Privacy Policy
Last updated: May 12, 2026
How InboxServe collects, uses, and protects personal data — including when you connect Gmail — under EU law.
1. Introduction
InboxServe B.V. (“InboxServe”, “we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we process it, how we protect it, and what rights you have under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Dutch GDPR Implementation Act (UAVG), and other applicable European and national privacy legislation.
This Privacy Policy describes how we process personal data when you use our services. Where we rely on consent, you may withdraw it as described in section 11.
2. Data Controller
The data controller for your personal data is:
InboxServe B.V.
Registered in The Netherlands
Email: privacy@inboxserve.com
3. What Personal Data We Collect
3.1 Account Data
- Full name, email address, encrypted password
- Organization name, ID, and role
3.2 Usage Data
- IP address, browser, operating system, referring URL
- Pages visited, actions performed, session duration
3.3 Customer and Communication Data
As a processor on your behalf:
- Messages and conversations between you and your customers
- Customer contact details, order data, attachments
3.4 Technical and Security Data
Log files, authentication tokens, and API call metadata.
3.5 Google User Data
If you choose to connect your Google account to InboxServe, we collect your Google email address (to identify the connected account) and OAuth tokens (access and refresh as issued by Google) needed to call Google APIs on your behalf. We request only the OAuth scopes listed in section 4.
4. Google API Disclosure & Limited Use
InboxServe uses Google APIs to provide sending from your connected Gmail or Google Workspace mailbox when you enable that option.
4.1 OAuth scopes (Connect Gmail)
The OAuth consent screen and our authorization request use the following scopes together (space-separated in the request: https://www.googleapis.com/auth/gmail.send openid https://www.googleapis.com/auth/userinfo.email):
- https://www.googleapis.com/auth/gmail.send — send email through the Gmail API when you send replies or outbound messages from your connected account inside InboxServe.
- openid — establish your Google sign-in session for the OAuth grant used by this connection flow.
- https://www.googleapis.com/auth/userinfo.email — read your Google account email address via the OAuth UserInfo endpoint so we can display and store which mailbox is connected (we do not use Gmail read or metadata scopes for mailbox access).
4.2 Access, use, storage, and sharing
- Access: We access Google user data only after you complete Google's OAuth consent for the scopes above, and only through Google's APIs for the purposes described here.
- Use: We use this data to identify the connected mailbox, maintain the connection, and send messages you initiate from InboxServe through your Google account. We do not use Google user data to serve advertisements (including remarketing or interest-based ads); we do not transfer Google user data to third parties except where necessary to provide or improve user-facing features in InboxServe, where compelled by applicable law, or in connection with a merger, acquisition, or sale of assets with continued protection; we do not allow humans to read Google user data except (a) where you have given us specific consent to do so, (b) where it is necessary for security purposes such as investigating abuse, (c) where required to comply with applicable law, or (d) where the data has been aggregated and de-identified and is used for internal operations consistent with this policy; and we do not use Google user data to develop, improve, or train generalised or non-personalised AI or machine-learning models.
- Storage: We store your connected Google email address and OAuth tokens in our service database (hosted with our infrastructure providers) until you disconnect Gmail or delete your account, as described in section 9. Data is transmitted over TLS; our security measures are described in section 10.
- Sharing: Google processes data according to Google's terms and policies. We do not transfer Google user data to third parties except as needed to operate the service (sub-processors in section 7) or when required by law.
We do not use the Gmail API to read your mailbox. Inbound mail typically reaches InboxServe through your forwarding or channel configuration. Your organization may view and handle those conversations in InboxServe as a support platform in line with your instructions and this policy.
4.3 Scopes we do not request
For the Gmail connection described above, we do not request Gmail read, metadata-only, compose/draft management, or full-mailbox scopes (for example gmail.readonly, gmail.modify, or https://mail.google.com/). We use send-only access via https://www.googleapis.com/auth/gmail.send for messages you initiate in InboxServe.
4.4 Limited Use
InboxServe's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we do not use Google user data for serving advertisements (including personalised, remarketing, or interest-based ads); we do not transfer Google user data to third parties except as necessary to provide or improve user-facing features in InboxServe, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with continued protection; we do not allow humans to read Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes such as investigating abuse, it is required to comply with applicable law, or the data has been aggregated and de-identified and is used only for internal operations; and we do not use Google user data to develop, improve, or train generalised or non-personalised AI or machine-learning models.
4.5 Scope of other purposes
The general processing purposes listed in section 5 (Legal Basis) and section 6 (Purposes of Processing) — including platform improvement, analytics, service improvement, and marketing communications — do not apply to Google user data. Google user data is processed only for the purposes described in this section 4, in line with the Google API Services User Data Policy and its Limited Use requirements.
5. Legal Basis for Processing
| Legal basis | Explanation |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Necessary to provide our services and manage your account. |
| Legitimate interest (Art. 6(1)(f)) | Improving services, security, fraud prevention, and user experience optimization. |
| Legal obligation (Art. 6(1)(c)) | Tax administration, court orders. |
| Consent (Art. 6(1)(a)) | Optional Google OAuth to connect Gmail for sending; non-essential cookies or marketing communications where you have opted in. Withdrawable at any time where consent is the legal basis. |
6. Purposes of Processing
- Service delivery: Account management, message processing, and customer interactions.
- Platform improvement: Usage analysis and feature development.
- Security: Protection against unauthorized access and abuse.
- Communication: Inquiries, service notifications, and — where you have opted in separately — product marketing communications using the contact details you provided to us. We never use Google user data for marketing.
- Legal obligations: Compliance with applicable laws.
- Dispute resolution: Establishing or defending legal claims.
8. International Data Transfers
We process data within the EEA where possible. Transfers outside the EEA are protected by adequacy decisions (where applicable), Standard Contractual Clauses, or the EU-U.S. Data Privacy Framework, depending on the provider and transfer scenario.
9. Retention Periods
- Account data: Duration of account plus 12 months.
- Usage data: Up to 26 months unless a shorter period is required for a specific log category.
- Google OAuth tokens: Until you disconnect the Gmail integration or delete your account.
- Billing data: 7 years (fiscal obligations).
- Communication data: For the duration of your subscription or contract plus 12 months, unless a longer period is required by law or dispute handling.
10. Security
- Encryption in transit (TLS/SSL) and at rest.
- Secure authentication with hashed passwords.
- Role-based access control (RBAC).
- Regular security audits.
- Incident response plan for data breaches.
11. Your Rights
Under the GDPR you have the right to: access, rectification, erasure, restriction of processing, data portability, object, withdraw consent where processing is based on consent, and not to be subject to solely automated decision-making that produces legal or similarly significant effects (where applicable). Contact us at privacy@inboxserve.com to exercise these rights. We respond within 30 days unless applicable law allows a different timeline.
13. Complaints
Contact us at privacy@inboxserve.com, or file a complaint with the Autoriteit Persoonsgegevens.
14. Contact
InboxServe B.V.
Registered in The Netherlands
Email: privacy@inboxserve.com