PureBox

Privacy Policy

Last updated: May 10, 2026

**Operator / Data Controller.** PureBox is an independent software project operated by an individual acting as a sole proprietor (not a registered company, corporation, or LLC), based in Israel ("PureBox," "Operator," "we," "us," or "our"). For privacy purposes, the Operator acts as the data controller (or equivalent) for personal information processed through the Service. You acknowledge that PureBox is operated by a single individual on a best-effort basis without staffed support. The sole contact address for all privacy, data-subject, support, billing, and security matters is support@purebox.ai; postal notices (where strictly required by law) may be sent to 1985 Del Amo Blvd, #C0050, Torrance, California (CA) 90501.

This Privacy Policy explains how the Operator collects, uses, discloses, and retains personal information when you use the PureBox website, applications, AI-assisted features, inbox-cleanup tools, subscriptions, and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Service. This Privacy Policy does not govern third-party websites, applications, or services that are not controlled by us, including Google, Stripe, Supabase, Microsoft Azure, AI model providers, or other third-party services you may choose to use in connection with PureBox. Those services are governed by their own privacy policies.

Scope

This Privacy Policy applies to personal information we collect:

- when you visit our website, sign up, or create an account;
- when you connect a Gmail account or otherwise authorize mailbox access;
- when you subscribe to, pay for, or manage a paid plan or trial;
- when you contact support, participate in surveys or promotions, or otherwise communicate with us;
- when we secure, monitor, operate, improve, support, analyze, or enforce the Service; and
- when you interact with our emails, marketing materials, or ads.

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you.

Information We Collect

### A. Account and Profile Information

- name, email address, and login identifiers;
- authentication records, session tokens, two-factor secrets, and recovery codes;
- subscription status, plan type, trial status, usage tier, and customer identifiers;
- preferences, language, timezone, and notification settings; and
- information you voluntarily provide in support requests, surveys, or communications.

### B. Gmail Connection and Inbox Data

When you connect Gmail, we may collect or generate:

- your Gmail account email address, profile identifiers, and the OAuth scopes you grant;
- OAuth access and refresh tokens, token metadata, token expirations, and revocation signals;
- Gmail message identifiers, thread identifiers, labels, categories, senders, recipients, subjects, timestamps, size metadata, and mime-type metadata;
- Gmail snippets, message bodies (in whole or in part), selected headers, attachment metadata, and inline-image metadata needed to scan, classify, rank, summarize, surface, or act on messages;
- derived classification results, confidence scores, reasoning traces, rule assignments, activity history, and usage metrics;
- mailbox-management instructions and write-action logs, such as archive, label, mark-as-read, trash, untrash, or restore actions;
- calendar-invite detection, attachment detection, unsubscribe-link detection, and similar feature-derived signals; and
- related Gmail payload data that may be processed when necessary to support classification, sender analysis, troubleshooting, rule enforcement, or debugging.

PureBox is designed to process only the data reasonably necessary to provide inbox-cleanup and related features. We do not sell Gmail-derived personal information, and we do not use it to serve or personalize advertising.

### C. Billing and Transaction Information

If you purchase a subscription, our payment providers (principally Stripe) may collect:

- plan selection, billing status, invoices, payment history, and subscription lifecycle events;
- limited customer, card-brand, card-country, last-four, and transaction metadata (but not full card numbers);
- tax residency, VAT or similar tax identifiers if provided, refund records, dispute records, chargeback records, and fraud-prevention signals; and
- records required for tax, accounting, and regulatory compliance.

We do not store full payment card numbers in PureBox systems.

