Inbox Assistant
 Back to site

Privacy Policy

Your inbox. Your data. Always.

Last updated May 10, 2026

This policy explains what personal data Inbox Assistant ("we", "us") collects when you use the service, how we use it, who we share it with, and the choices you have. We are the data controllerfor your account information and a data processor for the email content you forward to us.

1. Who we are

Inbox Assistant is operated by Cardim IT AB, registered in Sweden (org. nr. 559278-1453, VAT SE559278145301), based in Göteborg, Sweden. For all privacy matters contact us at cardimattos@gmail.com.

2. What we collect

Account data (we are controller)

  • Name, email address, password hash (bcrypt)
  • Phone number (only if you enable SMS alerts)
  • Billing data (handled by Stripe — we never see your card)
  • Connected inbox metadata (provider, OAuth tokens — encrypted)

Email content (we are processor)

  • Messages you forward to your assistant address
  • AI-generated summaries, tags, action items, embeddings
  • Attachment metadata (filename, type, size — content is processed in memory and not retained beyond your retention window)

Telemetry

  • Authenticated usage events (page views, feature use)
  • Error logs (no email content, ever)
  • IP address and user agent (kept 30 days for security)

3. What we do not collect or do

  • We do not use your email content to train AI models.
  • We do not sell, rent, or share your data with advertisers.
  • We do not have human readers of your inbox.
  • We do not profile you for marketing based on email contents.

4. Legal bases (GDPR Art. 6)

  • Contract — to deliver the service you signed up for.
  • Consent — for SMS alerts, marketing emails, optional analytics.
  • Legitimate interest — security, fraud prevention, basic product analytics.
  • Legal obligation — tax, accounting, lawful requests.

5. Sub-processors

We use a small, vetted list of sub-processors. Current list:

  • AWS (eu-central-1, Frankfurt) — hosting, storage
  • OpenAI (EU residency) — language model inference (zero-retention API)
  • Anthropic (EU) — language model inference (zero-retention API)
  • Stripe (Ireland) — billing
  • Twilio (Ireland) — SMS delivery
  • Postmark (EU region) — transactional email

We notify you 30 days before adding a new sub-processor.

6. Where data lives

Primary: AWS Frankfurt (eu-central-1). Backup: AWS Stockholm (eu-north-1). Both are EU regions. We do not transfer personal data outside the EEA except via Standard Contractual Clauses with our LLM providers, and only in zero-retention configurations.

7. How long we keep data

  • Email content & AI artifacts: your retention setting (default 90 days, min 7, max 365).
  • Account data: until you delete your account, then 30 days for backup expiry.
  • Billing records: 7 years (Swedish accounting law).
  • Audit logs: 12 months.

8. Security

Encryption at rest (AES-256), in transit (TLS 1.3), per-tenant key isolation, MFA on all employee access, SSO + hardware keys for engineering. See our Security page for details.

9. Your rights

Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with a supervisory authority (in Sweden: IMY, integritetsskyddsmyndigheten.se). See GDPR & Your Rights.

10. Cookies

We use one strictly necessary cookie (session). Optional analytics cookies are off by default and require consent. We do not use advertising cookies.

11. Children

Inbox Assistant is not intended for users under 16. If you become aware a minor has created an account, contact us and we will delete it.

12. Changes

We will notify you by email and in-app at least 30 days before any material change.

Questions? Email cardimattos@gmail.com. Operated by Cardim IT AB (org. nr. 559278-1453), Göteborg, Sweden.