Privacy Policy
Effective Date: September 25, 2025
Last Updated: July 8, 2026
1. Introduction
Welcome to Qbox AI, operated by Qbox Intelligence, Inc. ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email management and AI assistance service ("Service").
By using Qbox, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Service.
2. Information We Collect
Account Information
- Email address (used for authentication and account identification)
- Name and profile information from your Google or Microsoft account
- Account creation and last login timestamps
Email Data
- Email content, including message bodies and headers
- Email metadata (sender, recipients, timestamps, subject lines)
- Attachments (temporarily stored for processing)
- Email threads and conversation history
- Contact information from your emails
Calendar Data
- Calendar availability and free/busy status
- Calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times
- Meeting content — including agendas, notes, and transcripts — used to power meeting-preparation and follow-up features
- Working hours and timezone preferences
- Calendar permissions granted (read and write access)
- Meeting invitation links and scheduling preferences
- Calendar sync state and last sync timestamps
We store calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times — to power scheduling, meeting-preparation, and follow-up features. Calendar data is encrypted in transit and at rest, and is deleted within 30 days after you disconnect your calendar account, or when you delete your Qbox account.
Authentication Data
- OAuth tokens for your connected email provider (Google/Gmail or Microsoft/Outlook) and calendar access (encrypted and securely stored)
- Calendar API refresh tokens
- Refresh tokens for maintaining API access
- Session information for login state
Usage Analytics
- Feature usage patterns (e.g., emails sent, AI responses generated)
- Response times and interaction metrics
- Error logs and performance data
- Session duration and activity patterns
AI Training Data
- Edits you make to AI-generated drafts
- Writing patterns and style preferences
- Email categorization and priority settings
- Custom templates and automation rules
LinkedIn Data (Professional and Team plans)
- LinkedIn display name, headline, and account identifier
- LinkedIn message content, conversation history, and AI-generated drafts stored in your private workspace to power the LinkedIn inbox feature
Important: AI learning is personalized to your account only. Your writing style, patterns, and email data are never used to train AI models for other users or shared across accounts.
Team and Enterprise Data
For organizations using team or enterprise features:
- Organization administrators can view team member usage and analytics
- Admins can manage team member accounts, roles, and permissions
- Team member email content remains private unless explicitly shared
- Organization owners retain data ownership rights
- Upon member removal, individual data may be retained for organization continuity
- Organization data deletion requests require authorization from organization owner
3. How We Use Your Information
Service Provision
- Synchronize and manage your email inbox (Gmail or Outlook)
- Generate AI-powered email responses
- Automatically suggest available meeting times from your calendar
- Prevent double-booking and scheduling conflicts
- Generate context-aware email responses with real availability
- Sync calendar data for meeting scheduling assistance
- Adapt to your writing style
- Categorize and prioritize emails
- Provide analytics and insights
Service Improvement
- Enhance AI response quality
- Develop new features based on usage
- Optimize performance and reliability
- Resolve bugs and technical issues
Security and Compliance
- Detect and prevent fraudulent activity
- Maintain service integrity and security
- Comply with legal obligations and requests
4. Third-Party Services and Data Sharing
Google Services
Qbox uses the Gmail API and Google Calendar API in compliance with the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum access needed to operate the Service.
When you connect a Google account, Qbox requests the following OAuth scopes:
openid,email,profile— your identity and basic account information for sign-ingmail.readonly— read your email messages and threads to power inbox views and AI contextgmail.send— send replies and new messages on your behalfcalendar.readonly— read calendar availability for meeting schedulingcalendar.freebusy— check free/busy status without reading event detailscalendar.events— create and update events when you book or reschedule from Qbox
We store calendar event details — including event titles, descriptions, participant names and email addresses, and meeting times — to power scheduling, meeting-preparation, and follow-up features. Calendar data is encrypted in transit and at rest, and is deleted within 30 days after you disconnect your calendar account, or when you delete your Qbox account. Full descriptions of each scope are available in the Google OAuth 2.0 Scopes reference.
