Privacy Policy.
This is the plainest English we could manage. The legalese version is here too, but we tried to write it so you can actually read it. If anything is unclear, email privacy@inboxnanny.com.
1. Who we are
Inbox Nanny (referred to as "we," "us," or "the Service") is operated by the team behind inboxnanny.com. We are reachable at hello@inboxnanny.com for general questions, and at privacy@inboxnanny.com for anything privacy-related.
This policy explains what data we collect when you use Inbox Nanny, what we do with it, how we protect it, and what rights you have to access, change, or delete it.
2. What we collect
To find cold senders, the nanny reads parts of your Gmail. She sees sender addresses and subject lines. She does not store full message contents, and she cannot send or delete mail without your explicit permission for each action.
2.1 Information you provide directly
When you sign up:
- Your Google account email address (via Gmail OAuth)
- Your name as shown on your Google profile (for personalization only)
- Payment information (handled by our payment provider Paddle; we never see or store card numbers)
2.2 Information collected via Gmail OAuth
When you grant the nanny read-only Gmail access, the Service may access:
- Sender metadata: From address, From name, reply-to header, list-unsubscribe header
- Subject lines: of messages identified as potential cold outreach
- Date/time stamps and message IDs (used to detect patterns and avoid double-processing)
- Limited message contents: only the first ~500 characters of messages that match cold-outreach patterns, used for pattern matching and database attribution
The Service does not access:
- Contents of messages from senders you've replied to or corresponded with
- Attachments of any kind
- Drafts in your drafts folder
- Messages in folders you've labeled as private
- Calendar invites, payment receipts, or other categorized messages outside the inbox
2.3 Information about your interactions with the Service
We log basic usage data: pages viewed, features used, error events. This data is used to improve the Service and is not associated with your inbox contents.
2.4 Email scan data
When you check an email address using our no-auth scan, we store the email, the scan results, and (if you opt in) your preference for re-listing alerts. We keep this data for 90 days, then delete it automatically. You can unsubscribe from alerts at any time using the link in any alert email.
3. How we use what we collect
To find cold senders, identify which database they came from, send removal requests on your behalf, and check whether your data has re-appeared in those databases over time. That's it.
The Service uses your data exclusively for the following purposes:
- Detecting cold outreach patterns in your Gmail inbox
- Identifying which B2B sales databases likely supplied your contact information
- Generating personalized removal requests addressed to specific databases
- Sending those removal requests via your own Gmail (only after your explicit consent, per request)
- Creating optional Gmail filters to triage future cold messages
- Monitoring monthly (or weekly on Deep Work) for re-listings
- Sending you summary reports of removal status
- Customer support and account administration
- Improving the Service (in aggregate, never tied to your individual inbox content)
4. What we do NOT do with your data
To be explicit about what's off the table:
- We do not sell your data. Not to anyone, not in aggregate, not as derivative products. Ever.
- We do not train AI models on your inbox content. Pattern detection uses statistical heuristics, not machine learning trained on your messages.
- We do not share your inbox data with third parties except as strictly necessary to operate the Service (e.g., our hosting provider stores encrypted data on our behalf).
- We do not use your data for advertising - ours or anyone else's.
- We do not access messages from your real contacts. Cold sender detection is specifically designed to skip messages from people you've corresponded with.
5. Where your data lives
Your data is stored on servers in the geographic region matching your jurisdiction:
- EU/UK users: AWS Frankfurt and AWS Dublin
- US users: AWS US-East and AWS US-West
- Other regions: the AWS region geographically closest to you
Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Backups are encrypted and retained for 30 days, then permanently deleted.
6. How long we keep your data
- Active account data: kept for as long as your account is active
- Inbox scan results: kept for 90 days, then automatically purged
- Removal request records: kept for as long as needed to track and re-submit (typically 12 months)
- Account deletion: when you delete your account, all data is permanently erased within 30 days, with the exception of records we are legally required to retain (e.g., payment receipts for tax purposes - kept for 7 years)
7. Your rights
Depending on your jurisdiction, you have some or all of the following rights:
- Access: get a copy of all the data we hold about you
- Correction: ask us to fix data that's wrong or incomplete
- Deletion: ask us to delete your data ("right to be forgotten")
- Restriction: ask us to stop using your data while we resolve a dispute
- Portability: get your data in a structured, machine-readable format
- Objection: object to processing for direct marketing
- Opt-out of sale: not relevant since we never sell your data, but it's your right under CCPA
- Withdraw consent: revoke the Gmail OAuth permission at any time from your Google account
To exercise any of these rights, email privacy@inboxnanny.com. We respond within the timeframe required by your jurisdiction's law (30 days under GDPR, 45 days under CCPA).
8. Cookies and tracking
We use the minimum cookies necessary to operate the Service:
- Session cookie: keeps you logged in
- Preferences cookie: remembers your dashboard settings
We do not use third-party advertising cookies, social tracking pixels, or session replay tools. Analytics is done with privacy-respecting tooling (currently Plausible Analytics) that does not use cookies or personal identifiers.
9. Children's privacy
The Service is intended for use by adults in a professional context. We do not knowingly collect data from anyone under 16. If you believe a minor has signed up for the Service, contact us and we will delete the account.
10. Changes to this policy
If we make material changes to this policy, we will notify you via email at least 30 days before the changes take effect. Minor changes (typos, clarifications) may be made without notice but are reflected in the "last updated" date at the top.
11. Contact
Privacy questions, complaints, or rights requests:
- Email: privacy@inboxnanny.com
- Mail: [TO BE ADDED at launch - business address]
If you're in the EU/UK and aren't satisfied with our response, you have the right to lodge a complaint with your national data protection authority.
We'd rather answer directly than hide behind boilerplate.
Privacy isn't a checkbox for us. Email privacy@inboxnanny.com with anything you want clarified.