Inbox Hero

Privacy Policy

Your privacy is important to us. It is Inbox Hero's policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, https://inboxhero.win, and other sites we own and operate.

Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, email, and job title), your devices, payment details, and even information about how you use a website or online service.

In the event our site contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.

This policy is effective as of January 20, 2025

Last updated: 28th May, 2025

Information We Collect

Information we collect falls into one of two categories: "voluntarily provided" information and "automatically collected" information.

"Voluntarily provided" information refers to any information you knowingly and actively provide us when using or participating in any of our services and promotions.

"Automatically collected" information refers to any information automatically sent by your devices in the course of accessing our products and services.

Personal Information

We may ask for, or gather personal information, depending on diagnostic settings configured by your organization's admin – for example – which may include one or more of the following:

  • Name
  • Email address
  • Job title and department
  • Office location
  • Microsoft 365 User Principal Name
  • Microsoft Entra User ObjectID
  • Organization domain information
  • Email metadata and headers
  • Email content for analysis purposes
  • Email categorization and status assignment

Email Data Processing and Storage

Our AIM (Artificial Intelligence for Mail) service processes email data to provide intelligent email analytics, categorization, and productivity insights.

Diagnostic logging can be enabled or disabled at any time by your organization's administrator through the service settings.

Cross-Tenant Data Isolation:

All email data, including body previews, AI summaries, categorization results, and diagnostic logs, is strictly isolated to your tenant. This data is never:

  • Shared between different customer organizations
  • Used to improve AI models for other tenants
  • Accessible to other customers or tenants
  • Combined with data from other organizations

Microsoft Graph Integration

Our services integrate with Microsoft Graph API to access and process your organization's email data. This integration allows us to:

  • Read email messages and metadata from Microsoft 365 mailboxes
  • Update email categories and extended properties
  • Access user profile information for context and personalization
  • Retrieve organizational information for multi-tenant processing
  • Process email events and notifications from Microsoft 365

All Microsoft Graph access is performed with appropriate permissions granted by your organization's administrators and in compliance with Microsoft's terms of service.

Legitimate Reasons for Processing Your Personal Information

We only collect and use your personal information when we have a legitimate reason for doing so. In which instance, we only collect personal information that is reasonably necessary to provide our services to you.

Collection and Use of Information

We may collect personal information from you when you do any of the following:

  • Purchase a subscription to our email analytics services
  • Connect your Microsoft 365 organization to our platform
  • Use our email processing and categorization features
  • Access our analytics dashboard and reporting tools
  • Contact us via email, social media, or similar technologies
  • When you mention us on social media

We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes:

  • To provide email analytics, categorization, and productivity insights
  • To process and analyze email content using artificial intelligence and machine learning models
  • To generate AI summaries and reasoning for email categorization
  • To provide personalized categorization based on recipient patterns and organizational context
  • To troubleshoot AI classification issues when diagnostic logging is enabled
  • To provide technical support and troubleshooting services after written approval
  • For system monitoring, performance optimization, and security purposes
  • For analytics, market research, and business development
  • For internal record keeping and administrative purposes
  • To comply with legal obligations and regulatory requirements

Artificial Intelligence and Machine Learning

Our services utilize artificial intelligence and large language models to analyze email content and provide intelligent categorization and insights. This processing includes:

  • Content analysis for categorization and task identification
  • Pattern recognition for email productivity insights and personalized categorizations
  • Automated status assignment based on email content and recipient context
  • Sender reputation and email type classification
  • Language processing for multi-language support

All AI processing is performed in a secure, isolated environment with data remaining within your tenant's boundaries.

