We want to be as transparent as possible with your data. If anything isn't crystal clear, please contact us.
This policy was last updated on 29th October, 2019. We will announce any changes, and you can always alter your consent (see below).
Keeping Your Data Safe
We are an EU company subject to the GDPR (with penalties that could put us out of business), which compels us to dedicate significant resources to best-practice security. We also undergo annual security auditing by a Google-approved firm to demonstrate that we meet those practices.
Please see our Security Practices
Our core principle, though, is simply to avoid holding your sensitive data wherever possible. Most importantly, our servers never receive your email content, so we cannot read or process your emails (see the data scope table below for exactly what does and does not leave your machine).
When you sign up for ActiveInbox, it requests consent to access locally the minimum of your scoped Gmail data that it needs (described below), and to send you emails from us.
We may ask for additional data scopes at the point a feature needs them (e.g. the first time you use the GCal integration).
At any time, you can request to know all the information we hold about you, and request it be deleted, or alter your consent from that point forward. (By contacting support, or using any account management tools we provide).
If you no longer want to use ActiveInbox, you can log into your Google Account, and revoke any data permissions you gave ActiveInbox.
You can unsubscribe from our emails at any time.
What we do with the Gmail data scopes you approve
Most of your Gmail data never touches our server: it is transferred directly between your local machine and Google's servers. The exceptions are your email address and the Gmail message IDs of emails you attach notes or sub-tasks to (short, non-sensitive pieces of text).
| Google Data | OAuth Scope | Why Used | Who Can Access | Transit Path | Storage Location |
|---|---|---|---|---|---|
| Email metadata (id, subject, to/from, date, labels); all labels | auth/gmail.modify | Renders the task list, shows controls for a specific email, adds/removes labels on an email | Only the user (ActiveInbox client) | Between the Gmail server and the user's local client | Cache of Gmail label/message data in the browser's local storage |
| Email body and attachments | Theoretically made available by auth/gmail.modify | Not used (but we have to request an OAuth scope that includes it in order to add/remove labels on emails) | Nobody | Not transited | Not stored outside the Gmail server |
| Email IDs | auth/gmail.modify | Attach ActiveInbox Notes and Sub Tasks to your Gmail emails, using their Gmail ID | Theoretically, as it is on our server, developers have access, but they are prohibited by contract. We also don't believe the IDs are maliciously usable (so not sensitive). | Email IDs move from the local client to the ActiveInbox server when Notes and Sub Tasks are saved | Email IDs stored in the ActiveInbox server database |
| Calendars and events | Calendar scope, requested the first time you use the GCal integration (see above) | Attach emails to calendar events | Only the user (ActiveInbox client) | Between the Google server and the user's local client | Cache of calendar/event data in the browser's local storage |
What We Store on our Servers
We only store what cannot be easily stored in Gmail itself:
- Your email address, as the identifier for your ActiveInbox account.
- Your ActiveInbox Preferences.
- Your timezone, derived from your IP address, for timezone-related functionality and appropriately timed notifications.
- The notes and sub-tasks you add to emails (associated only with the email's ID)
- The rank order of your emails, when you drag up & down (associated only with the email's ID)
- To guide our product development, we store your interactions with our website, which we use in aggregate to make improvements. We also store how you use the product, but without personal information (e.g. it will record "Due Date Set", but not what the due date was).
- Any feedback you optionally give us (e.g. surveys, job role).
Precise Data Record & Impact Assessment
- Accurate up to 29th October 2019. If you want an accurate current assessment, please contact firstname.lastname@example.org
- You'll see that we typically retain core app data for 12 months, as that is the period within which people return to the app (and we don't want them to have the negative experience of finding their information lost). It can be deleted before then on request.
- 'Specific Breach Identification' is in addition to the default security measures for breach identification.
| Data Description | Customer Benefit | Data Subject Category / Personal Data Category | Data Source | Storage Location | Quality Maintenance | Retention Duration | Legal Basis | Breach Risk Severity | Specific Breach Identification |
|---|---|---|---|---|---|---|---|---|---|
| Email / Name | The email address is the key to the data that makes the app work; first names create a personal experience, and addresses create necessary accounting info. | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier | User submitted | Database, and every 3rd party service listed | Users can update their email address but not their name, though it is unlikely to change. | Up to 12 months after last use | Consent + Legitimate interest: as an email app, it makes sense to hang entire accounts from the email address, and to address people by name. | Minor. If breached, liable to spam. | Fake accounts are kept amongst real accounts, as fingerprints for Dark Web monitoring. |
| Partial Address / IP address / Last 4 digits of credit card | Tracing payment history | Current Personnel, Former Personnel, Customers, Application End Users / Location data | User submitted | Database, Xero, CarpenterBox | Proven and immutable | Up to 7 years | Legal obligation: financial record keeping | Minor. If breached, could be used for social engineering. | |
| High-level location (at city resolution) | Find timezone, to deliver timely notifications (including marketing material) | Current Personnel, Former Personnel, Customers, Application End Users / Location data | Deduced from IP address, or user submitted | Database | User can override timezone | Up to 12 months after last use | Legitimate interest: we advocate a workflow ethos that penalises out-of-hours emailing, so this lets us send our communications during the daytime. | Minor. If breached, could be used for social engineering. | |
| Year of birth | To use our app, and receive communications, with the correct legal protections. | Current Personnel, Former Personnel, Customers, Application End Users / Age | User submitted | Database | User can alter | Up to 12 months after last use | Consent + Legal obligation | Minor. If breached, could be used for social engineering. | |
| Email Notes & Sub Tasks | Productivity feature to add private, actionable information to emails (kept on our server to sync across machines and for backup) | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data (if entered by the user; it is freeform, so no restriction) | User submitted | Database | User can alter | Up to 12 months after last use | Consent + Legitimate interest: without our server, users cannot store and sync their notes between multiple machines. | Significant. They may well contain embarrassing/compromising opinions about people close to the user. | |
| Product Preferences | Sync feature choices between machines, and backup | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships | User submitted | Database | Can be amended at any time | Up to 12 months after last use | Consent + Legitimate interest: choosing features is core functionality | Negligible | |
| Registered interest in beta products we propose | Stay informed on new features/products we're working on, and gain beta access. | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier | User submitted | Database | It's a simple yes/no, but becomes less relevant with time. | Up to 12 months after last use | Consent | Negligible | |
| Referrals | Be rewarded for referring colleagues | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships | User submitted | Database | Perfect | Up to 12 months after last use | Consent | Minor. Relationships between people could be used for social engineering and targeted spam. | |
| Job title, job seniority, organisation | Helps us understand feedback, prioritise beta access, and group accounts into teams | Current Personnel, Former Personnel, Customers, Application End Users / Location, Economic Identifiers | User submitted in surveys | Database | User can update at any time, but likely to become irrelevant over time as careers progress. | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + minor legitimate interest: helps us enhance productivity features for specific roles | Minor. Could be used for targeted spam, social engineering. | |
| Website / App interaction | Helps us with user education and product improvement, by understanding how people engage with our help pages and features, especially in the first few days. | Current Personnel, Former Personnel, Customers, Application End Users / NA | User submitted in surveys | Database | Perfect | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + minor legitimate interest: we can provide targeted education, and overcome functional issues during onboarding | Negligible | |
| Surveys | Helps us offer personalised help as part of onboarding, and gives us rich information about how people work, to improve the product. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category (it's free-form text input) | User submitted in surveys | Database + Google Drive + Dropbox | Becomes less relevant as the product ages, workflow habits change, and opinions change. | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + Legitimate interest: the user expects us to store their survey after they enter it | Minor. It's mostly long-form content, so users could theoretically have entered information about themselves (most likely role, workflow habits, tools they use). Conceivably a boss could use it to judge their performance (they're likely to be talking about weaknesses), or a spammer could target them more accurately. | |
| Email reads | Read receipts require us to record that an email was read, and to prevent duplicate read-reporting | Current Personnel, Former Personnel, Customers, Application End Users / Pseudo-anonymised Basic Identifier, Location | The recipient does not consent to being tracked, but they are not identifiable | Database | Perfect | Pseudo-anonymised immediately (the sender isn't linked to an identifiable recipient [only Gmail IDs are stored, with no accessible PII in the database], and the recipient's IP address is truncated to lose identifying resolution); the receipt is deleted entirely within 2 weeks. | Legitimate interest: it's a productivity feature for the sender, and the recipient isn't identifiable. | Negligible. It's of no use to anyone but the sender that an email was read. | |
| OAuth Tokens | Provide the access to a user's emails in Gmail, and the ability to modify Gmail labels, that powers the majority of ActiveInbox's features. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data | Explicit user consent during login to ActiveInbox | Local machine, within the browser extension | Perfect | The tokens are kept on the machine until ActiveInbox is uninstalled, and the token is invalidated after 6 months of inactivity. | Consent + Legitimate interest: it's essential for ActiveInbox's productivity features. | Major. The tokens are the keys with which anyone could access a user's Gmail data. Google's intrusion detection is triggered by unusual behaviour, which limits the usefulness of stolen tokens, and a user can revoke the grant from their Google Account at any time (see above). | |
| Email cache | To speed up ActiveInbox, emails that are tasks are cached on the local machine. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data | Implicit consent, as it follows the user's approval for the software to access their emails locally. | Local machine, within the browser extension | Perfect | The email cache is kept on the machine until ActiveInbox is uninstalled, or the data is purged for performance. | Consent + Legitimate interest: ActiveInbox is much more useful when it runs quickly. | Significant. The cached data may contain special category data. | |
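As an added illustration of the pseudonymisation described in the "Email reads" row above (this is example code written for this page, not ActiveInbox's own implementation, which is not published here): the recipient's IP address is truncated to network resolution before storage, the receipt is keyed only by the Gmail message ID, a second open of the same message is not reported again, and receipts are purged after two weeks. The /24 (IPv4) and /48 (IPv6) prefix lengths, the in-memory store, the `ReadReceiptStore` name and the sample message ID are assumptions for illustration; the policy only says the address is truncated and the receipt deleted within 2 weeks.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Retention window: the policy states receipts are deleted within 2 weeks.
# Timestamps are plain epoch seconds so the example has no clock dependency.
RETENTION_SECONDS = 14 * 24 * 60 * 60


def truncate_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Drop the host part of an IP address so it no longer points at one machine.

    /24 for IPv4 and /48 for IPv6 are assumed prefix lengths (the policy does
    not state the resolution it keeps). Raises ValueError on a malformed address,
    so garbage never reaches the database as if it were a valid truncated IP.
    """
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


class ReadReceiptStore:
    """Hypothetical in-memory receipt store keyed only by Gmail message ID.

    Nothing stored here links the receipt to a named recipient: each record
    holds the message ID, the truncated IP and a timestamp, and is purged once
    it is older than RETENTION_SECONDS.
    """

    def __init__(self) -> None:
        self._receipts: Dict[str, Tuple[str, float]] = {}

    def record_read(self, message_id: str, client_ip: str, now: float) -> bool:
        """Record a read. Returns True only for the first read of a message,
        which is what prevents duplicate read-reporting to the sender."""
        self.purge(now)
        if message_id in self._receipts:
            return False
        self._receipts[message_id] = (truncate_ip(client_ip), now)
        return True

    def purge(self, now: float) -> int:
        """Delete receipts older than the retention window; returns the count removed."""
        expired = [mid for mid, (_, ts) in self._receipts.items()
                   if now - ts > RETENTION_SECONDS]
        for mid in expired:
            del self._receipts[mid]
        return len(expired)

    def stored_ip(self, message_id: str) -> Optional[str]:
        """What the database would actually hold for this message, or None."""
        entry = self._receipts.get(message_id)
        return entry[0] if entry else None


if __name__ == "__main__":
    # Constructed sample input: a made-up Gmail message ID and an address from
    # the 203.0.113.0/24 documentation range.
    store = ReadReceiptStore()
    t0 = 1_572_307_200.0  # 2019-10-29 00:00:00 UTC
    print(store.record_read("16e1a2b3c4d5e6f7", "203.0.113.77", t0))         # True
    print(store.record_read("16e1a2b3c4d5e6f7", "203.0.113.77", t0 + 3600))  # False
    print(store.stored_ip("16e1a2b3c4d5e6f7"))                                # 203.0.113.0
    print(store.purge(t0 + 15 * 86400))                                       # 1
```

The point of returning the truncated address from `stored_ip` is that it is the only form the store ever holds: the full address exists solely in the request handler's memory for the duration of the call, so a database dump cannot be joined back to an individual recipient.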
3rd Party Services Utilised
These services help us deliver ActiveInbox. If you have any reason to distrust them, please contact us.
- Customer.IO & Mailgun. They deliver our emails (tips, announcements, etc.) on our behalf (we pass them your email address and first name).
- Heroku (owned by Salesforce), Google Cloud Platform and Amazon Web Services. They host our server. This is where your data gets stored.
- Google Analytics, Facebook Pixel. We use these for product and benefit testing (product development, basically). The Facebook Pixel is used so that we can later promote ActiveInbox's benefits to visitors who are also active Facebook users, by recording (as a cookie) the machine that visited our website. We do not pass your email address to either of these services.
- Facebook Advertising (only for ActiveInbox adverts). If you opt in, we'll occasionally experiment with their Lookalike advertising programme (showing our adverts to people similar to our customers, helping us grow), by including you in a bulk email list. This does not happen by default.
- Stripe and PayPal. For payments. Your email address passes through these systems. They process your bank cards (the sensitive bank information is never available to us).
- Calendly. Scheduling customer calls.
- Xero and CarpenterBox. For our accounting. We provide them with your email address for the financial record.
- Google Suite, Dropbox, Slack, Waffle, Trello, Asana. All documents relating to our business, including customer interviews.
- Disqus, Wordpress. For the blog and comments.
- Apple Store, Google Play Store, Chrome Web Store. The directory listings for the ActiveInbox app.