Privacy Policy

    Effective Date: September 25, 2025
    Last Updated: December 11, 2025

    1. Introduction

    Welcome to Qbox AI, operated by Qbox Intelligence, Inc. ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email management and AI assistance service ("Service").

    By using Qbox, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Service.

    2. Information We Collect

    Account Information

    • Email address (used for authentication and account identification)
    • Name and profile information from your Google account
    • Account creation and last login timestamps

    Email Data

    • Email content, including message bodies and headers
    • Email metadata (sender, recipients, timestamps, subject lines)
    • Attachments (temporarily stored for processing)
    • Email threads and conversation history
    • Contact information from your emails

    Calendar Data

    • Calendar availability and free/busy status
    • Meeting schedules and event metadata (obfuscated for privacy)
    • Working hours and timezone preferences
    • Calendar permissions granted (read-only access)
    • Meeting invitation links and scheduling preferences
    • Calendar sync state and last sync timestamps

    Authentication Data

    • OAuth tokens for Gmail and Google Calendar access (encrypted and securely stored)
    • Calendar API refresh tokens
    • Refresh tokens for maintaining API access
    • Session information for login state

    Usage Analytics

    • Feature usage patterns (e.g., emails sent, AI responses generated)
    • Response times and interaction metrics
    • Error logs and performance data
    • Session duration and activity patterns

    AI Training Data

    • Edits you make to AI-generated drafts
    • Writing patterns and style preferences
    • Email categorization and priority settings
    • Custom templates and automation rules

    Important: AI learning is personalized to your account only. Your writing style, patterns, and email data are never used to train AI models for other users or shared across accounts.

    Team and Enterprise Data

    For organizations using team or enterprise features:

    • Organization administrators can view team member usage and analytics
    • Admins can manage team member accounts, roles, and permissions
    • Team member email content remains private unless explicitly shared
    • Organization owners retain data ownership rights
    • Upon member removal, individual data may be retained for organization continuity
    • Organization data deletion requests require authorization from the organization owner

    3. How We Use Your Information

    Service Provision

    • Synchronize and manage your Gmail inbox
    • Generate AI-powered email responses
    • Automatically suggest available meeting times from your calendar
    • Prevent double-booking and scheduling conflicts
    • Generate context-aware email responses with real availability
    • Sync calendar data for meeting scheduling assistance
    • Adapt to your writing style
    • Categorize and prioritize emails
    • Provide analytics and insights

    Service Improvement

    • Enhance AI response quality
    • Develop new features based on usage
    • Optimize performance and reliability
    • Resolve bugs and technical issues

    Security and Compliance

    • Detect and prevent fraudulent activity
    • Maintain service integrity and security
    • Comply with legal obligations and requests

    4. Third-Party Services and Data Sharing

    Google Services

    Qbox uses the Gmail API and Google Calendar API in compliance with the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum access needed to operate the Service.

    For calendar access, we use calendar.readonly and calendar.freebusy scopes, accessing only availability information, not meeting details. Meeting titles and attendee details are obfuscated for privacy protection.

    Google AI (Gemini)

    Qbox uses Google's Gemini API to generate email responses. Email content is processed through Google's AI services but is:

    • Not used by Google to train their foundation models (per Google Cloud API data usage policy)
    • Not retained by Google beyond the API processing time
    • Anonymized and stripped of personally identifiable information where possible
    • Processed only to generate responses for your specific use
    • Subject to Google Cloud's enterprise API terms and Google's AI Principles

    Stripe

    Qbox uses Stripe for payment processing. When you purchase a subscription:

    • Payment card details are processed directly by Stripe (PCI DSS Level 1 certified)
    • We never store or access your full credit card number
    • We receive only transaction metadata (last 4 digits, card brand, expiry date)
    • Billing information (name, email, amount) is stored to manage your subscription
    • Stripe may share limited data with us for fraud prevention and compliance

    Supabase

    Qbox uses Supabase as backend infrastructure. Data is encrypted at rest and in transit, and handled per Supabase's policies.

