    1. Introduction

    Welcome to Qbox AI, operated by Qbox Intelligence, Inc. ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email management and AI assistance service ("Service").

    By using Qbox, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Service.

    2. Information We Collect

    Account Information

    • Email address (used for authentication and account identification)
    • Name and profile information from your Google or Microsoft account
    • Account creation and last login timestamps

    Email Data

    • Email content, including message bodies and headers
    • Email metadata (sender, recipients, timestamps, subject lines)
    • Attachments (temporarily stored for processing)
    • Email threads and conversation history
    • Contact information from your emails

    Calendar Data

    • Calendar availability and free/busy status
    • Calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times
    • Meeting content — including agendas, notes, and transcripts — used to power meeting-preparation and follow-up features
    • Working hours and timezone preferences
    • Calendar permissions granted (read and write access)
    • Meeting invitation links and scheduling preferences
    • Calendar sync state and last sync timestamps

    We store calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times — to power scheduling, meeting-preparation, and follow-up features. Calendar data is encrypted in transit and at rest, and is deleted within 30 days after you disconnect your calendar account, or when you delete your Qbox account.

    Authentication Data

    • OAuth tokens for your connected email provider (Google/Gmail or Microsoft/Outlook) and calendar access (encrypted and securely stored)
    • Calendar API refresh tokens
    • Refresh tokens for maintaining API access
    • Session information for login state

    Usage Analytics

    • Feature usage patterns (e.g., emails sent, AI responses generated)
    • Response times and interaction metrics
    • Error logs and performance data
    • Session duration and activity patterns

    AI Training Data

    • Edits you make to AI-generated drafts
    • Writing patterns and style preferences
    • Email categorization and priority settings
    • Custom templates and automation rules

    LinkedIn Data (Professional and Team plans)

    • LinkedIn display name, headline, and account identifier
    • LinkedIn message content, conversation history, and AI-generated drafts stored in your private workspace to power the LinkedIn inbox feature

    Important: AI learning is personalized to your account only. Your writing style, patterns, and email data are never used to train AI models for other users or shared across accounts.

    Team and Enterprise Data

    For organizations using team or enterprise features:

    • Organization administrators can view team member usage and analytics
    • Admins can manage team member accounts, roles, and permissions
    • Team member email content remains private unless explicitly shared
    • Organization owners retain data ownership rights
    • Upon member removal, individual data may be retained for organization continuity
    • Organization data deletion requests require authorization from organization owner

    3. How We Use Your Information

    Service Provision

    • Synchronize and manage your email inbox (Gmail or Outlook)
    • Generate AI-powered email responses
    • Automatically suggest available meeting times from your calendar
    • Prevent double-booking and scheduling conflicts
    • Generate context-aware email responses with real availability
    • Sync calendar data for meeting scheduling assistance
    • Adapt to your writing style
    • Categorize and prioritize emails
    • Provide analytics and insights

    Service Improvement

    • Enhance AI response quality
    • Develop new features based on usage
    • Optimize performance and reliability
    • Resolve bugs and technical issues

    Security and Compliance

    • Detect and prevent fraudulent activity
    • Maintain service integrity and security
    • Comply with legal obligations and requests

    4. Third-Party Services and Data Sharing

    Google Services

    Qbox uses the Gmail API and Google Calendar API in compliance with the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum access needed to operate the Service.

    When you connect a Google account, Qbox requests the following OAuth scopes:

    • openid, email, profile — your identity and basic account information for sign-in
    • gmail.readonly — read your email messages and threads to power inbox views and AI context
    • gmail.send — send replies and new messages on your behalf
    • calendar.readonly — read calendar availability for meeting scheduling
    • calendar.freebusy — check free/busy status without reading event details
    • calendar.events — create and update events when you book or reschedule from Qbox

    We store calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times — to power scheduling, meeting-preparation, and follow-up features. Calendar data is encrypted in transit and at rest, and is deleted within 30 days after you disconnect your calendar account, or when you delete your Qbox account. Full descriptions of each scope are available in the Google OAuth 2.0 Scopes reference.

    Microsoft Services

    When you connect a Microsoft account (Outlook/Microsoft 365), Qbox uses the Microsoft Graph API in compliance with the Microsoft Services Agreement and the Microsoft Privacy Statement. We only request the minimum access needed to operate the Service.