Microsoft Services
When you connect a Microsoft account (Outlook/Microsoft 365), Qbox uses the Microsoft Graph API in compliance with the Microsoft Services Agreement and the Microsoft Privacy Statement. We only request the minimum access needed to operate the Service.
When you connect a Microsoft account, Qbox requests the following Microsoft Graph delegated permissions:
email— your email addressoffline_access— issue a refresh token so we can maintain sync after initial sign-in without repeated consentUser.Read— sign in and read your basic user profile (name, email)Mail.ReadWrite— read and write email messages (does not include permission to send mail)Mail.Send— send mail as the signed-in user
Full descriptions of each permission are available in the Microsoft Graph permissions reference.
AI Services (Google Gemini and OpenAI)
To generate drafts and analyze your email, we send relevant email content (including message bodies and participant names) to our AI service providers — Google (Gemini API) and OpenAI (API) — over encrypted connections. Under the terms governing our use of these services, your content is not used to train their models. Providers may retain API inputs for a limited period (for example, up to approximately 55 days) solely for abuse and misuse detection, after which they are deleted. We never use your email content to build or train models for other customers.
We use OpenAI's API for text embeddings (used to search and match your emails and templates), voice-input transcription, and extracting text from documents you add to your knowledge base. Voice input is processed for transcription and is not stored. Use of these services is subject to Google Cloud's enterprise API terms and Google's AI Principles, and to OpenAI's API data usage and privacy terms.
Resend (Transactional Email)
We use Resend to deliver transactional email, such as team invitations and responses to contact-form submissions. The names and email addresses included in those messages are processed by Resend solely to deliver them.
Jina AI (Website Content Import)
When you ask us to import content from a website into your knowledge base, we use Jina AI to fetch and extract the text of the page. Only the URLs you submit and the fetched page content are processed for this purpose.
Marketing-Site Analytics
Google Analytics and HubSpot run on our public marketing website only, to understand visitor engagement. They are never loaded inside the Qbox application and do not have access to your email, calendar, or account data.
Subprocessors
The complete, current list of our subprocessors is maintained at /subprocessors. We will update that page at least 30 days before adding or replacing a subprocessor that processes customer personal data.
Stripe
Qbox uses Stripe for payment processing. When you purchase a subscription:
- Payment card details are processed directly by Stripe (PCI DSS Level 1 certified)
- We never store or access your full credit card number
- We receive only transaction metadata (last 4 digits, card brand, expiry date)
- Billing information (name, email, amount) is stored to manage your subscription
- Stripe may share limited data with us for fraud prevention and compliance
- When you delete your account, Stripe retains billing and transaction records it is legally required to keep under financial and tax law, as permitted by GDPR Art. 17(3)(b) — this data is not erased on request for the duration of that legal obligation
- We keep a copy of incoming Stripe payment webhook events (which may contain billing details such as your email) only for a short retention window for reconciliation and fraud-prevention purposes, after which they are automatically purged
Supabase
Qbox uses Supabase as backend infrastructure. Data is encrypted at rest and in transit, and handled per Supabase's policies.
Unipile (LinkedIn Integration)
LinkedIn authentication and message delivery for Professional and Team plan users is powered by Unipile, a third-party integration platform. When you connect your LinkedIn account, your LinkedIn credentials and session tokens are managed by Unipile. LinkedIn message content is routed through Unipile's API to enable inbox sync, message sending, and webhook delivery. Unipile does not use your data for any purpose beyond providing this integration service. Use of Unipile is subject to Unipile's Privacy Policy.
When you connect your LinkedIn account, Qbox accesses your LinkedIn messages and conversations via the Unipile integration. This access is governed by LinkedIn's User Agreement. We do not post to LinkedIn, modify your profile, or access your connections list. We only read and send messages on your behalf as explicitly directed by you within the Qbox interface.
Data Sharing Principles
- We do not sell personal data.
- We do not share your email content with advertisers.
- We share only with providers essential for operations, under confidentiality agreements.