    Data Sharing Principles

    • We do not sell personal data.
    • We do not share your email content with advertisers.
    • We share only with providers essential for operations, under confidentiality agreements.

    5. Data Security

    We employ industry-standard measures, including:

    • Encryption of OAuth tokens and sensitive data
    • Calendar data encryption and obfuscation
    • Row-Level Security (RLS) for database isolation
    • HTTPS encryption for all transmissions
    • Regular audits and vulnerability testing
    • Access logging and monitoring
    • Rate limiting for calendar API access
    • Audit logging for all calendar data access
    • Automatic expiry of cached calendar data (1-hour TTL)
    • Rate limiting and DDoS protection
    • Encrypted backups

    No system is 100% secure, but we continually work to safeguard your information.

    6. Data Retention and Deletion

    Retention Periods

    • Email data: retained while your account is active
    • Calendar availability cache: 1 hour
    • Calendar access logs: 90 days
    • Calendar sync metadata: retained while your account is active
    • Analytics data: 30 days
    • Temporary attachments: deleted after 24 hours
    • Drafts: deleted after 7 days
    • Deleted accounts: permanently erased within 30 days
    • Pilot/trial data: automatically deleted 30 days after contract end

    Automatic Deletion Schedule

    For pilot programs and enterprise trials:

    • Data deletion is automatically scheduled 30 days after contract termination
    • Email notifications are sent 7 days and 1 day before deletion
    • Organizations can request immediate deletion or data export
    • All associated user data, emails, and metadata are permanently removed

    You may request deletion at any time via in-app settings or by contacting us at privacy@qbox-ai.com.

    7. Your Rights (GDPR/CCPA)

    Your Data Protection Rights

    Under GDPR (for EU/EEA residents) and CCPA (for California residents), you have the following rights:

    • Access: Request a copy of all personal data we hold about you
    • Rectification: Request correction of inaccurate personal data
    • Erasure ("Right to be Forgotten"): Request deletion of your personal data
    • Data Portability: Receive your data in a structured, machine-readable format (JSON)
    • Restriction: Request limitation on how we process your data
    • Objection: Object to processing based on legitimate interests
    • Withdrawal of Consent: Revoke consent for data processing at any time
    • Non-discrimination: Not be discriminated against for exercising your rights

    How to Exercise Your Rights

    To exercise any of these rights:

    • Email us at privacy@qbox-ai.com
    • Include your account email and specific request
    • We will respond within 30 days (45 days for complex requests)
    • We may request identity verification for security

    Data Export and Deletion

    We provide automated tools for:

    • Exporting all your personal data in JSON format
    • Scheduling account deletion with a 30-day grace period
    • Immediate deletion upon request (irreversible)

    Supervisory Authority

    EU/EEA residents have the right to lodge a complaint with their local data protection authority if they believe their rights have been violated.

    8. Cookies and Tracking

    • Local storage for session and preferences
    • Analytics cookies for usage insights
    • No third-party advertising cookies

    You may disable cookies, though some features may not function properly.

    9. Children's Privacy (COPPA Compliance)

    Qbox is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.

    If You Are a Parent or Guardian

    If you believe your child under 18 has provided us with personal information, please contact us immediately at privacy@qbox-ai.com. We will:

    • Investigate the matter promptly
    • Delete the child's information from our systems within 30 days
    • Terminate the associated account
    • Provide confirmation of deletion upon request

    Parents have the right to review, request deletion of, and refuse further collection of their child's information.

    10. International Data Transfers

    Qbox operates globally, and your data may be transferred to, stored, and processed in countries other than your country of residence, including the United States.

    Data Storage Locations

    • Primary infrastructure: United States (via Supabase/AWS)
    • AI processing: United States and global Google Cloud regions (via Google Gemini)
    • Payment processing: Global (via Stripe)

    Transfer Safeguards

    When transferring data internationally, we use appropriate safeguards including:

    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • EU-U.S. Data Privacy Framework participation (where applicable)
    • Adequacy decisions for transfers to countries deemed adequate by the EU
    • Explicit consent for transfers where required by law
    • Encryption of data in transit and at rest

    For EU/EEA residents, you have the right to obtain information about the safeguards we use for international transfers and to obtain a copy of the SCCs by contacting privacy@qbox-ai.com.

