Privacy Policy
InboxAttic is built privacy-first. This policy explains exactly what data the InboxAttic Gmail add-on accesses, how it is used and stored, and the one narrow case in which any information leaves your Google account.
1. Who we are
InboxAttic (the "Service") is a Gmail add-on built on Google Apps Script and operated by Faraz Borghei ("InboxAttic," "we," "us," or "our"). InboxAttic is an independent product and is not affiliated with, endorsed by, or sponsored by Google.
This policy applies to the InboxAttic Gmail add-on and the InboxAttic website. Questions can be sent to support@inboxattic.com.
2. What Google user data we access
When you install and authorize InboxAttic, it runs inside your own Google account under the permissions you grant. It reads only message metadata. Specifically, for the messages it processes, InboxAttic accesses:
- the From header (the sender's name and email address);
- the Date the message was received;
- Gmail's estimated size of the message; and
- whether a List-Unsubscribe header is present (i.e. whether the message offers a one-click unsubscribe).
3. How that data is used and stored
The metadata above is used to compute per-day and per-sender aggregates โ for example, how much storage a given sender is using, how many messages you receive over time, and which senders offer an unsubscribe option. These aggregates power the InboxAttic dashboard and the one-click cleanup features.
These derived aggregates are stored in a Google Sheet inside your own Google account. Nothing about your mailbox โ neither the metadata nor the aggregates derived from it โ is stored on InboxAttic's servers or transmitted off your Google account. It stays with you.
Cleanup actions
When you choose a cleanup action โ archive, label, move to trash, or unsubscribe โ that action runs under your own authorization, on your own mailbox, only when you initiate it:
- Archive and label are reversible โ you can undo them at any time.
- Trash moves messages to Gmail's Trash, where they remain recoverable for 30 days before Gmail removes them.
- InboxAttic performs no permanent deletion of your email on its own.
4. Google API Services Limited Use
5. What we never do with your data
To be explicit, InboxAttic does not:
- sell, rent, or transfer your data to third parties, ad networks, or data brokers;
- use your data for advertising, retargeting, or building marketing profiles;
- use your data for credit, lending, or any creditworthiness determination;
- keep permanent copies of your Google user data;
- use your data to train, fine-tune, or develop artificial-intelligence or machine-learning models;
- allow humans to read your data, except as narrowly permitted by the Google API Services User Data Policy (for example, with your explicit consent, for security purposes, to comply with applicable law, or where the data is aggregated and used for internal operations in line with that policy).
6. The one thing that leaves your account: licensing
To unlock paid features, InboxAttic needs to check whether you have an active paid subscription. To do that, the add-on sends your email address โ and nothing else โ over HTTPS to InboxAttic's licensing service, which runs on a Cloudflare Worker.
That request is used solely to verify your subscription status. No mailbox data โ no metadata, no aggregates, no message content โ is ever sent to the licensing service or to any InboxAttic server. Your email address is the only piece of information that ever leaves your Google account, and it is used only for licensing.
7. Payments (Paddle)
Purchases are processed by Paddle.com as our Merchant of Record (seller of record). Paddle handles payment collection, billing, invoicing, and applicable taxes, and acts as a data processor for the payment information you provide to it.
InboxAttic does not receive or store your card or payment details. Your handling of payment data is governed by Paddle's own terms and privacy policy, available at Paddle's buyer terms and Paddle's privacy policy.
8. The InboxAttic website
The InboxAttic website (this site) sets no tracking cookies and runs no third-party analytics on your data. If you email us, we use your message and email address only to respond to and support you.
9. Data retention and deletion
Because your mailbox metadata and the aggregates derived from it live entirely inside your own Google account, you control retention and deletion directly:
- Delete the InboxAttic Google Sheet from your Google account to remove the stored aggregates.
- Uninstall the add-on and/or revoke its access (via your Google Account permissions) to stop all further access.
Together, deleting the Sheet and revoking access removes all InboxAttic-related data from your Google account. We hold no separate copy to delete on your behalf. For licensing, we retain your email address for only as long as needed to administer your subscription; you may ask us to delete it by contacting support@inboxattic.com, subject to any records Paddle must keep as Merchant of Record.
10. Your privacy rights (GDPR / CCPA)
Depending on where you live, you may have rights under laws such as the EU/UK General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA/CPRA), including the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing.
Most of your data never leaves your Google account, so you can exercise these rights yourself by managing or deleting the Google Sheet and revoking the add-on's access. For the limited data we do hold (your email address, for licensing), you can exercise your rights by contacting support@inboxattic.com. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. If you are in the EEA or UK, our legal bases for processing your email address are performance of a contract (providing the licensed Service) and our legitimate interest in operating the Service.
11. Children
InboxAttic is not directed to children under 13 (or the minimum age of digital consent in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Your continued use of InboxAttic after an update means you accept the revised policy.
13. Contact
Questions about this policy or your data? Contact Faraz Borghei at support@inboxattic.com.