Data Isolation and Multi-Tenancy

Our platform operates on a multi-tenant architecture with strict data isolation:

  • Each organization's data is logically separated and encrypted
  • No data is shared between different organizations or tenants
  • Cross-tenant data access is technically and administratively prevented
  • Diagnostic logs, when enabled, are stored separately for each tenant
  • AI model improvements are tenant-specific and do not benefit from other organizations' data

Azure Cloud Infrastructure

Our services are hosted on Microsoft Azure infrastructure, utilizing:

  • Azure Functions for serverless email processing
  • Azure Service Bus for reliable event processing
  • Azure SQL Database for structured data storage
  • Azure Key Vault for secure credential management
  • Azure Application Insights for monitoring and diagnostics

Data Retention and Storage

Email data and analytics are retained according to the following schedule:

  • Diagnostic logs (when enabled): Retained for up to 90 days
  • Analytics and reporting data: Retained for up to 90 days
  • System logs and monitoring data: Retained for up to 90 days
  • User profile information: Retained for the duration of your subscription

Upon subscription termination, you may request data export for 30 days, after which all data will be permanently deleted.

Diagnostic Logging Controls

Your organization's administrator has full control over diagnostic logging:

  • Diagnostic logging is disabled by default
  • Can be enabled or disabled at any time through administrative settings
  • When enabled, full email content and AI responses are temporarily logged for troubleshooting purposes
  • Diagnostic data is automatically purged after 90 days
  • Only authorized support personnel can access diagnostic logs when troubleshooting is requested
  • Diagnostic logs are encrypted and stored separately from standard operational data

Security of Your Personal Information

When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification.

Our security measures include:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication for administrative access
  • Compliance with Microsoft's Trusted Cloud principles
  • Regular security training for all personnel
  • Isolated storage systems for diagnostic data when enabled

Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.

You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services.

Third-Party Services and Integrations

We utilize the following third-party services to provide our platform:

  • Paddle for subscription billing and payment processing
  • Lemon Squeezy for subscription billing and payment processing

All third-party integrations are governed by appropriate data processing agreements and privacy controls.

Children's Privacy

We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal information about children under 13. Our services are designed for business and organizational use.

International Data Transfers

Our services may process data across multiple geographic regions within Microsoft's Azure infrastructure. All international transfers are protected by:

  • Microsoft's global compliance and certification programs
  • Standard contractual clauses approved by relevant data protection authorities
  • Adherence to Privacy Shield principles where applicable
  • Encryption and security controls for data in transit

Your Rights and Controlling Your Personal Information

Your choice: By connecting your organization to our services, you understand we will collect, hold, use, and disclose your email and user information in accordance with this privacy policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of our email analytics services.

Information from third parties: If we receive personal information about you from Microsoft Graph or other integrated services, we will protect it as set out in this privacy policy.

Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.

Access: You may request details of the personal information that we hold about you, including email analytics, AI summaries, and categorization data.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy.

Data portability: You may request a copy of your email analytics data, AI summaries, and categorization results in a structured, machine-readable format.

Deletion: You may request that we delete the personal information we hold about you, subject to legal and operational requirements. This includes diagnostic logs if enabled.

Diagnostic data control: Your administrator can enable or disable diagnostic logging at any time, and can request immediate purging of diagnostic data.

Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information.

Notification of data breaches: We will comply with laws applicable to us in respect of any data breach and will notify affected parties as required by applicable law.

Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below.

Unsubscribe: To unsubscribe from our email database or opt-out of communications, please contact us using the details provided in this privacy policy.

Use of Cookies

We use "cookies" to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified.

Please refer to our Cookie Policy for more information.

Business Transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy.

Limits of Our Policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

Changes to This Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.

If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.

Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU)

Data Controller / Data Processor

We, Inbox Hero, are a Data Controller with respect to the personal information you provide to us for our email analytics services.

Legal Bases for Processing Your Personal Information

Our lawful bases depend on the services you use and how you use them:

  • Consent: Where you give us consent to process your email data for analytics purposes
  • Performance of a Contract: Where processing is necessary to provide our email analytics services
  • Legitimate Interests: For improving our services, security, and business operations
  • Compliance with Law: Where we have legal obligations to process or retain data

International Transfers Outside of the European Economic Area (EEA)

We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, including standard data protection clauses approved by the European Commission.

Your Rights Under GDPR

  • Right to be informed about how your data is processed
  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision making and profiling

Contact Us

For any questions or concerns regarding your privacy, you may contact us using the following details:

https://inboxhero.win/contact