Legal

InboxPilot Privacy Policy

Last updated June 17, 2025

At InboxPilot, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website, use our services, or otherwise communicate with us — and it tells you about your privacy rights and how the law protects you.

1. Important information and who we are

1.1 Purpose of this privacy policy

This privacy policy aims to give you information on how InboxPilot collects and processes your personal data through your use of our website, our InboxPilot services, or otherwise when you communicate or interact with us in the course of business.

1.2 Controller

If you are a registered customer of InboxPilot, we act as the data controller of personal data about you and your use of InboxPilot, but as the data processor of personal data in the information you submit to InboxPilot to use InboxPilot's products and services (such as information about your emails, email accounts, connected integrations, and knowledge-base content). If we are the data processor of your personal data (i.e., not the data controller), please contact the controller party in the first instance to address your rights with respect to such data.

If you have any questions about this privacy policy, including any requests to exercise your legal rights referred to below, please contact us using the details set out below.

1.3 Contact details

We are: InboxPilot of 2810 N Church St PMB 16104, Wilmington, Delaware 19802-4447, USA.

If you need to get hold of us for any reason in connection with your personal data, please email us at privacy@inboxpilot.co or support@inboxpilot.co.

If you are located in the United Kingdom or European Economic Area, you have the right to make a complaint at any time to your local supervisory authority. We would, however, appreciate the chance to deal with your concerns about privacy and data protection before you approach a regulator, so please contact us in the first instance.

1.4 Changes to the privacy policy and your duty to inform us of changes

This version was last updated on June 17, 2025. If you use our website or the InboxPilot services after any changes to this privacy policy have been posted, that means you agree to all of the changes. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

We may create aggregated, de-identified, or anonymized data from the personal data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified, or anonymized data and disclose it with third parties for our lawful business purposes, including to analyze, build, and improve the InboxPilot services and promote our business, provided that we will not disclose such data in a manner that could identify you.

We may collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data includes name, role at business, email address, and phone number.
  • Account Data includes login credentials, profile picture or avatar, organization details, and subscription preferences.
  • Financial Data includes billing information and payment card details (processed by our payment provider).
  • Correspondence Data includes email correspondence with our team, support tickets, and notes of conversations where these express an opinion.
  • Usage Data includes information about how you use our website or services, including feature usage and configuration settings.
  • Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website or our services.
  • Email and Integration Data includes message IDs, thread IDs, AI-generated draft and sent responses, and metadata necessary to provide our email automation services. We do not store full email content beyond what is required to deliver the service.

We explicitly do not:

  • Store email attachments
  • Sell your data to third parties
  • Share data with information resellers
  • Use your data for advertising or credit assessment
  • Use data obtained through Google Workspace APIs to develop, improve, or train generalized AI or machine learning models

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

  1. Direct interactions. We collect the majority of your data through our InboxPilot products and services on our website, by email, over the phone, in person at meetings, or otherwise.
  2. Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
  3. Third parties or publicly available sources. We may receive Technical Data about you from analytics providers with servers based outside of Europe.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • In anticipation of or in accordance with the terms of use or service agreement that we have with you;
  • Where it is necessary for our legitimate interests (or those of a third party) in the operation of our business and we have made an objective assessment that your interests and fundamental rights do not override those interests (for example to manage our relationship with you, to improve the service that we offer, or to answer an enquiry you make to us); or
  • Where we need to comply with a legal or regulatory obligation.

Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

5. Gmail, Outlook, and connected account access

InboxPilot uses OAuth to connect to your Gmail, Outlook, and other supported accounts with the permissions necessary to read, draft, and send emails on your behalf. We are committed to ensuring the privacy and security of your data. Here is how we handle connected account data:

  • Email access. We access your emails solely to provide AI drafting, triage, labeling, workflows, and automation features you configure.
  • Data minimization. We store only what is necessary to operate the service, such as message IDs, thread IDs, and outgoing AI-generated responses for logging and quality assurance.
  • Data security. All data interactions are encrypted and handled securely. We adhere to industry-standard security practices to protect your information.
  • User control. You can revoke InboxPilot's access to your connected accounts at any time through your Google or Microsoft account settings, or by disconnecting the integration within InboxPilot.

