InboxServe
InboxServe
Sign inStart free trial

Privacy Policy

Last updated: April 15, 2026

How InboxServe collects, uses, and protects personal data — including when you connect Gmail — under EU law.

1. Introduction

InboxServe B.V. (“InboxServe”, “we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we process it, how we protect it, and what rights you have under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Dutch GDPR Implementation Act (UAVG), and other applicable European and national privacy legislation.

This Privacy Policy describes how we process personal data when you use our services. Where we rely on consent, you may withdraw it as described in section 11.

2. Data Controller

The data controller for your personal data is:

InboxServe B.V.
Registered in The Netherlands
Email: privacy@inboxserve.com

3. What Personal Data We Collect

3.1 Account Data

  • Full name, email address, encrypted password
  • Organization name, ID, and role

3.2 Usage Data

  • IP address, browser, operating system, referring URL
  • Pages visited, actions performed, session duration

3.3 Customer and Communication Data

As a processor on your behalf:

  • Messages and conversations between you and your customers
  • Customer contact details, order data, attachments

3.4 Technical and Security Data

Log files, authentication tokens, and API call metadata.

3.5 Google User Data

If you choose to connect your Google account to InboxServe, we collect your Google email address (to identify the connected account) and OAuth tokens (access and refresh as issued by Google) needed to call Google APIs on your behalf. We request only the OAuth scopes listed in section 4.

4. Google API Disclosure & Limited Use

InboxServe uses Google APIs to provide sending from your connected Gmail or Google Workspace mailbox when you enable that option.

4.1 OAuth scopes (Connect Gmail)

The OAuth consent screen and our authorization request use the following scopes together (space-separated in the request; see https://www.googleapis.com/auth/gmail.send openid https://www.googleapis.com/auth/userinfo.email):

  • https://www.googleapis.com/auth/gmail.send — send email through the Gmail API when you send replies or outbound messages from your connected account inside InboxServe.
  • openid — establish your Google sign-in session for the OAuth grant used by this connection flow.
  • https://www.googleapis.com/auth/userinfo.email — read your Google account email address via the OAuth UserInfo endpoint so we can display and store which mailbox is connected (we do not use Gmail read or metadata scopes for mailbox access).

4.2 Access, use, storage, and sharing

  • Access: We access Google user data only after you complete Google's OAuth consent for the scopes above, and only through Google's APIs for the purposes described here.
  • Use: We use this data to identify the connected mailbox, maintain the connection, and send messages you initiate from InboxServe through your Google account. We do not use Google user data for advertising, and we do not sell Google user data.
  • Storage: We store your connected Google email address and OAuth tokens in our service database (hosted with our infrastructure providers) until you disconnect Gmail or delete your account, as described in section 9. Data is transmitted over TLS; our security measures are described in section 10.
  • Sharing: Google processes data according to Google's terms and policies. We do not transfer Google user data to third parties except as needed to operate the service (sub-processors in section 7) or when required by law.

We do not use the Gmail API to read your mailbox. Inbound mail typically reaches InboxServe through your forwarding or channel configuration. Your organization may view and handle those conversations in InboxServe as a support platform in line with your instructions and this policy.

4.3 Scopes we do not request

For the Gmail connection described above, we do not request Gmail read, metadata-only, compose/draft management, or full-mailbox scopes (for example gmail.readonly, gmail.modify, or https://mail.google.com/). We use send-only access via https://www.googleapis.com/auth/gmail.send for messages you initiate in InboxServe.

4.4 Limited Use

InboxServe's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We limit use of Google user data to providing and improving user-visible features in InboxServe (such as sending mail you initiate and displaying which mailbox is connected). We do not use Google user data for serving advertisements, and we do not sell or trade this data to third parties.

6. Purposes of Processing

  1. Service delivery: Account management, message processing, and customer interactions.
  2. Platform improvement: Usage analysis and feature development.
  3. Security: Protection against unauthorized access and abuse.
  4. Communication: Inquiries, service notifications, and marketing (with consent where required).
  5. Legal obligations: Compliance with applicable laws.
  6. Dispute resolution: Establishing or defending legal claims.

7. Sharing of Personal Data

We never sell your personal data. We share data only with:

7.1 Sub-processors

  • Supabase Inc. (database and authentication)
  • Vercel Inc. (hosting)
  • Google APIs (for sending email when you connect Gmail)
  • Email service providers (transactional and delivery infrastructure)

7.2 Legal obligation

Data may be shared with authorities if legally required.

7.3 Business transfer

In case of merger, acquisition, or sale of assets, personal data may be transferred subject to continued protection and notice as required by applicable law.

8. International Data Transfers

We process data within the EEA where possible. Transfers outside the EEA are protected by adequacy decisions (where applicable), Standard Contractual Clauses, or the EU-U.S. Data Privacy Framework, depending on the provider and transfer scenario.

9. Retention Periods

  • Account data: Duration of account plus 12 months.
  • Usage data: Up to 26 months unless a shorter period is required for a specific log category.
  • Google OAuth tokens: Until you disconnect the Gmail integration or delete your account.
  • Billing data: 7 years (fiscal obligations).
  • Communication data: For the duration of your subscription or contract plus 12 months, unless a longer period is required by law or dispute handling.

10. Security

  • Encryption in transit (TLS/SSL) and at rest.
  • Secure authentication with hashed passwords.
  • Role-based access control (RBAC).
  • Regular security audits.
  • Incident response plan for data breaches.

11. Your Rights

Under the GDPR you have the right to: access, rectification, erasure, restriction of processing, data portability, object, withdraw consent where processing is based on consent, and not to be subject to solely automated decision-making that produces legal or similarly significant effects (where applicable). Contact us at privacy@inboxserve.com to exercise these rights. We respond within 30 days unless applicable law allows a different timeline.

12. Cookies

We only use strictly necessary cookies for authentication. No consent is required under Article 5(3) of the ePrivacy Directive for those essential cookies. If we introduce analytical, marketing, or similar non-essential cookies or similar technologies, we will obtain your prior consent in line with the GDPR and applicable national rules (including Dutch requirements where they apply) before activating them.

13. Complaints

Contact us at privacy@inboxserve.com, or file a complaint with the Autoriteit Persoonsgegevens.

14. Contact

InboxServe B.V.
Registered in The Netherlands
Email: privacy@inboxserve.com

Drafted in accordance with GDPR (EU) 2016/679, the Dutch UAVG, and the ePrivacy Directive (2002/58/EC).