### D. Device, Usage, and Diagnostic Data

We automatically collect:

- IP address, user agent, browser type, operating system, device identifiers, screen resolution, and approximate location derived from IP;
- session data, page views, feature usage, clicks, referrers, timestamps, and client-side error traces;
- **session replays**, which record your interactions with the Service interface, including mouse movements, clicks, scrolls, page navigations, form interactions, and rendered page content (including email metadata such as subjects, sender names, snippets, and classification results visible on screen at the time of the session);
- web vitals and browser performance metrics (Largest Contentful Paint, Cumulative Layout Shift, Interaction to Next Paint, memory usage);
- performance, reliability, abuse-prevention, and security telemetry; and
- cookie, local-storage, session-storage, and similar technology data used for authentication, preferences, analytics, and Service operation.

Session replays are used to diagnose usability issues, investigate bugs, evaluate user experience, measure feature adoption, and improve the Service - including by training, fine-tuning, evaluating, and benchmarking the narrowly-tailored AI/ML, ranking, classification, summarization, and product-quality models that exclusively power user-facing PureBox features. Replay data is sent to and stored by our observability vendor (Better Stack) under the terms described in Section 7. Session replays may capture on-screen content, including Gmail-derived data rendered in the Service interface. We do not use session-replay data for advertising, we do not use it to train general-purpose, third-party, or foundation AI models, and we do not share it with third parties except as described in Section 7.

### E. Communications and Support Data

We collect the contents of your support requests, emails, chats, survey responses, and any attachments or follow-up information you provide. These may be stored by our support, ticketing, and email-delivery vendors.

### F. Cookies and Similar Technologies

We and our service providers use cookies, pixels, SDKs, local storage, and similar technologies for authentication, session management, security (including CSRF and fraud protection), preferences, load balancing, analytics, performance measurement, feature flags, error monitoring, and limited first-party product analytics. We do not use third-party advertising cookies or cross-site tracking to build user profiles. You can manage cookies through your browser settings; disabling required cookies will prevent the Service from functioning. Where required by applicable law (including in the EEA, UK, and other regions), we display a cookie banner and obtain consent before setting non-essential cookies.

Our cookie categories are:

- **Strictly necessary cookies** (required for authentication, security, and core Service operation);
- **Functional cookies** (save settings and product preferences); and
- **Analytics cookies** (measure usage and performance to improve the Service).

We do not use advertising or cross-context behavioral tracking cookie categories.

Sources of Information

We collect information:

- directly from you (account registration, checkout, support requests, settings);
- automatically through your interaction with the Service (device, usage, diagnostics, cookies);
- from Gmail and Google authentication (Gmail content and metadata, profile information);
- from our payment, authentication, analytics, observability, and support vendors; and
- from public sources, fraud-prevention services, and legal process where applicable.

How We Use Information

We use personal information to:

- provide, authenticate, personalize, maintain, and secure the Service;
- connect to Gmail, scan inbox data, generate suggestions and classifications, and perform user-authorized mailbox actions;
- process subscriptions, payments, trials, renewals, cancellations, refunds, chargebacks, and billing support;
- communicate with you about your account, security, service changes, updates, and, where permitted, marketing;
- improve features, workflows, detection logic, classification quality, evaluation datasets, model performance, and user experience, including by training, fine-tuning, distilling, evaluating, benchmarking, regression-testing, and otherwise developing narrowly-tailored AI/ML, ranking, classification, summarization, sender-reputation, deliverability, and product-quality models that exclusively power user-facing PureBox features;
- build, curate, label, annotate, and audit internal evaluation, training, fine-tuning, and quality-assurance datasets derived from email metadata, classification outcomes, user feedback (including accept, reject, undo, edit, snooze, and re-label signals), session replays, activity logs, support communications, and other Service interactions;
- detect, investigate, prevent, and respond to fraud, abuse, spam, security incidents, policy violations, and legal threats;
- comply with legal obligations, respond to lawful requests, and enforce our Terms of Service and policies;
- protect our rights, property, customers, vendors, and the public; and
- create aggregated or de-identified analytics, benchmarks, product metrics, and operational insights that do not identify you.