6. Data shared with third-party AI models

6.1 Data shared with AI models

To provide email drafting, categorization, triage, and automation features, our service employs machine learning models using third-party AI providers, including OpenAI, LLC. We require our AI service providers to use your information only for the purpose of providing our service. We do not allow those providers to train their AI models using your data.

The following data types may be shared with these AI models:

  • Email content and data: Subject lines, email body text, sender and recipient information (limited to what is required for the requested feature).
  • Knowledge-base and integration data: Content from documents, websites, and connected tools you choose to ground replies in.
  • Calendar and CRM context: Where you connect supported integrations, relevant event or contact context needed to draft accurate replies.

This data is processed for the sole purpose of delivering the services you request and is not used for any other functions within the AI models.

6.2 User consent for data sharing with AI models

Before sharing your data with our AI models, we seek your consent through our onboarding flow and account connection process. Significant changes to how we use AI processing will be communicated through updates to this policy and, where appropriate, in-product notices.

6.3 Third-party AI data retention

We configure third-party AI services to not retain or use your personal data, email content, or customer information for training their models. We use API configurations that disable data retention and training features where available, and we have contractual protections in place with AI providers that prohibit use of your data for model training or improvement.

7. Disclosures of your personal data

We will need to share your personal data with the parties set out below for the purposes set out in section 4 above:

  • Our service providers acting as processors who may be based in the US or elsewhere outside the EEA and who provide us with cloud hosting, IT support, data storage, payment processing, email and integration services, customer support tooling, and language model services. Our current sub-processors include Amazon Web Services, Inc., Google LLC, OpenAI, LLC, Stripe, Inc., and Zendesk, Inc. (where used).
  • Analytics service providers which may have servers based in the US for the purpose of analyzing user behavior on our website.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

For more detail on how we process data on your behalf, see our Data Processing Agreement.

8. International transfers

A number of our service providers processing your personal data on our behalf are based in the US or elsewhere outside the EEA, so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring that either:

  • We have a specific contract with that processor in a form approved by the European Commission which ensures that the service provider gives your personal data the same protection it has in Europe; or
  • If the provider is based in the US, it participates in an approved transfer mechanism such as the EU-US Data Privacy Framework or Standard Contractual Clauses.

Information we collect about you will also be processed in the United States. By using InboxPilot's services, you acknowledge that your personal information may be processed in the United States. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

9. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Our security measures include:

  • Encryption of data in transit and at rest
  • Secure cloud infrastructure with industry-standard protections
  • Regular security assessments and updates
  • Access controls, authentication mechanisms, and audit logging

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. How long will you use my personal data for?

  • We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
  • To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  • Outgoing AI-generated emails, message IDs, and thread IDs may be retained for service functionality and quality assurance while your account is active.
  • In some circumstances, you can ask us to delete your data (see below for further information).
  • In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

You may request deletion of your data by contacting our Privacy Team at support@inboxpilot.co, using deletion tools in your account settings, or revoking access through your connected account provider.

11. Your legal rights

You have the right in certain circumstances to:

  • Request access to your personal data (a "data subject access request").
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  • Request restriction of processing of your personal data.
  • Request the transfer of your personal data to you or to a third party.

More information on these rights and when they apply is available from the UK Information Commissioner's Office.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Children's data

We do not knowingly attempt to solicit or receive information from children.

13. Questions, concerns, or complaints

If you have questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact us at:

InboxPilot
2810 N Church St PMB 16104
Wilmington, Delaware 19802-4447
privacy@inboxpilot.co

Thank you for choosing InboxPilot. We are committed to ensuring your privacy and providing a secure platform.

© 2026 InboxPilot. All rights reserved.

¡nboxpilot