5. Data Security
We employ industry-standard measures, including:
- Encryption of OAuth tokens and sensitive data
- Calendar data encryption in transit and at rest
- Row-Level Security (RLS) for database isolation
- HTTPS encryption for all transmissions
- Regular audits and vulnerability testing
- Access logging and monitoring
- Rate limiting for calendar API access
- Audit logging for all calendar data access
- Automatic expiry of cached calendar data (1-hour TTL)
- Rate limiting and DDoS protection
- Encrypted backups
No system is 100% secure, but we continually work to safeguard your information. For more detail on our security measures, see our Security page.
6. Data Retention and Deletion
Retention Periods
- Email data: retained while your account is active
- Email and thread data synced from a mailbox you disconnect: permanently deleted within 30 days of disconnection
- Calendar events synced from a mailbox you disconnect: permanently deleted within 30 days of disconnection
- LinkedIn messages synced via our third-party messaging provider: permanently deleted within 30 days after you disconnect LinkedIn, and the connection is removed from the provider
- AI drafts: retained while your account is active; purged within 30 days of disconnecting the associated mailbox
- Calendar availability cache: 1 hour
- OAuth token access logs, Gmail push notification logs, and provider webhook logs: 30 days
- Stripe payment webhook event records: 180 days
- Voice input: processed in memory for transcription and never stored
- Calendar sync metadata: retained while your account is active; deleted within 30 days of disconnecting the mailbox
- Analytics data: 30 days
- Email attachment files in storage: deleted after 24 hours
- Drafts: retained while your account is active and removed when you send or discard them
- Deleted accounts: your personal data in Qbox is permanently erased within 30 days, except for a limited set of billing and transaction records that our payment processor (Stripe) is legally required to retain under applicable financial and tax law (GDPR Art. 17(3)(b)), and short-lived payment webhook logs (see the Stripe section above), which are purged on a rolling retention schedule
- Pilot/trial data: scheduled for deletion when your pilot or contract ends and permanently removed within 30 days
Automatic Deletion Schedule
For pilot programs and enterprise trials:
- When a pilot or contract ends, deletion of your organization's data is scheduled and completed within 30 days
- The deletion schedule includes reminder checkpoints at 7 days and 1 day beforehand
- Organizations can request immediate deletion or data export
- All associated user data, emails, and metadata are permanently removed
You may request deletion at any time via in-app settings or by contacting us at privacy@qbox-ai.com.
7. Your Rights (GDPR/CCPA)
Your Data Protection Rights
Under GDPR (for EU/EEA residents) and CCPA (for California residents), you have the following rights:
- Access: Request a copy of all personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Data Portability: Receive your data in a structured, machine-readable format (JSON)
- Restriction: Request limitation on how we process your data
- Objection: Object to processing based on legitimate interests
- Withdrawal of Consent: Revoke consent for data processing at any time
- Non-discrimination: Not be discriminated against for exercising your rights
How to Exercise Your Rights
To exercise any of these rights:
- Email us at privacy@qbox-ai.com
- Include your account email and specific request
- We will respond within 30 days (45 days for complex requests)
- We may request identity verification for security
Data Export and Deletion
We provide automated tools for:
- Exporting all your personal data in JSON format
- Scheduling account deletion with 30-day grace period
- Immediate deletion upon request (irreversible)
Supervisory Authority
EU/EEA residents have the right to lodge a complaint with their local data protection authority if they believe their rights have been violated.
8. Cookies and Tracking
- Local storage for session and preferences
- Analytics cookies for usage insights
- No third-party advertising cookies
You may disable cookies, though some features may not function properly.
9. Children's Privacy (COPPA Compliance)
Qbox is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If You Are a Parent or Guardian
If you believe your child under 18 has provided us with personal information, please contact us immediately at privacy@qbox-ai.com. We will:
- Investigate the matter promptly
- Delete the child's information from our systems within 30 days
- Terminate the associated account
- Provide confirmation of deletion upon request
Parents have the right to review, request deletion of, and refuse further collection of their child's information.
10. International Data Transfers
Qbox operates globally, and your data may be transferred to, stored, and processed in countries other than your country of residence, including the United States.