We do not use the content of your emails, Gmail-derived data, or session replays to train general-purpose, third-party, or foundation AI models. Consistent with the Google API Services User Data Policy, we may use Gmail-derived data and session replays to train, fine-tune, evaluate, and improve AI/ML models that are narrowly tailored to PureBox and used solely to support user-facing features that are prominent in the Service interface (such as classification, ranking, summarization, sender insights, rule suggestions, and similar inbox-cleanup features). Where feasible we minimize, redact, pseudonymize, or aggregate the data used for these purposes.

Gmail and Google API Data; Limited Use Commitment

If you connect Gmail, you authorize us to access and process Google user data as needed to provide the Service features you enable.

**PureBox's use and transfer to any other app of information received from Google APIs will adhere to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.**

### Scopes we request

| OAuth scope | Why we request it | What we do with the data |
|---|---|---|
| `https://www.googleapis.com/auth/userinfo.email` | Identify the Gmail account you connect so we can route classifications and apply changes to the correct mailbox. | We store your Gmail email address linked to your PureBox account; we do not use it for marketing without separate consent. |
| `https://www.googleapis.com/auth/gmail.modify` | Read message metadata + selected content for classification, AND apply the labels, archives, and trash actions you authorize from the review screen. | Read access powers scan and classification; write access executes only the actions you confirm. We never delete messages permanently and we never send mail on your behalf. |

We request `gmail.modify` (rather than the narrower `gmail.readonly` or `gmail.metadata`) because the Service applies labels and moves messages to archive or trash on your behalf - operations that the read-only scopes cannot perform. We do not request the broader `https://mail.google.com/` scope.

### In practical terms

- we use Gmail data only to provide or improve user-facing features that are prominent in the Service (including scan, classification, cleanup, rules, sender insights, and account management);
- we do not transfer Gmail data to third parties except to the sub-processors listed in Section 7, to comply with applicable law, or as part of a merger, acquisition, or asset sale with continuing privacy protections;
- we do not use Gmail data, raw or derived, for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
- we do not use Gmail data, raw or derived, to train, fine-tune, distill, or evaluate any generalized, third-party, or foundation AI/ML model. Our third-party AI provider (Microsoft Azure OpenAI Service) is configured so that prompts and completions are not used to improve Microsoft or third-party models;
- as expressly permitted by the Google API Services User Data Policy, we may use Gmail data and Service interaction data (including session replays, classification outcomes, and user feedback signals) to train, fine-tune, evaluate, benchmark, and improve narrowly-tailored AI/ML models that are exclusively used to power user-facing PureBox features prominent in the Service interface (such as classification, ranking, summarization, sender insights, rule suggestions, and similar inbox-cleanup features). We do not transfer such models, model weights, embeddings, or training datasets containing Gmail data to third parties except subprocessors acting on our behalf under written confidentiality and use restrictions consistent with this Policy;
- human review of Gmail data is limited to (i) you or someone acting on your behalf, (ii) cases where we have your specific consent, (iii) security, fraud, and abuse investigations, (iv) legal compliance, (v) where the data is aggregated and used for internal operations under the Limited Use requirements, or (vi) where strictly necessary to label, curate, audit, or quality-assure internal training and evaluation datasets used solely to improve user-facing PureBox features, with access limited to the Operator (or a sole authorized contractor under written confidentiality) on a least-privilege basis; and
- you can revoke Google access through your Google account permissions, disconnect Gmail inside the Service, or delete your account, which revokes our refresh token and removes derived data within thirty (30) days.

