The short version
- We only read email metadata — subject, sender, date, size, labels.
- We never read or store your email body content or attachments.
- We never sell your data to anyone, ever.
- You can revoke our access instantly at any time from Google settings.
1. Who We Are
CleanInbox ("we," "us," or "our") is an email management service that helps users scan their Gmail inboxes, categorize emails by type and size, and safely delete unwanted messages. Our service is available at app.cleaninbox.cc.
If you have questions about this policy, contact us at [email protected].
2. What Data We Access
To provide our service, we request access to your Gmail account via Google OAuth 2.0. We access only the minimum data necessary to perform email scanning and categorization.
Email metadata we access:
- Email subject lines
- Sender email addresses and display names
- Email dates and timestamps
- Email size (in bytes)
- Gmail labels (e.g., Promotions, Social, Inbox)
- Email thread IDs and message IDs (for identification only)
- Email headers used for categorization (e.g., List-Unsubscribe, Precedence)
Gmail API scopes we request:
- gmail.readonly — to read metadata for scanning and categorization
- gmail.modify — to move emails to Trash when you request deletion
3. What We Never Access
We are explicit about what we do not do, because trust requires clarity.
- We never read the body content of any email
- We never open, download, or inspect email attachments
- We never access emails in other Google Workspace apps (Drive, Docs, Calendar, etc.)
- We never access your Google contacts
- We never request or store your Google account password
- We never access your Google account profile beyond your name and email address (used for display purposes only)
4. How We Use Your Data
The data we access is used solely to provide the CleanInbox service to you. Specifically:
- Scanning: We query the Gmail API to retrieve email metadata, then count, size, and categorize messages.
- Categorization: We analyze metadata (labels, headers, sender patterns) to group emails into categories like Newsletters, Promotions, Large Attachments, and Social.
- Deletion: When you choose to delete emails, we call the Gmail API to move the messages with those specific message IDs to Trash (or to permanently delete them, if you explicitly choose that option).
- Session state: We store minimal session state to keep you logged in while you use the service. This includes your OAuth token, your display name and email, and scan results — all stored in an encrypted browser cookie.
We do not use your email data to train machine learning models, build advertising profiles, or for any purpose other than the direct delivery of the CleanInbox service.
5. Data Retention
We are designed to be stateless and to retain as little data as possible.
- Scan results are cached in server memory only for the duration of your active session. They are discarded when you log out or your session expires (24 hours maximum).
- OAuth tokens are stored in an encrypted session cookie in your browser. They are never written to a persistent database. When you log out, the cookie is deleted.
- Email metadata is retrieved on-demand from Gmail and never persisted to disk or database on our servers.
- Log files may capture anonymized request metadata (timestamps, error types) for operational purposes. These do not contain email content or personal identifiers.
6. Third-Party Services
We do not sell, rent, or share your personal data or email metadata with any third parties for any commercial purpose.
The only third-party service we interact with is:
- Google Gmail API — we query Gmail on your behalf, using the OAuth token you granted. Google's privacy practices are governed by Google's Privacy Policy.
We may use infrastructure providers (hosting, CDN) to operate the service. These providers process data only as necessary to deliver our service and are bound by appropriate data processing agreements.
7. Security
We take the security of your data seriously:
- All communication between your browser and our servers is encrypted via TLS/HTTPS.
- Your OAuth access token is stored exclusively in an encrypted, HTTP-only browser cookie using industry-standard cryptographic signing (itsdangerous / HMAC-SHA256).
- We do not store credentials, tokens, or sensitive data in plaintext anywhere in our system.
- We follow the principle of least privilege — requesting only the OAuth scopes necessary for the service to function.
8. Your Rights
You have full control over your data and our access to your account:
- Revoke access: You can instantly revoke CleanInbox's access to your Gmail at any time by visiting myaccount.google.com/permissions and removing CleanInbox. This immediately invalidates our OAuth token.
- Log out: Logging out of CleanInbox deletes your session cookie and all in-memory scan data.
- Data deletion request: To request deletion of any data we may hold, email us at [email protected]. Given our stateless design, there is typically no persistent data to delete, but we will investigate and confirm within 30 days.
- Access request: You may request a summary of any data we hold about you by emailing [email protected].
9. GDPR Compliance (EU Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis: We process your data based on your explicit consent, which you provide by connecting your Google account through OAuth.
- Right to erasure: You may request deletion of your personal data at any time.
- Right to portability: You may request a copy of your data in a portable format.
- Right to object: You may object to processing of your personal data at any time by revoking OAuth access.
- Right to rectification: If we hold inaccurate data about you, you may request correction.
- Right to restrict processing: You may request that we restrict processing of your data.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
10. Children's Privacy
CleanInbox is not directed at individuals under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
We aim to respond to all privacy-related inquiries within 5 business days.