    When you connect a Microsoft account, Qbox requests the following Microsoft Graph delegated permissions:

    • email — your email address
    • offline_access — issue a refresh token so we can maintain sync after initial sign-in without repeated consent
    • User.Read — sign in and read your basic user profile (name, email)
    • Mail.ReadWrite — read and write email messages (does not include permission to send mail)
    • Mail.Send — send mail as the signed-in user

    Full descriptions of each permission are available in the Microsoft Graph permissions reference.

    AI Services (Google Gemini and OpenAI)

    To generate drafts and analyze your email, we send relevant email content (including message bodies and participant names) to our AI service providers — Google (Gemini API) and OpenAI (API) — over encrypted connections. Under the terms governing our use of these services, your content is not used to train their models. Providers may retain API inputs for a limited period (for example, up to approximately 55 days) solely for abuse and misuse detection, after which they are deleted. We never use your email content to build or train models for other customers.

    We use OpenAI's API for text embeddings (used to search and match your emails and templates), voice-input transcription, and extracting text from documents you add to your knowledge base. Voice input is processed for transcription and is not stored. Use of these services is subject to Google Cloud's enterprise API terms and Google's AI Principles, and to OpenAI's API data usage and privacy terms.

    Resend (Transactional Email)

    We use Resend to deliver transactional email, such as team invitations and responses to contact-form submissions. The names and email addresses included in those messages are processed by Resend solely to deliver them.

    Jina AI (Website Content Import)

    When you ask us to import content from a website into your knowledge base, we use Jina AI to fetch and extract the text of the page. Only the URLs you submit and the fetched page content are processed for this purpose.

    Marketing-Site Analytics

    Google Analytics and HubSpot run on our public marketing website only, to understand visitor engagement. They are never loaded inside the Qbox application and do not have access to your email, calendar, or account data.

    Subprocessors

    The complete, current list of our subprocessors is maintained at /subprocessors. We will update that page at least 30 days before adding or replacing a subprocessor that processes customer personal data.

    Stripe

    Qbox uses Stripe for payment processing. When you purchase a subscription:

    • Payment card details are processed directly by Stripe (PCI DSS Level 1 certified)
    • We never store or access your full credit card number
    • We receive only transaction metadata (last 4 digits, card brand, expiry date)
    • Billing information (name, email, amount) is stored to manage your subscription
    • Stripe may share limited data with us for fraud prevention and compliance
    • When you delete your account, Stripe retains billing and transaction records it is legally required to keep under financial and tax law, as permitted by GDPR Art. 17(3)(b) — this data is not erased on request for the duration of that legal obligation
    • We keep a copy of incoming Stripe payment webhook events (which may contain billing details such as your email) only for a short retention window for reconciliation and fraud-prevention purposes, after which they are automatically purged

    Supabase

    Qbox uses Supabase as backend infrastructure. Data is encrypted at rest and in transit, and handled per Supabase's policies.

    Unipile (LinkedIn Integration)

    LinkedIn authentication and message delivery for Professional and Team plan users is powered by Unipile, a third-party integration platform. When you connect your LinkedIn account, your LinkedIn credentials and session tokens are managed by Unipile. LinkedIn message content is routed through Unipile's API to enable inbox sync, message sending, and webhook delivery. Unipile does not use your data for any purpose beyond providing this integration service. Use of Unipile is subject to Unipile's Privacy Policy.

    LinkedIn

    When you connect your LinkedIn account, Qbox accesses your LinkedIn messages and conversations via the Unipile integration. This access is governed by LinkedIn's User Agreement. We do not post to LinkedIn, modify your profile, or access your connections list. We only read and send messages on your behalf as explicitly directed by you within the Qbox interface.

    Data Sharing Principles

    • We do not sell personal data.
    • We do not share your email content with advertisers.
    • We share only with providers essential for operations, under confidentiality agreements.

    5. Data Security

    We employ industry-standard measures, including:

    • Encryption of OAuth tokens and sensitive data
    • Calendar data encryption in transit and at rest
    • Row-Level Security (RLS) for database isolation
    • HTTPS encryption for all transmissions
    • Regular audits and vulnerability testing
    • Access logging and monitoring
    • Rate limiting for calendar API access
    • Audit logging for all calendar data access
    • Automatic expiry of cached calendar data (1-hour TTL)
    • Rate limiting and DDoS protection
    • Encrypted backups

    No system is 100% secure, but we continually work to safeguard your information. For more detail on our security measures, see our Security page.