AI-Assisted Processing

PureBox uses automated systems, including AI-assisted classification and summarization, to help sort, score, label, and recommend inbox actions. To provide those features, we may send email-derived inputs (such as sender, subject, snippets, selected headers, message metadata, and limited body content) to service providers operating AI or cloud infrastructure on our behalf, under written agreements that restrict their use of the data to providing services to us and prohibit training their foundation models on your content. We also operate, maintain, and continuously improve our own narrowly-tailored AI/ML, classification, ranking, summarization, sender-reputation, and product-quality models that exclusively power user-facing PureBox features. To do that, we may use Gmail-derived data, classification outcomes, user feedback signals (such as accept, reject, undo, edit, snooze, and re-label actions), activity logs, session replays, and other Service interaction data to train, fine-tune, distill, evaluate, benchmark, and regression-test those PureBox-specific models, in each case consistent with the Google API Services User Data Policy and the Limited Use commitment in Section 5. AI outputs can be inaccurate, biased, incomplete, or fabricated. They are one input into the Service and may be supplemented by deterministic rules, safety checks, and user review. You are responsible for evaluating AI outputs before acting on them. Some AI features may involve automated decision-making. Where required by law (such as under GDPR Article 22), you may request human review of significant automated decisions by contacting us.

How We Disclose Information

We may disclose personal information to:

- **Service providers and subprocessors** that host, secure, operate, store, support, analyze, or improve the Service (including Google for OAuth and Gmail APIs, Microsoft Azure for hosting, Supabase for authentication and database, Stripe for billing, AI model providers for classification and summarization, observability and logging vendors, and email-delivery vendors);
- **Payment and billing partners** that process subscriptions and related transactions;
- **Professional advisors**, auditors, insurers, and legal counsel;
- **Law enforcement, regulators, courts, or other parties** when we believe in good faith that disclosure is required by law, subpoena, warrant, or court order, or is reasonably necessary to protect the rights, property, or safety of PureBox, users, or the public, to enforce our Terms of Service, or to detect, prevent, or address fraud, security, or technical issues;
- **Potential or actual acquirers, investors, successors, or counterparties** in connection with a financing, merger, acquisition, corporate reorganization, sale of assets, bankruptcy, or similar transaction, subject to customary confidentiality protections;
- **You or persons you authorize**, such as account administrators if applicable; and
- **Other parties with your consent** or at your direction.

We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising.

A current list of our core sub-processors:

| Sub-processor | Purpose | Receives Gmail content? | Region | Reference |
|---|---|---|---|---|
| Google LLC | OAuth identity + Gmail API (source) | n/a (origin) | Global | [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy) |
| Microsoft Azure (Container Apps, Key Vault, Log Analytics, Container Registry, Communication Services) | Hosting, secret storage, infra logs, transactional email | Yes (in transit) | East US | [Microsoft Online Services DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) |
| Microsoft Azure OpenAI Service | Email classification (Phase 1 + Phase 2) | Yes - **input only**; **no training** on inputs | East US | [Azure OpenAI data, privacy, and security](https://learn.microsoft.com/azure/ai-services/openai/concepts/data-privacy) |
| Supabase, Inc. | Postgres database, authentication, Stripe Sync Engine | Yes - **derived metadata only** (subjects, snippets, sender, classifications); raw bodies are never persisted | AWS US-East | [Supabase DPA](https://supabase.com/legal/dpa) |
| Better Stack (Logtail + Real User Monitoring) | Application logs, alerting, session replays, web vitals, and product analytics | Yes - session replays capture on-screen content including Gmail-derived metadata (subjects, senders, snippets, classifications) as rendered in the UI; application logs are field-redacted | EU | [Better Stack DPA](https://betterstack.com/legal/dpa) |
| Stripe, Inc. | Hosted Checkout, Billing Portal, subscription management | No | US | [Stripe DPA](https://stripe.com/legal/dpa) |

We may update our vendors and sub-processors from time to time. Where required by law, we will provide notice of material changes.