    11. California Privacy Rights (CCPA/CPRA)

    California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

    Your Rights

    • Right to Know: Request disclosure of personal data collected, sources, purposes, and third parties with whom shared
    • Right to Delete: Request deletion of personal data we collected
    • Right to Correct: Request correction of inaccurate personal information
    • Right to Opt-Out: Opt out of sale or sharing of personal data
    • Right to Limit: Limit use and disclosure of sensitive personal information
    • Right to Non-Discrimination: Not be discriminated against for exercising privacy rights

    Sale of Personal Information

    We do not sell your personal information. Under CCPA, "sale" is defined broadly to include sharing personal information for valuable consideration. We do not exchange personal data for money or other valuable consideration. We share data only with the service providers necessary to operate our service, namely Google (including Gmail, Calendar, and Gemini AI), Stripe, and Supabase, under strict contractual limitations.

    How to Exercise Your Rights

    To exercise these rights, contact us at privacy@qbox-ai.com. We will verify your identity and respond within 45 days.

    12. Google API Services User Data Policy

    Qbox's use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    • Gmail data is used only to provide email management and AI features
    • Calendar data is used only for scheduling assistance
    • Calendar event details are obfuscated for privacy
    • We don't store full calendar events, only availability slots
    • Gmail and Calendar data is never used for advertising
    • Human access is prohibited, except with your explicit consent (e.g., support)
    • Data is retained only as long as necessary to provide the Service
    • Calendar access requires explicit user consent via OAuth
    • You can revoke calendar access at any time through your Google account settings

    13. Data Breach Notification

    In the event of a data breach that may compromise your personal information, we commit to:

    • Notifying affected users within 72 hours of discovering the breach
    • Notifying relevant regulatory authorities as required by law (e.g., EU supervisory authorities under GDPR)
    • Providing detailed information about the breach, including:
      • What data was affected
      • When the breach occurred and was discovered
      • What measures we've taken to contain the breach
      • Steps you should take to protect yourself
      • Contact information for further inquiries
    • Offering identity theft protection services if sensitive data was compromised
    • Conducting a thorough investigation and implementing additional security measures

    You can report suspected security issues to security@qbox-ai.com.

    14. Service Limits and Rate Limiting

    To ensure fair usage and system stability, we implement various service limits:

    Credit Limits

    • Each subscription tier includes monthly AI generation credits
    • When credits are exhausted, AI features are paused until renewal or credit purchase
    • Basic email viewing and management remain available

    API Rate Limits

    • Gmail sync: Limited by Google's API quotas
    • Calendar availability: Rate-limited to prevent abuse
    • AI generation: Rate-limited based on subscription tier
    • Email sending: Subject to daily sending limits to prevent spam

    When Limits Are Reached

    When you reach a service limit, you will be notified in-app. You may:

    • Wait for automatic limit reset (daily or monthly depending on limit type)
    • Purchase additional credits for AI features
    • Upgrade to a higher subscription tier for increased limits
    • Contact support for enterprise custom limits

    15. Changes to This Policy

    We may update this Privacy Policy from time to time. Changes will be communicated by:

    • Updating this page with the new policy
    • Adjusting the "Last Updated" date at the top of this page
    • Emailing you at your registered email address if changes are material
    • Displaying an in-app notification for significant changes

    For material changes that require consent, we will obtain your explicit consent before the changes take effect. Continued use of Qbox after non-material changes indicates acceptance of the updated policy.

    We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

    16. Contact Us

    For privacy-related inquiries:

    Email: privacy@qbox-ai.com

    Data Protection Officer: privacy@qbox-ai.com

    GDPR Representative (EU): privacy@qbox-ai.com