    6. Data Retention and Deletion

    Retention Periods

    • Email data: retained while your account is active
    • Email and thread data synced from a mailbox you disconnect: permanently deleted within 30 days of disconnection
    • Calendar events synced from a mailbox you disconnect: permanently deleted within 30 days of disconnection
    • LinkedIn messages synced via our third-party messaging provider: permanently deleted within 30 days after you disconnect LinkedIn, and the connection is removed from the provider
    • AI drafts: retained while your account is active; purged within 30 days of disconnecting the associated mailbox
    • Calendar availability cache: 1 hour
    • OAuth token access logs, Gmail push notification logs, and provider webhook logs: 30 days
    • Stripe payment webhook event records: 180 days
    • Voice input: processed in memory for transcription and never stored
    • Calendar sync metadata: retained while your account is active; deleted within 30 days of disconnecting the mailbox
    • Analytics data: 30 days
    • Email attachment files in storage: deleted after 24 hours
    • Drafts: retained while your account is active and removed when you send or discard them
    • Deleted accounts: your personal data in Qbox is permanently erased within 30 days, except for a limited set of billing and transaction records that our payment processor (Stripe) is legally required to retain under applicable financial and tax law (GDPR Art. 17(3)(b)), and short-lived payment webhook logs (see the Stripe section above), which are purged on a rolling retention schedule
    • Pilot/trial data: scheduled for deletion when your pilot or contract ends and permanently removed within 30 days

    Automatic Deletion Schedule

    For pilot programs and enterprise trials:

    • When a pilot or contract ends, deletion of your organization's data is scheduled and completed within 30 days
    • The deletion schedule includes reminder checkpoints at 7 days and 1 day beforehand
    • Organizations can request immediate deletion or data export
    • All associated user data, emails, and metadata are permanently removed

    You may request deletion at any time via in-app settings or by contacting us at privacy@qbox-ai.com.

    7. Your Rights (GDPR/CCPA)

    Your Data Protection Rights

    Under GDPR (for EU/EEA residents) and CCPA (for California residents), you have the following rights:

    • Access: Request a copy of all personal data we hold about you
    • Rectification: Request correction of inaccurate personal data
    • Erasure ("Right to be Forgotten"): Request deletion of your personal data
    • Data Portability: Receive your data in a structured, machine-readable format (JSON)
    • Restriction: Request limitation on how we process your data
    • Objection: Object to processing based on legitimate interests
    • Withdrawal of Consent: Revoke consent for data processing at any time
    • Non-discrimination: Not be discriminated against for exercising your rights

    How to Exercise Your Rights

    To exercise any of these rights:

    • Email us at privacy@qbox-ai.com
    • Include your account email and specific request
    • We will respond within 30 days (45 days for complex requests)
    • We may request identity verification for security

    Data Export and Deletion

    We provide automated tools for:

    • Exporting all your personal data in JSON format
    • Scheduling account deletion with 30-day grace period
    • Immediate deletion upon request (irreversible)

    Supervisory Authority

    EU/EEA residents have the right to lodge a complaint with their local data protection authority if they believe their rights have been violated.

    8. Cookies and Tracking

    • Local storage for session and preferences
    • Analytics cookies for usage insights
    • No third-party advertising cookies

    You may disable cookies, though some features may not function properly.

    9. Children's Privacy (COPPA Compliance)

    Qbox is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.

    If You Are a Parent or Guardian

    If you believe your child under 18 has provided us with personal information, please contact us immediately at privacy@qbox-ai.com. We will:

    • Investigate the matter promptly
    • Delete the child's information from our systems within 30 days
    • Terminate the associated account
    • Provide confirmation of deletion upon request

    Parents have the right to review, request deletion of, and refuse further collection of their child's information.

    10. International Data Transfers

    Qbox operates globally, and your data may be transferred to, stored, and processed in countries other than your country of residence, including the United States.

    Data Storage Locations

    • Primary infrastructure: United States (via Supabase/AWS)
    • AI processing: United States and global Google Cloud regions (via Google Gemini) and the United States (via OpenAI)
    • Payment processing: Global (via Stripe)

    Transfer Safeguards

    When transferring data internationally, we use appropriate safeguards including:

    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • EU-U.S. Data Privacy Framework participation (where applicable)
    • Adequacy decisions for transfers to countries deemed adequate by the EU
    • Explicit consent for transfers where required by law
    • Encryption of data in transit and at rest

    For EU/EEA residents, you have the right to obtain information about the safeguards we use for international transfers and to obtain a copy of the SCCs by contacting privacy@qbox-ai.com.