Legal Bases for Processing (EEA/UK)

Where EEA, UK, or similar data-protection law requires a legal basis, we process personal information on these grounds:

- **Contract**: to provide the Service you request and to take steps you request before entering into a contract;
- **Legitimate interests**: to secure, improve, monitor, support, and enforce the Service; to prevent fraud and abuse; to operate and grow our business; and to communicate with users, provided those interests are not overridden by your rights;
- **Consent**: where you voluntarily connect Gmail, authorize certain processing (such as non-essential cookies, optional marketing, or sensitive processing), or where law otherwise requires consent; and
- **Legal obligation**: to comply with legal, tax, accounting, reporting, safety, or law-enforcement requirements.

You have the right to withdraw consent at any time without affecting prior lawful processing; some processing may continue under other legal bases.

Data Retention

PureBox retains personal information only as long as reasonably necessary for the purposes described in this Policy, or as required or permitted by applicable law.

- **Account data** (email address, authentication credentials): retained while your account is active, then for a reasonable period after closure to allow reactivation.
- **OAuth connection data**: retained until you disconnect, revoke, or delete your account, or until no longer needed for the service.
- **Gmail-derived working records and classifications**: retained while your account is active. For free accounts inactive for 90 or more days, email metadata and classification history are automatically deleted. Paid accounts retain data for the life of the subscription.
- **Activity logs and audit records**: retained for a period consistent with operational, legal, and security needs. For free accounts inactive for 90 or more days, activity logs are automatically deleted.
- **Billing, invoicing, tax, and dispute records**: as long as required by applicable law (typically up to 7 years).
- **Support communications**: as long as needed to provide support and comply with legal obligations.
- **Backups and archived security records**: may persist for a limited additional time before deletion cycles complete.
- **De-identified or aggregated data**: may be retained indefinitely as it is not personal information.

You may delete your account at any time through your account settings, which triggers immediate removal of your personal data (see Section 11 - Your Choices and Rights). Upon account termination we delete your information on our standard timeline; we are not obligated to provide data-export tools or a grace period before deletion.

Security

We use commercially reasonable administrative, technical, and organizational safeguards designed to protect personal information, including access controls, encryption in transit, authentication controls, vendor restrictions, logging, monitoring, and environment-level security practices. No system is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk. You are responsible for keeping your credentials, recovery codes, and connected-account authentication secure. In the event of a security incident that affects your personal information and requires notification under applicable law, we will notify you and relevant authorities within the time frames and in the manner required by that law. We reserve the right not to provide notice where the incident does not trigger a legal notification obligation.

International Data Transfers

We and our service providers may process personal information in the United States and other countries where we or our vendors operate. Those jurisdictions may have data-protection laws different from those in your location, and data-protection authorities in your location may not have jurisdiction over our vendors. Where required, we rely on lawful transfer mechanisms, such as the EU Standard Contractual Clauses, UK International Data Transfer Agreement, adequacy decisions, and supplementary technical, contractual, or organizational safeguards, to support cross-border transfers.

Your Choices and Rights

Depending on your location and applicable law, you may have rights to:

- request access to the personal information we hold about you;
- request correction of inaccurate information;
- request deletion or erasure, subject to legal exceptions;
- request portability of certain information in a machine-readable format;
- restrict or object to certain processing;
- withdraw consent where processing is based on consent; and
- lodge a complaint with your local supervisory authority.

You may also be able to:

- manage Gmail access through your Google account permissions;
- disconnect Gmail inside PureBox where that feature is available;
- manage subscriptions through Stripe's billing portal where available;
- manage communication preferences from within the Service or via email opt-out links; and
- request account or data assistance by contacting us at the address below.

We may need to verify your identity and authority before acting on a request, and we may use information from our vendors to perform that verification. We may deny or limit a request when permitted by law, including where doing so would adversely affect others' rights, undermine security, conflict with legal obligations, interfere with our ability to enforce legal claims, or be manifestly unfounded or excessive. We will not discriminate against you for exercising any of your rights.

U.S. State Privacy Notice

If U.S. state privacy laws apply to you (including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and similar), this section provides additional disclosures.

**Categories of personal information collected.** In the prior twelve (12) months, we have collected the categories described in Section 2 (identifiers, account and commercial information, internet/electronic activity, geolocation derived from IP, Gmail-derived content and metadata, inferences drawn from the foregoing, and communications/support data).

**Sources.** See Section 3.

**Purposes.** See Section 4.

**Recipients.** See Section 7.

**Retention.** See Section 9.

**Sensitive personal information.** We do not request sensitive personal information. If such information appears incidentally in your Gmail content, we process it only to provide the Service and not for the purpose of inferring characteristics about you.

**We do not sell personal information** for monetary consideration, and **we do not share personal information for cross-context behavioral advertising**. We honor Global Privacy Control ("GPC") signals as a request to opt out of sale or sharing to the extent applicable.

**California Shine the Light.** California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

**Your rights.** Subject to applicable law, you may request to know, access, correct, delete, opt out of sale/sharing, opt out of certain profiling or automated decision-making, and appeal our response. Colorado, Connecticut, Virginia, and similar-state residents may also appeal decisions about their rights requests by replying to our response or by contacting us at the address below. If you are not satisfied with our appeal response, you may contact your state attorney general.

**Authorized agents.** You may designate an authorized agent to make requests on your behalf, subject to verification.

EEA, UK, and Similar Regions

If you are located in the EEA, the UK, Switzerland, or a jurisdiction with similar rights, you may exercise the rights described in Section 12. The data controller is the individual sole proprietor operating PureBox. You may also contact us about our use of legitimate interests, automated decision-making, or international transfers.

### EU and UK Representatives (Article 27)

For GDPR/UK GDPR Article 27 purposes, our appointed representatives are:

- **EEA Representative:** Shaked Ilan, 1985 Del Amo Blvd, #C0050, Torrance, California (CA) 90501
- **UK Representative:** Shaked Ilan, 1985 Del Amo Blvd, #C0050, Torrance, California (CA) 90501

You may contact the representative addresses above for matters related to EEA/UK data-protection obligations.

### Supervisory authority

PureBox does not rely on a one-stop-shop lead supervisory authority. You may lodge a complaint with the supervisory authority in the EEA/UK country where you live, where you work, or where the alleged infringement occurred. A list of EU supervisory authorities is available at [https://edpb.europa.eu/about-edpb/about-edpb/members_en](https://edpb.europa.eu/about-edpb/about-edpb/members_en). UK data subjects may also contact the Information Commissioner's Office (ICO).

### Breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, consistent with Articles 33 and 34 of the GDPR/UK GDPR. Where required, we will also notify affected individuals without undue delay.

Children

### Minimum age

The Service is not directed to children under 16, or under the lower minimum age permitted by member-state law where such law applies. We do not knowingly collect personal information from children below that minimum age. If you believe a child provided us personal information, contact us so we can take appropriate action, including account deletion.

Automated Decision-Making

Some features of the Service apply automated classification, ranking, or scoring to mailbox messages. Where a decision produces legal or similarly significant effects on you and is based solely on automated processing, and where required by law, you have the right to obtain human review, express your point of view, and contest the decision. Most Service features involve suggestions that you review and apply, so human-in-the-loop review is available by default.

Do Not Track

The Service does not respond to Do Not Track ("DNT") browser signals. We honor Global Privacy Control signals to the extent they apply to opt-out of sale/sharing rights under applicable U.S. state law.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the Service, by email, or by other reasonable means. The updated version will become effective when posted unless otherwise stated. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

Contact Information

If you have questions, requests, or complaints about this Privacy Policy or our privacy practices, contact the Operator:

- Operator of PureBox
- support@purebox.ai
- 1985 Del Amo Blvd, #C0050, Torrance, California (CA) 90501

Because the Service is operated by a single individual on a best-effort basis, we aim to respond to verifiable privacy requests within the time frame required by applicable law (typically 30–45 days). EEA/UK representative details are listed in Section 14.