1. Who We Are
This Privacy Policy explains how Onbox Labs, Inc. ("Onbox", "we", "us", "our"), a company incorporated in Delaware, United States (EIN 37-2222663), collects, uses, and protects personal data when you use our AI-powered email management platform at onbox.ing and related services (the "Service").
We act as controller for account and usage data, and as processor for customer email data (on behalf of your organization). We comply with the EU General Data Protection Regulation ("GDPR"). As a US-based company offering services to EU users, we have appointed an EU representative under GDPR Article 27:
EU Representative: José Antonio Pinto France
Email: privacy@onbox.ing
2. What Data We Collect
Data you provide
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, profile picture, job title | Provided during sign-up via Google OAuth |
| Organization data | Company name, workspace names, team memberships | Provided by you or your organization admin |
| Drafts | Email drafts you compose in Onbox | Created by you within the Service |
Data synced from your email provider
When you connect your email account (currently Gmail via Google OAuth), we sync your mailbox. This includes emails from people who correspond with you (secondary data subjects). We process their data as part of delivering the Service to you; your organization is responsible for having a lawful basis for this under GDPR.
We sync the following:
| Category | Examples |
|---|---|
| Email content | Subject lines, message bodies (plain text and HTML), email headers |
| Recipients | Sender and recipient names and email addresses (To, Cc, Bcc) |
| Attachments | File names, sizes, MIME types, and file content |
| Metadata | Timestamps, message IDs, threading references, labels |
| Contacts | Names and email addresses of people you correspond with |
Data we generate
| Category | Examples |
|---|---|
| AI-generated metadata | Email categories, extracted metadata (dates, amounts, action items) |
| Skill library | Triage rules, automation triggers, and skill definitions built by the agent based on your instructions |
| Agent traces | Logs of autonomous and interactive agent execution |
| Search index | Indexed email content and vector embeddings for search |
Data collected automatically
| Category | Examples |
|---|---|
| Technical data | IP address, browser type, user agent, session tokens |
| Usage analytics | Feature usage and interaction patterns (via PostHog, EU-hosted) |
| Error reports | Error messages, stack traces, user context (via Sentry) |
3. How We Use Your Data
| Purpose | Data used |
|---|---|
| Provide the core Service: sync, display, search, and manage your emails | Email content, account data, contacts |
| AI processing: triage, categorize, draft replies, and execute automations | Email content, skill library, agent traces |
| Full-text and semantic search | Email content, embeddings |
| Transactional emails (invitations, notifications) | Email address, name |
| Monitoring and error tracking | Technical data, error reports |
| Product analytics | Usage analytics |
| Legal obligations | Account data, logs |
We process your data primarily to deliver the Service you signed up for (GDPR Art. 6(1)(b)). For monitoring and analytics, we rely on legitimate interest (Art. 6(1)(f)). For legal obligations, we rely on Art. 6(1)(c). AI processing is part of the core Service, not an optional add-on.
4. AI Processing
We route AI processing through third-party model providers via their API services. The active provider may change over time. Current providers:
| Provider | Location |
|---|---|
| Google (Gemini / Vertex AI) | United States |
| OpenAI | United States |
| Anthropic | United States |
| Groq | United States |
| Mistral AI | France (EU) |
None of these providers use your data for model training. Providers may temporarily retain data (up to 30 days) for abuse monitoring, after which it is deleted. The full list of sub-processors is maintained at onbox.ing/subprocessors.
Automated decision-making (GDPR Art. 22)
Our AI agent triages, categorizes, drafts replies, and executes automations, but does not make decisions with legal or similarly significant effects. All agent actions operate within the boundaries defined by your organization's skill library. The agent does not determine access to services, creditworthiness, or employment. Users can always review, override, or undo agent actions.
5. Who Has Access to Your Data
Sub-processors
The full list of sub-processors is maintained at onbox.ing/subprocessors. All act under Data Processing Agreements requiring them to process data solely on our behalf.
Other disclosures
We may disclose personal data:
- To comply with a legal obligation, court order, or lawful government request
- To protect the rights, property, or safety of Onbox, our users, or others
- In connection with a merger, acquisition, or sale of assets (with prior notice)
We do not sell personal data.
6. International Transfers
Our infrastructure runs in the EU (AWS eu-west-1, Ireland). However, some sub-processors are based in the United States.
For transfers of personal data from the EEA to the United States, we rely on:
- The EU-US Data Privacy Framework (DPF): most of our US-based sub-processors are certified under the DPF
- Standard Contractual Clauses (SCCs) approved by the European Commission, included in all our sub-processor data processing terms as an additional safeguard
Where a sub-processor is both DPF-certified and has SCCs in place, both mechanisms apply.
7. Data Retention
| Data category | Retention period |
|---|---|
| Email content and attachments | Kept while your account is active. Deleted within 30 days of account deletion. |
| Account data (name, email, profile) | Kept while your account is active. Deleted within 30 days of account deletion. |
| AI-generated metadata (categories, extracted data) | Deleted when the associated email data is deleted |
| Skill library (triage rules, skills) | Deleted within 30 days of account deletion |
| Agent traces (automation logs) | 14 days |
| Technical logs (IP, sessions) | 90 days |
| Error reports (Sentry) | 90 days |
| Usage analytics (PostHog) | 12 months |
| Backups | Purged within 30 days after primary data deletion |
When you disconnect your email integration, we stop syncing new emails. Previously synced data remains until you delete your account or request erasure.
8. Cookies and Tracking
We only use session cookies for authentication. We do not use advertising cookies, cross-site trackers, or fingerprinting. Analytics (PostHog) runs server-side and does not set cookies in your browser.
9. Data Security
We encrypt all data in transit (TLS 1.2+) and at rest, store credentials in an encrypted vault, enforce least-privilege access, and run automation code in isolated sandboxes. Full details are available on our Security page.
10. Your Rights
Under GDPR, you have the right to:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your data ("right to be forgotten") |
| Restriction | Ask us to temporarily limit how we process your data |
| Data portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Automated decisions | Not be subject to decisions based solely on automated processing that produce legal effects |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
How to exercise your rights: Email privacy@onbox.ing. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.
Supervisory authority: You have the right to lodge a complaint with a data protection authority. If you are in France, contact the CNIL. You can also contact the authority in your country of residence.
11. Children
Onbox is a business tool not directed to individuals under 16. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email if the changes significantly affect how we process your data
Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact
Onbox Labs, Inc.
State of incorporation: Delaware, United States
EIN: 37-2222663
Email: privacy@onbox.ing
EU Representative (GDPR Art. 27): José Antonio Pinto France
Email: privacy@onbox.ing