Privacy Policy

1. Information We Collect

1.1 Information You Provide to Us

• Account & Contact Information. When you sign up or correspond with us, you may provide your name, email address, password, company name, and other contact details.
• LinkedIn Authorization Data. If you connect your LinkedIn account, we receive OAuth tokens and limited profile identifiers that let us access your LinkedIn messages as permitted by you.
• Email Provider Authorization Data. If you connect an email provider (e.g., Gmail or Outlook), we receive OAuth tokens and metadata that grant scoped access to your inbox.
• Content You Submit. We collect content you actively submit through the Services such as messages, support requests, surveys, or other user‑generated content.

1.2 Information We Collect Automatically

• Edge‑Processed Message Data. For routine filtering, message bodies are processed on‑device; they are not sent to InboxFunnel servers. Only hashed or tokenized features and resulting labels (e.g., “sales pitch”) may be transmitted for cross‑device sync.
• Usage Logs. We record minimal diagnostic events (IP address, coarse location, browser type, error traces) necessary to operate and secure the Services.
• Cookies & Local Storage. We use local storage and essential cookies to remember preferences and maintain your session. Analytics cookies are non‑essential and disabled by default unless you opt in (see Section 10).
• Derived Insights. Our machine‑learning algorithms generate scores or categories associated with message IDs. These insights are encrypted in transit and at rest.

1.3 Information from Third Parties

We may receive information about you from:

• LinkedIn APIs. Message metadata and bodies only for threads you explicitly authorize; processed locally whenever feasible.
• Email Provider APIs. Message metadata, headers, and labels needed to classify and organize your inbox.
• Analytics & Payment Processors. Aggregated usage metrics or subscription details from tools such as Stripe or Plausible.

2. How We Use Your Information

We process your information to:

1. Provide & Operate the Services (Local by Default). Authenticate you, deliver real‑time inbox updates, classify messages locally, and route them according to your preferences.
2. Optional Model Improvement (Opt‑In). If you enable “Share Anonymized Samples for R&D” in Settings, we may collect small, randomly sampled snippets (max 256 characters) stripped of direct identifiers to fine‑tune our models or create few‑shot prompts. You can disable this at any time, and samples older than 30 days are purged automatically.
3. Comply with Platform Policies. Our access and use of LinkedIn or Gmail data complies with LinkedIn Developer Policies, Gmail Restricted Scopes, and other platform terms.
4. Security & Fraud Prevention. Detect, investigate, and prevent spam, abuse, or unauthorized access.
5. Communicate. Send administrative messages, security alerts, onboarding material, and product announcements. You may opt out of non‑essential emails at any time.
6. Legal & Compliance. Enforce our Terms of Service, respond to lawful requests, and protect our rights, property, and safety.

We rely on the following legal bases, where applicable, to process your data: performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), consent (Art. 6(1)(a) GDPR), and compliance with legal obligations (Art. 6(1)(c) GDPR).

3. How We Share Information

We do not sell your personal information. We share it only as described below:

• Service Providers (Zero‑Knowledge Where Possible). Infrastructure, analytics, and payment vendors that need access to perform services on our behalf under confidentiality agreements. Whenever feasible, we transmit only encrypted or tokenized data.
• LinkedIn & Email Providers. Data flows to and from LinkedIn, Google, Microsoft, or other providers solely to the extent necessary to provide requested integrations.
• Business Transfers. In connection with any merger, sale, financing, or acquisition, subject to standard confidentiality and data protection safeguards.
• Legal Requirements. Where required by law, subpoena, or court order; or to protect our rights, security, or users.
• With Consent. Any additional sharing will occur only with your explicit permission.

4. Data Retention

• Local Data. Message bodies processed locally remain on your device subject to your own retention settings.
• Server‑Side Metadata. Classification labels, hashes, and sync state are retained for as long as your account is active or until you delete them via the Dashboard.
• Opt‑In Training Samples. Snippets used for model improvement are stored in isolated, encrypted buckets and deleted after 30 days (or immediately upon opt‑out).
• Aggregated, anonymized analytics data may be retained indefinitely.

5. Security

We implement administrative, technical, and physical safeguards, including:

• End‑to‑end TLS encryption in transit
• AES‑256 encryption at rest with managed keys
• Zero‑trust network isolation and least‑privilege IAM roles
• Edge encryption: sensitive fields encrypted before leaving your device whenever feasible
• Regular penetration testing and secure code reviews

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials.

6. Your Rights & Choices

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, object, port, or withdraw consent regarding your personal data. To exercise these rights, email privacy@inbox-funnel.com.

6.1 California Privacy Rights (CCPA/CPRA)

California residents may request details on personal information collected and request deletion, subject to statutory exceptions. InboxFunnel does not sell or share personal information for cross‑context behavioral advertising.

6.2 EU/EEA & UK Residents

You may lodge a complaint with your local data protection authority if you believe our processing violates applicable law.

7. International Data Transfers

Your information may be processed in the United States or other countries where we or our service providers operate. We rely on Standard Contractual Clauses or other approved transfer mechanisms to protect data exported from the EEA, UK, or Switzerland.

8. Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from them.

9. Third‑Party Links

The Site may contain links to third‑party websites or services not operated by us. We are not responsible for the privacy practices of such third parties.

10. Cookies & Local Storage Notice

We use:

• Essential Cookies & Local Storage – required for login, security, and remembering preferences.
• Analytics Cookies (Opt‑In). Disabled by default; you can enable them to help us improve the product.

Most browsers let you control cookies via settings. You can also manage cookie consent in Settings → Privacy Controls.

11. Changes to This Policy

We may update this Policy from time to time. Changes will be posted here with an updated “Last updated” date. Material changes will be communicated via email or prominent notice. Continued use of the Services after such changes constitutes acceptance of the updated Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Policy or our privacy practices, contact us at: