Privacy

We want to be as transparent as possible with your data. If anything isn't crystal clear, please contact us.

This policy was last updated on 29th October, 2019. We will announce any changes, and you can always alter your consent (see below).

Keeping Your Data Safe

We are an EU company subject to the GDPR, which compels us to dedicate significant resources to best-practice security (the penalties for non-compliance could put us out of business). We also undergo annual security auditing with a Google-approved firm to verify that we meet those practices.

Please see our Security Practices

Our core principle, though, is simply to avoid your sensitive data wherever possible. Most importantly, our servers never process your emails: the ActiveInbox client exchanges email data directly with Google, so email contents never pass through our infrastructure (the scope table below shows exactly what does and does not transit our server).

Consenting

When you sign up for ActiveInbox, it requests consent to access, locally, the minimum of your Gmail data that it needs (the scopes are described below), and to receive emails from us.

We may ask for additional data scopes at the point a feature needs them (for example, the first time you use the Google Calendar integration).

At any time, you can ask to see all the information we hold about you, ask for it to be deleted, or alter your consent going forward (by contacting support, or by using any account management tools we provide).

If you no longer want to use ActiveInbox, you can log into your Google Account, and revoke any data permissions you gave ActiveInbox.

You can unsubscribe from our emails at any time.

What we do with the Gmail data scopes you approve

Most of your Gmail data does not touch our server: it is transferred directly between your local machine and Google's servers. The exceptions are your email address and Gmail message IDs (short identifiers that contain no email content).

Each entry below lists the Google data, the OAuth scope it falls under, why it is used, who can access it, its transit path, and where it is stored.

Email Meta (id, subject, to/from, date, labels); All Labels
  OAuth scope: auth/gmail.modify
  Why used: Renders the task list, shows controls for a specific email, and allows adding/removing labels on an email
  Who can access: Only the user (ActiveInbox client)
  Transit path: Between the Gmail server and the user's local client
  Storage location: Cache of Gmail label/message data in the browser's local storage

Email body and attachments
  OAuth scope: Theoretically made available by auth/gmail.modify
  Why used: Not used. We have to request an OAuth scope that includes it, because adding/removing labels on emails requires gmail.modify.
  Who can access: Nobody
  Transit path: Not transited
  Storage location: Not stored outside the Gmail server

Email IDs
  OAuth scope: auth/gmail.modify
  Why used: Attach ActiveInbox Notes and Sub Tasks to your Gmail emails, using their Gmail ID
  Who can access: Theoretically, as they are on our server, developers have access, but are prohibited by contract. We also don't believe the IDs are maliciously usable on their own: a message ID only identifies a message to someone who already holds valid credentials for that mailbox.
  Transit path: From the local client to the ActiveInbox server when Notes and Sub Tasks are saved
  Storage location: ActiveInbox server database

Calendars and Events
  OAuth scope: auth/gmail.modify
  Why used: Attach emails to Calendar events
  Who can access: Only the user (ActiveInbox client)
  Transit path: Between the Google server and the user's local client
  Storage location: Cache of calendar/event data in the browser's local storage
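As an added illustration (not code from ActiveInbox), the following JavaScript shows how a client can enforce the "Not used / Not transited" row above in code rather than by policy alone: it builds Gmail messages.get requests with format=metadata, the Gmail API option that returns headers and labels without the body, and refuses to cache any response that carries body data. The endpoint and the format/metadataHeaders parameters are real Gmail API features; the function names, the header allowlist and the sample response are this example's own assumptions.

```javascript
// Added example, not ActiveInbox's own code. Assumed helper names throughout.
const GMAIL_MESSAGES = 'https://gmail.googleapis.com/gmail/v1/users/me/messages';
// Headers the task list needs; everything else is never requested or cached.
const CACHED_HEADERS = ['Subject', 'From', 'To', 'Date'];

// Build a messages.get URL that can only return headers and labels.
// format=metadata (real API option) omits the body and attachment parts.
function metadataUrl(messageId) {
  if (!/^[0-9a-f]{1,32}$/i.test(messageId)) throw new Error('unexpected message id');
  const params = new URLSearchParams({ format: 'metadata' });
  for (const h of CACHED_HEADERS) params.append('metadataHeaders', h);
  return `${GMAIL_MESSAGES}/${messageId}?${params}`;
}

// Defensive check on the response: refuse to cache anything that carries a
// body or MIME parts, even if the API (or a tampering proxy) returned one.
function assertNoBody(msg) {
  const payload = msg.payload || {};
  const hasBody = Boolean(payload.body && payload.body.data);
  const hasParts = Array.isArray(payload.parts) && payload.parts.length > 0;
  if (hasBody || hasParts || msg.raw) {
    throw new Error('message contains body data; refusing to cache it');
  }
}

// Reduce a messages.get response to the fields worth keeping in local storage.
// The snippet field (first line of the body, if the API includes it) is dropped.
function toCacheRecord(msg) {
  assertNoBody(msg);
  const headers = {};
  for (const h of (msg.payload && msg.payload.headers) || []) {
    if (CACHED_HEADERS.includes(h.name)) headers[h.name] = h.value;
  }
  return { id: msg.id, threadId: msg.threadId, labelIds: msg.labelIds || [], headers };
}

// Constructed sample in the shape Gmail returns for format=metadata (not real mail).
const SAMPLE_METADATA_RESPONSE = {
  id: '16e1a2b3c4d5e6f7',
  threadId: '16e1a2b3c4d5e6f7',
  labelIds: ['INBOX', 'UNREAD'],
  snippet: 'Hi, about the Q4 budget...',
  payload: {
    mimeType: 'multipart/alternative',
    headers: [
      { name: 'Subject', value: 'Q4 budget' },
      { name: 'From', value: 'alice@example.com' },
      { name: 'To', value: 'bob@example.com' },
      { name: 'Date', value: 'Tue, 29 Oct 2019 09:00:00 +0000' },
      { name: 'X-Mailer', value: 'demo' },
    ],
    body: { size: 0 },
  },
};

console.log(metadataUrl(SAMPLE_METADATA_RESPONSE.id));
console.log(toCacheRecord(SAMPLE_METADATA_RESPONSE));
```

The assertNoBody check matters because the scope still permits full reads: the request shape keeps bodies out of the client in normal operation, and the response check makes an accidental or injected format=full result fail loudly instead of landing in local storage.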

What We Store on our Servers

We only store what cannot be easily stored in Gmail itself:

Precise Data Record & Impact Assessment

Each record below lists: the data; the customer benefit (why it is collected); the personal data category; the data source; the storage location; quality maintenance; retention duration; legal basis; breach risk severity; and, where relevant, specific breach identification. The data subject category for every record is: Current Personnel, Former Personnel, Customers, Application End Users.

Email / Name
  Customer benefit: The email address is the key to the data that makes the app work; first names create a personal experience; addresses provide necessary accounting information.
  Personal data category: Basic Profile Identifier
  Data source: User submitted
  Storage location: Database, and every 3rd party service listed
  Quality maintenance: Users can update their email address but not their name (unlikely to change).
  Retention: Up to 12 months after last use
  Legal basis: Consent + Legitimate interest: as an email app, it makes sense to hang entire accounts from the email address, and to address people by name.
  Breach risk severity: Minor. If breached, liable to spam.
  Specific breach identification: Fake (canary) accounts are kept amongst real accounts as fingerprints for Dark Web monitoring.

Partial Address / IP address / Last 4 digits of credit card
  Customer benefit: Tracing payment history
  Personal data category: Location data
  Data source: User submitted
  Storage location: Database, Xero, CarpenterBox
  Quality maintenance: Proven and immutable
  Retention: Up to 7 years
  Legal basis: Legal obligation: financial record keeping
  Breach risk severity: Minor. If breached, could be used for social engineering.

High level location (at the resolution of a city)
  Customer benefit: Find the timezone, to deliver timely notifications (including marketing material)
  Personal data category: Location data
  Data source: Deduced from IP address, or user submitted
  Storage location: Database
  Quality maintenance: User can override the timezone
  Retention: Up to 12 months after last use
  Legal basis: Legitimate interest: we advocate a workflow ethos that penalises out-of-hours emailing, so this lets us send our communications during the daytime.
  Breach risk severity: Minor. If breached, could be used for social engineering.

Year of birth
  Customer benefit: To use our app, and receive communications, with the correct legal protections
  Personal data category: Age
  Data source: User submitted
  Storage location: Database
  Quality maintenance: User can alter
  Retention: Up to 12 months after last use
  Legal basis: Consent + Legal obligation
  Breach risk severity: Minor. If breached, could be used for social engineering.

Email Notes & Sub Tasks
  Customer benefit: Productivity feature to add private actionable information to emails (kept on our server to sync across machines and as backup)
  Personal data category: Potentially special category data (it is free-form text entered by the user, so there is no restriction)
  Data source: User submitted
  Storage location: Database
  Quality maintenance: User can alter
  Retention: Up to 12 months after last use
  Legal basis: Consent + Legitimate interest: without our server, users cannot store and sync their notes between multiple machines.
  Breach risk severity: Significant. Notes may well contain embarrassing or compromising opinions about people close to the user.

Product Preferences
  Customer benefit: Sync feature choices between machines, and backup
  Personal data category: Basic Profile Identifier, Relationships
  Data source: User submitted
  Storage location: Database
  Quality maintenance: Can be amended at any time
  Retention: Up to 12 months after last use
  Legal basis: Consent + Legitimate interest: choosing features is core functionality.
  Breach risk severity: Negligible

Registered interest for beta products we propose
  Customer benefit: Stay informed on new features/products we're working on, and gain beta access
  Personal data category: Basic Profile Identifier
  Data source: User submitted
  Storage location: Database
  Quality maintenance: It's a simple yes/no, but becomes less relevant with time.
  Retention: Up to 12 months after last use
  Legal basis: Consent
  Breach risk severity: Negligible

Referrals
  Customer benefit: Be rewarded for referring colleagues
  Personal data category: Basic Profile Identifier, Relationships
  Data source: User submitted
  Storage location: Database
  Quality maintenance: Perfect
  Retention: Up to 12 months after last use
  Legal basis: Consent
  Breach risk severity: Minor. Relationships between people could be used for social engineering and targeted spam.

Job title, job seniority, organisation
  Customer benefit: Helps us understand feedback, prioritise beta access, and group accounts into teams
  Personal data category: Location, Economic Identifiers
  Data source: User submitted in surveys
  Storage location: Database
  Quality maintenance: User can update at any time, but likely to become irrelevant in time as careers progress.
  Retention: Pseudonymised immediately. Anonymised up to 12 months after last use.
  Legal basis: Consent + minor legitimate interest: helps us enhance productivity features for specific roles.
  Breach risk severity: Minor. Could be used for targeted spam or social engineering.

Website / App interaction
  Customer benefit: Understanding how people engage with our help pages and features, especially in the first few days, helps us with user education and product improvement.
  Personal data category: NA
  Data source: User submitted in surveys
  Storage location: Database
  Quality maintenance: Perfect
  Retention: Pseudonymised immediately. Anonymised up to 12 months after last use.
  Legal basis: Consent + minor legitimate interest: we can provide targeted education, and overcome functional issues during onboarding.
  Breach risk severity: Negligible

Surveys
  Customer benefit: Helps us offer personalised help as part of onboarding, and gives us rich information about how people work, to improve the product.
  Personal data category: Potentially special category (it's free-form text input)
  Data source: User submitted in surveys
  Storage location: Database + Google Drive + Dropbox
  Quality maintenance: Becomes less relevant as the product ages, workflow habits change, and opinions change.
  Retention: Pseudonymised immediately. Anonymised up to 12 months after last use.
  Legal basis: Consent + legitimate interest: the user expects us to store their survey after they enter it.
  Breach risk severity: Minor. It's mostly long-form content, so users could theoretically have entered information about themselves (most likely role, workflow habits, tools they use). Conceivably a boss could use it to judge their performance (they're likely to be talking about weaknesses), or a spammer could target them more accurately.

Email reads
  Customer benefit: Read receipts require us to record that an email was read, and to prevent duplicate read-reporting.
  Personal data category: Pseudonymised Basic Identifier, Location
  Data source: The recipient does not consent to being tracked, but they are not identifiable.
  Storage location: Database
  Quality maintenance: Perfect
  Retention: Pseudonymised immediately: the sender isn't linked to an identifiable recipient (only Gmail IDs are stored, with no accessible PII in the database), and the recipient's IP address is truncated to lose identifying resolution. The receipt is deleted entirely within 2 weeks.
  Legal basis: Legitimate interest: it's a productivity feature for the sender, and the recipient isn't identifiable.
  Breach risk severity: Negligible. That an email was read is not useful to anyone but the sender.

OAuth Tokens
  Customer benefit: Provide the access to user emails in Gmail, and the ability to modify Gmail labels, that powers the majority of ActiveInbox's features.
  Personal data category: Potentially special category data
  Data source: Explicit user consent during login to ActiveInbox
  Storage location: Local machine, within the browser extension
  Quality maintenance: Perfect
  Retention: The tokens are kept on the machine until ActiveInbox is uninstalled, and a token is invalidated after 6 months of inactivity.
  Legal basis: Consent + Legitimate interest: essential for ActiveInbox's productivity features.
  Breach risk severity: Major. The tokens are the keys for anyone to access a user's Gmail data. Google's abuse detection can flag unusual use of a token, and the user can revoke ActiveInbox's access from their Google Account at any time (see Consenting), which limits, but does not eliminate, what a stolen token is worth.

Email cache
  Customer benefit: To speed up ActiveInbox, emails that are tasks are cached on the local machine.
  Personal data category: Potentially special category data
  Data source: Implicit consent, as it follows the user's approval for the software to locally access their emails.
  Storage location: Local machine, within the browser extension
  Quality maintenance: Perfect
  Retention: The email cache is kept on the machine until ActiveInbox is uninstalled, or the data is purged for performance.
  Legal basis: Consent + Legitimate interest: ActiveInbox is much more useful when it runs quickly.
  Breach risk severity: Significant. The cached data may contain special category data.
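As an added example (not ActiveInbox's code), here is the read-receipt handling from the Email reads record above reduced to working JavaScript: one receipt per Gmail message ID so repeat opens are not re-reported, the recipient's IP address truncated to a network prefix, and receipts purged after 14 days. The /24 and /48 prefix lengths, the in-memory Map store, the function names and the sample values are this example's assumptions; the policy itself says only "truncated" and "within 2 weeks".

```javascript
// Added example, not ActiveInbox's code. Names and prefix lengths are assumed.
const RETENTION_MS = 14 * 24 * 60 * 60 * 1000; // "deleted entirely within 2 weeks"

// Keep only a network prefix: /24 for IPv4, /48 for IPv6 (assumed lengths).
// A prefix places the reader in a network, not at a host, which is the point.
function truncateIp(ip) {
  if (ip.includes(':')) {
    const halves = ip.split('::');
    if (halves.length > 2) throw new Error('bad IPv6 address');
    const left = halves[0] ? halves[0].split(':') : [];
    const right = halves[1] ? halves[1].split(':') : [];
    const missing = 8 - left.length - right.length;      // groups elided by "::"
    if (halves.length === 2 ? missing < 1 : missing !== 0) throw new Error('bad IPv6 address');
    const groups = [...left, ...Array(missing).fill('0'), ...right];
    if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) throw new Error('bad IPv6 address');
    return groups.slice(0, 3).join(':') + '::';            // first 48 bits only
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error('bad IPv4 address');
  }
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;       // first 24 bits only
}

// receipts: Map<gmailMessageId, { ipPrefix, readAt }>. Nothing about the
// sender or recipient identity is stored beside the message ID.
function recordRead(receipts, messageId, recipientIp, now = Date.now()) {
  if (!/^[0-9a-f]+$/i.test(messageId)) throw new Error('unexpected message id');
  if (receipts.has(messageId)) return false;   // second open: not re-reported
  receipts.set(messageId, { ipPrefix: truncateIp(recipientIp), readAt: now });
  return true;
}

// Drop every receipt older than the retention window; returns how many went.
function purgeExpired(receipts, now = Date.now()) {
  let removed = 0;
  for (const [id, rec] of receipts) {
    if (now - rec.readAt >= RETENTION_MS) {
      receipts.delete(id);
      removed += 1;
    }
  }
  return removed;
}

// Walk-through on constructed data (not real traffic): one message opened
// twice, then a purge run 15 days later.
function demo() {
  const receipts = new Map();
  const t0 = Date.UTC(2019, 9, 29);
  const first = recordRead(receipts, '16e1a2b3c4d5e6f7', '203.0.113.77', t0);
  const again = recordRead(receipts, '16e1a2b3c4d5e6f7', '203.0.113.77', t0 + 60000);
  const stored = receipts.get('16e1a2b3c4d5e6f7').ipPrefix;
  const purged = purgeExpired(receipts, t0 + 15 * 86400000);
  return { first, again, stored, purged, remaining: receipts.size };
}

console.log(demo());
```

Two consequences worth noting: once a receipt is purged, the dedupe record goes with it, so an open after the window would be reported again; and the message ID alone is the only join key, so a database-only breach yields a list of IDs and network prefixes with no mailbox to attach them to.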

3rd Party Services Utilised

These services help us deliver ActiveInbox. If you have any reason to distrust them, please contact us.