Privacy Policy

Last updated: January 2025

InboxBuddy ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our AI scheduling assistant service.

Information We Collect

When you use InboxBuddy, we collect:

• Account Information: Your email address and name from Google OAuth
• Calendar Data: Access to your Google Calendar to check availability and create events
• Email Content: Email threads where InboxBuddy is CC'd, to understand scheduling requests

How We Use Your Information

We use your information solely to:

• Check your calendar availability
• Propose meeting times to email participants
• Create calendar events when meetings are confirmed
• Send scheduling-related emails on your behalf

Data Storage & Security

Your data is processed on Cloudflare's edge network with the following security measures:

• OAuth tokens are encrypted using AES-256-GCM before storage
• Session tokens are cryptographically signed (HMAC-SHA256)
• All data transmission uses HTTPS/TLS encryption
• We use Cloudflare's secure infrastructure (D1, KV, Durable Objects)

Data Sharing & Third-Party Services

InboxBuddy shares, transfers, or discloses your data to the following third-party services:

1. Anthropic (Claude AI)

• What we share: Limited email content (subject lines and scheduling-related text excerpts only)
• What we do NOT share: Google Calendar data, event details, attendee lists, calendar IDs, or Google OAuth tokens are NEVER sent to Anthropic
• Purpose: Natural language processing to understand scheduling intent and extract proposed meeting times
• Data retention by Anthropic: Anthropic does not retain API inputs beyond the immediate processing of the request
• AI Training: We use Anthropic's commercial API which does NOT use customer data for model training. Per Anthropic's Commercial Terms: "Anthropic will not train models on Customer Content unless Customer explicitly opts in." We have NOT opted in.
• Privacy Policy: Anthropic Privacy Policy

2. Google

• What we access: Google Calendar (read availability, create events), basic profile info (name, email)
• Purpose: Authentication, checking your availability, and creating calendar events
• Data flow: Google data stays within our secure infrastructure and is not shared with other third parties
• Privacy Policy: Google Privacy Policy

3. Cloudflare

• What we share: All application data is processed on Cloudflare's infrastructure
• Purpose: Hosting, data storage (D1 database, KV store), and edge computing
• Privacy Policy: Cloudflare Privacy Policy

Google API Services User Data Policy Compliance

InboxBuddy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data for the purposes described in this policy (scheduling meetings)
• We do not use Google user data for serving advertisements
• We do not allow humans to read your data unless required for security purposes, required by law, or with your explicit consent
• We do not use Google user data for training generalized AI or machine learning models
• We do not transfer Google user data to third parties for AI training purposes

Data Retention

We retain your data as follows:

• Account data: Until you delete your account
• Conversation metadata: 90 days after last activity
• OAuth tokens: Until revoked or expired

Your Rights

You have the right to:

• Access your personal data
• Delete your account and associated data
• Revoke Google Calendar/Gmail access at any time via Google Account Settings
• Export your data upon request

Contact Us

For privacy-related questions or requests, contact us at @whoiskatrin on X (Twitter).

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.