Legal

Privacy Policy

Effective date: July 3, 2026 · Last updated: July 3, 2026

InboxAttic is built privacy-first. This policy explains exactly what data the InboxAttic Gmail add-on accesses, how it is used and stored, and the one narrow case in which any information leaves your Google account.

The short version. InboxAttic reads only mailbox metadata (who sent a message, when, its estimated size, and whether it offers a one-click unsubscribe). It never reads the body, subject, or attachments of your email. All analysis is stored in a Google Sheet inside your own Google account. The only thing ever sent to us is your email address, used solely to check whether you have a paid subscription.

1. Who we are

InboxAttic (the "Service") is a Gmail add-on built on Google Apps Script and operated by Faraz Borghei ("InboxAttic," "we," "us," or "our"). InboxAttic is an independent product and is not affiliated with, endorsed by, or sponsored by Google.

This policy applies to the InboxAttic Gmail add-on and the InboxAttic website. Questions can be sent to support@inboxattic.com.

2. What Google user data we access

When you install and authorize InboxAttic, it runs inside your own Google account under the permissions you grant. It reads only message metadata. Specifically, for the messages it processes, InboxAttic accesses:

InboxAttic never reads the body, subject line, or attachments of any message. It does not download, copy, or transmit the contents of your email.

3. How that data is used and stored

The metadata above is used to compute per-day and per-sender aggregates — for example, how much storage a given sender is using, how many messages you receive over time, and which senders offer an unsubscribe option. These aggregates power the InboxAttic dashboard and the one-click cleanup features.

These derived aggregates are stored in a Google Sheet inside your own Google account. Nothing about your mailbox — neither the metadata nor the aggregates derived from it — is stored on InboxAttic's servers or transmitted off your Google account. It stays with you.

Cleanup actions

When you choose a cleanup action — archive, label, move to trash, or unsubscribe — that action runs under your own authorization, on your own mailbox, only when you initiate it:

4. Google API Services Limited Use

InboxAttic's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. What we never do with your data

To be explicit, InboxAttic does not:

6. The one thing that leaves your account: licensing

To unlock paid features, InboxAttic needs to check whether you have an active paid subscription. To do that, the add-on sends your email address — and nothing else — over HTTPS to InboxAttic's licensing service, which runs on a Cloudflare Worker.

That request is used solely to verify your subscription status. No mailbox data — no metadata, no aggregates, no message content — is ever sent to the licensing service or to any InboxAttic server. Your email address is the only piece of information that ever leaves your Google account, and it is used only for licensing.

7. Payments (Paddle)

Purchases are processed by Paddle.com as our Merchant of Record (seller of record). Paddle handles payment collection, billing, invoicing, and applicable taxes, and acts as a data processor for the payment information you provide to it.

InboxAttic does not receive or store your card or payment details. Your handling of payment data is governed by Paddle's own terms and privacy policy, available at Paddle's buyer terms and Paddle's privacy policy.

8. The InboxAttic website

The InboxAttic website (this site) sets no tracking cookies and runs no third-party analytics on your data. If you email us, we use your message and email address only to respond to and support you.

9. Data retention and deletion

Because your mailbox metadata and the aggregates derived from it live entirely inside your own Google account, you control retention and deletion directly:

Together, deleting the Sheet and revoking access removes all InboxAttic-related data from your Google account. We hold no separate copy to delete on your behalf. For licensing, we retain your email address for only as long as needed to administer your subscription; you may ask us to delete it by contacting support@inboxattic.com, subject to any records Paddle must keep as Merchant of Record.

10. Your privacy rights (GDPR / CCPA)

Depending on where you live, you may have rights under laws such as the EU/UK General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA/CPRA), including the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing.

Most of your data never leaves your Google account, so you can exercise these rights yourself by managing or deleting the Google Sheet and revoking the add-on's access. For the limited data we do hold (your email address, for licensing), you can exercise your rights by contacting support@inboxattic.com. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. If you are in the EEA or UK, our legal bases for processing your email address are performance of a contract (providing the licensed Service) and our legitimate interest in operating the Service.

11. Children

InboxAttic is not directed to children under 13 (or the minimum age of digital consent in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Your continued use of InboxAttic after an update means you accept the revised policy.

13. Contact

Questions about this policy or your data? Contact Faraz Borghei at support@inboxattic.com.


See also our Terms of Service.