    11. California Privacy Rights (CCPA/CPRA)

    California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

    Your Rights

    • Right to Know: Request disclosure of personal data collected, sources, purposes, and third parties with whom shared
    • Right to Delete: Request deletion of personal data we collected
    • Right to Correct: Request correction of inaccurate personal information
    • Right to Opt-Out: Opt-out of sale or sharing of personal data
    • Right to Limit: Limit use and disclosure of sensitive personal information
    • Right to Non-Discrimination: Not be discriminated against for exercising privacy rights

    Sale of Personal Information

    We do not sell your personal information. Under CCPA, "sale" is defined broadly to include sharing personal information for valuable consideration. We do not exchange personal data for money or other valuable consideration. We share data only with service providers necessary to operate our service (including Google (Gmail, Calendar, Gemini AI), Microsoft (Outlook, Microsoft Graph), OpenAI, Stripe, Supabase, Unipile, Resend, and Jina AI) under strict contractual limitations. The complete, current list is maintained at /subprocessors.

    How to Exercise Your Rights

    To exercise these rights, contact us at privacy@qbox-ai.com. We will verify your identity and respond within 45 days.

    12. Google API Services User Data Policy

    Qbox's use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    • Gmail data is used only to provide email management and AI features
    • Calendar data is used only for scheduling, meeting-preparation, and follow-up features
    • Gmail and Calendar data is never used for advertising
    • Human access is prohibited, except with your explicit consent (e.g., support)
    • Data is retained only as long as necessary to provide the Service
    • Calendar access requires explicit user consent via OAuth
    • You can revoke calendar access at any time through your Google account settings

    In particular, we do not use Google Workspace data (including Gmail and Google Calendar data) to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models. AI features that process your Google user data operate solely on your own data, to provide user-facing features to you.

    13. Data Breach Notification

    In the event of a data breach that may compromise your personal information, we commit to:

    • Notifying affected users within 72 hours of discovering the breach
    • Notifying relevant regulatory authorities as required by law (e.g., EU supervisory authorities under GDPR)
    • Providing detailed information about the breach, including:
      • What data was affected
      • When the breach occurred and was discovered
      • What measures we've taken to contain the breach
      • Steps you should take to protect yourself
      • Contact information for further inquiries
    • Offering identity theft protection services if sensitive data was compromised
    • Conducting a thorough investigation and implementing additional security measures

    You can report suspected security issues to security@qbox-ai.com.

    14. Service Limits and Rate Limiting

    To ensure fair usage and system stability, we implement various service limits:

    Credit Limits

    • Each subscription tier includes monthly AI generation credits
    • When credits are exhausted, AI features are paused until renewal or credit purchase
    • Basic email viewing and management remain available

    API Rate Limits

    • Gmail sync: Limited by Google's API quotas
    • Outlook sync: Limited by Microsoft Graph API quotas
    • Calendar availability: Rate-limited to prevent abuse
    • AI generation: Rate-limited based on subscription tier
    • Email sending: Subject to daily sending limits to prevent spam

    When Limits Are Reached

    When you reach a service limit, you will be notified in-app. You may:

    • Wait for automatic limit reset (daily or monthly depending on limit type)
    • Purchase additional credits for AI features
    • Upgrade to a higher subscription tier for increased limits
    • Contact support for enterprise custom limits

    15. Changes to This Policy

    We may update this Privacy Policy from time to time. Changes will be communicated by:

    • Updating this page with the new policy
    • Adjusting the "Last Updated" date at the top of this page
    • Emailing you at your registered email address if changes are material
    • Displaying an in-app notification for significant changes

    For material changes that require consent, we will obtain your explicit consent before the changes take effect. Continued use of Qbox after non-material changes indicates acceptance of the updated policy.

    We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

    16. Contact Us

    For privacy-related inquiries:

    Privacy inquiries: privacy@qbox-ai.com (our privacy team)

    Qbox is operated from the United States. We are in the process of appointing EU and UK representatives under Article 27 GDPR / UK GDPR; this policy will be updated with their contact details once appointed.