We want to be as transparent as possible with your data. If anything isn't crystal clear, please contact us.
This policy was last updated on 1st April, 2019. We will announce any changes, and you can always alter your consent (see below).
Keeping Your Data Safe
Please see our Security Practices
What We Store on our Servers
We only store what cannot be easily stored in Gmail itself:
- Your email address, as the identifier for your ActiveInbox account.
- Your ActiveInbox Preferences.
- Your timezone, derived from your IP address, for timezone related functionality and appropriately timed notifications.
- The notes and sub-tasks you add to emails (associated only with the email's ID)
- The rank order of your emails, when you drag up & down (associated only with the email's ID)
- To guide our product development, we store your interaction with our website, which is used to make improvements using aggregate data. We also store how you use the product, but with no personal information (e.g. it'll record "Due Date Set", but not what the due date was).
- Any feedback you optionally give us (e.g. surveys, job role).
Handling your Gmail data in ActiveInbox (browser addon)
Most data, except email addresses and email IDs, is transferred directly between your computer and Gmail's server.
|Gmail Data||OAuth Scope||Why Used||Who Can Access||Transit Path||Storage Location|
|Email Meta (id, subject, to/from, date, labels); All Labels||auth/gmail.modify and mail.google.com (latter being phased out)||Renders task list, shows controls for a specific email, allows add/removal label to email||Only User (ActiveInbox Client)||Between Gmail server and user client||Cache of data stored in browser's local storage|
|Email body and attachments||Theoretically made available by auth/gmail.modify||Not used (but have to request OAuth Scope permission that includes it, to be able to add/remove labels to emails)||Nobody||Not transited||Not stored outside Gmail server|
|Email IDs||auth/gmail.send||Allows our server to send emails 24/7 (send later)||ActiveInbox Server code (developers have theoretical access, but prohibited by contract)||Email IDs move from Gmail server to user client to ActiveInbox Server back to Gmail server||Email IDs stored in ActiveInbox server database|
We use SSL (https) everywhere, for secure data exchange between your machine and our server.
The data in the database is encrypted to the outside world, and is protected within the Amazon Web Service's ecosystem. Our development employees have access to the data, but are only allowed to temporarily access it with your explicit consent (e.g. to fix a problem).
When you sign up for ActiveInbox, we ask for consent to access your Gmail data (as described above), and to receive emails from us.
We may ask for heightened data scopes at the point a feature needs it. (E.g. the first time you use Send Later, or the GCal integration).
At any time, you can request to know all the information we hold about you, and request it be deleted, or alter your consent from that point forward. (By contacting support, or using any account management tools we provide).
If you no longer want to use ActiveInbox, you can log into your Google Account, and revoke any data permissions you gave ActiveInbox.
You can unsubscribe from our emails at any time.
3rd Party Services Utilised
These services help us deliver ActiveInbox. If you have any reason to distrust them, please contact us.
- Mailchimp, Customer.IO & Mailgun. They deliver our emails (tips, announcements, etc.) on our behalf (we pass them your email address and first name).
- Google Cloud Platform and Amazon Web Services. They host our server. This is where your data (as listed above) gets stored.
- Google Analytics, MixPanel and Facebook Pixel. We these for product and benefit testing - product development, basically. The Facebook Pixel gets used to enable us to promote ActiveInbox benefits to visitors-who-are-also-active-Facebook-users later, by recording (as a cookie) the machine that visited our website. We do not pass your email address to any of these services.
- Facebook Advertising (only for ActiveInbox adverts). If you opt in, we'll occassionally experiment with their Lookalike advertising programme (showing our adverts to people similar to our customers, helping us grow), by including you in a bulk email list. This doesn't happen by default.
- Stripe and PayPal. For payments. Your email address passes through these systems. They process your bank cards (the sensitive bank information is never available to us).
- Xero. For our accounting. We provide them with your email address for the financial record.