Data Storage Locations
- Primary infrastructure: United States (via Supabase/AWS)
- AI processing: United States and global Google Cloud regions (via Google Gemini) and the United States (via OpenAI)
- Payment processing: Global (via Stripe)
Transfer Safeguards
When transferring data internationally, we use appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework participation (where applicable)
- Adequacy decisions for transfers to countries deemed adequate by the EU
- Explicit consent for transfers where required by law
- Encryption of data in transit and at rest
For EU/EEA residents, you have the right to obtain information about the safeguards we use for international transfers and to obtain a copy of the SCCs by contacting privacy@qbox-ai.com.
11. California Privacy Rights (CCPA/CPRA)
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Your Rights
- Right to Know: Request disclosure of personal data collected, sources, purposes, and third parties with whom shared
- Right to Delete: Request deletion of personal data we collected
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt-out of sale or sharing of personal data
- Right to Limit: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: Not be discriminated against for exercising privacy rights
Sale of Personal Information
We do not sell your personal information. Under CCPA, "sale" is defined broadly to include sharing personal information for valuable consideration. We do not exchange personal data for money or other valuable consideration. We share data only with service providers necessary to operate our service (including Google (Gmail, Calendar, Gemini AI), Microsoft (Outlook, Microsoft Graph), OpenAI, Stripe, Supabase, Unipile, Resend, and Jina AI) under strict contractual limitations. The complete, current list is maintained at /subprocessors.
How to Exercise Your Rights
To exercise these rights, contact us at privacy@qbox-ai.com. We will verify your identity and respond within 45 days.
12. Google API Services User Data Policy
Qbox's use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- Gmail data is used only to provide email management and AI features
- Calendar data is used only for scheduling, meeting-preparation, and follow-up features
- Gmail and Calendar data is never used for advertising
- Human access is prohibited, except with your explicit consent (e.g., support)
- Data is retained only as long as necessary to provide the Service
- Calendar access requires explicit user consent via OAuth
- You can revoke calendar access at any time through your Google account settings
In particular, we do not use Google Workspace data (including Gmail and Google Calendar data) to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models. AI features that process your Google user data operate solely on your own data, to provide user-facing features to you.
13. Data Breach Notification
In the event of a data breach that may compromise your personal information, we commit to:
- Notifying affected users within 72 hours of discovering the breach
- Notifying relevant regulatory authorities as required by law (e.g., EU supervisory authorities under GDPR)
- Providing detailed information about the breach, including:
- What data was affected
- When the breach occurred and was discovered
- What measures we've taken to contain the breach
- Steps you should take to protect yourself
- Contact information for further inquiries
- Offering identity theft protection services if sensitive data was compromised
- Conducting a thorough investigation and implementing additional security measures
You can report suspected security issues to security@qbox-ai.com.
14. Service Limits and Rate Limiting
To ensure fair usage and system stability, we implement various service limits:
Credit Limits
- Each subscription tier includes monthly AI generation credits
- When credits are exhausted, AI features are paused until renewal or credit purchase
- Basic email viewing and management remain available
API Rate Limits
- Gmail sync: Limited by Google's API quotas
- Outlook sync: Limited by Microsoft Graph API quotas
- Calendar availability: Rate-limited to prevent abuse
- AI generation: Rate-limited based on subscription tier
- Email sending: Subject to daily sending limits to prevent spam
When Limits Are Reached
When you reach a service limit, you will be notified in-app. You may:
- Wait for automatic limit reset (daily or monthly depending on limit type)
- Purchase additional credits for AI features
- Upgrade to a higher subscription tier for increased limits
- Contact support for enterprise custom limits
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be communicated by:
- Updating this page with the new policy
- Adjusting the "Last Updated" date at the top of this page
- Emailing you at your registered email address if changes are material
- Displaying an in-app notification for significant changes
For material changes that require consent, we will obtain your explicit consent before the changes take effect. Continued use of Qbox after non-material changes indicates acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Us
For privacy-related inquiries:
Privacy inquiries: privacy@qbox-ai.com (our privacy team)
Qbox is operated from the United States. We are in the process of appointing EU and UK representatives under Article 27 GDPR / UK GDPR; this policy will be updated with their contact details once appointed.