Key Points
- ActiveInbox is a 'Local Client Application' (a Google term), meaning all your Gmail data is only transferred between your computer and Google's servers. Nobody from our team can ever access your email. Full details: ActiveInbox Security.
- We comply with the GDPR: your data is yours. We only use the minimum of your personal information (PII) necessary to make ActiveInbox work. You can request to see it, or delete it, at any time.
- This policy was last updated on 28th September, 2022. We will announce any changes, and you can always alter your consent.
Consenting
Google Data Access
When you sign up for ActiveInbox, it requests consent to locally access the minimum required of your Gmail data to make it work (e.g. to add labels to your emails), and to confirm if you wish to receive marketing emails from us.
We may ask for heightened data scopes at the point a feature needs it. (E.g. access to your calendar to put an email on an event).
You can uninstall and revoke ActiveInbox permissions at any time - just log into your Google Account.
Data Retention
At any time, you can request to know all the information we hold about you, and request it be deleted, or alter your consent from that point forward. (By contacting support, or using any account management tools we provide).
Communication
You opt in to our marketing emails, and can unsubscribe from them at any time.
To help you learn ActiveInbox, we send interactive onboarding emails only during your trial.
To fulfil our legal obligations, even if you unsubscribe we may still send you emails related to security or billing.
What we do with the Gmail data scopes you approve
ActiveInbox's use and transfer of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.
These are the scopes you can approve. All data is kept within your computer, except Email IDs.
Google Data | OAuth Scope | Why Used | Who Can Access | Transit Path | Storage Location |
---|---|---|---|---|---|
Email Meta (id, subject, to/from, date, labels); All Labels | auth/gmail.modify | Renders task list, shows controls for a specific email, allows add/removal label to email | Only User (ActiveInbox Client) | Between Gmail server and user local client | Cache of Gmail label/message data stored in browser's local storage. |
Email body and attachments | auth/gmail.modify | Used to make Suggestions for tasks, by looking to see if a question is unanswered. | Only User (ActiveInbox Client) | Between Gmail server and user local client | Cache of Gmail label/message data stored in browser's local storage. |
Email IDs | auth/gmail.modify | Attach ActiveInbox Notes and Sub Tasks to your Gmail emails, using their Gmail ID. | Theoretically, as it's on our server, developers have access, but are prohibited by contract. Also we don't believe the IDs are maliciously usable (so not sensitive). | Email IDs move from local client to the ActiveInbox server when Notes and Sub Tasks are saved. | Email IDs stored in ActiveInbox server database |
Calendars and Events | auth/gmail.modify | Attach emails to Calendar events | Only User (ActiveInbox Client) | Between Google server and user local client | Cache of calendar / events data stored in browser's local storage. |
What We Store on our Servers
- Your email address, as the identifier for your ActiveInbox account.
- Your ActiveInbox Preferences.
- Your timezone, derived from your IP address, for timezone related functionality and appropriately timed notifications.
- The notes and sub-tasks you add to emails (associated only with the email's ID)
- The rank order of your emails, when you drag up & down (associated only with the email's ID)
- To guide our product development, we store your interaction with our website, which is used to make improvements using aggregate data. We also store how you use the product, but with no personal information (e.g. it'll record "Due Date Set", but not what the due date was).
- Any feedback you optionally give us (e.g. surveys, job role).
Precise Data Record & Impact Assessment
- Accurate up to 22nd January, 2021. If you want an accurate current assessment, please contact [email protected]
- You'll see we typically retain core app data for 12 months as that is the period in which people return to the app (and we don't want them to have a negative experience of having lost information). It can be deleted prior to this upon request.
- 'Specific Breach Identification' is in addition to all the default Security measures for breach identification.
Data Description | Customer Benefit | Data Subject Category / Personal Data Category | Data Source | Storage Location | Quality Maintenance | Retention Duration | Legal Basis | Breach Risk Severity | Specific Breach Identification |
---|---|---|---|---|---|---|---|---|---|
Email / Name | The email address is key to the data that makes the app work, first names create a personal experience and addresses create necessary accounting info. As a team we may also reference customers' support requests and interviews for product planning, using email address and name. | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier | User submitted | Database, and every 3rd party service listed | Users can update email address but not name, but unlikely to change. | Up to 12 months after last use. | Consent + Legitimate interest: as an email app, it makes sense to hang entire accounts from the email address, and address people by name. | Minor. If breached, liable to spam. | Fake accounts are kept amongst accounts, as fingerprints for Dark Web monitoring |
Partial Address / IP address / Last 4 digits of credit card | Tracing payment history | Current Personnel, Former Personnel, Customers, Application End Users / Location data | User submitted | Database, Xero, CarpenterBox | Proven and immutable | Minimum 7 years | Legal obligation: financial record keeping | Minor. If breached, could be used for social engineering. | |
High level location (at resolution of city) | Find timezone, to deliver timely notifications (including marketing material) | Current Personnel, Former Personnel, Customers, Application End Users / Location data | Deduced from IP address or user submitted | Database | User can override timezone | Up to 12 months after last use | Legitimate Interest: we advocate a workflow ethos that penalises out-of-hours emailing, so this lets us send our communication during the day time. | Minor. If breached, could be used for social engineering. | |
Year of birth | To use our app, and receive communications, with the correct legal protections. | Current Personnel, Former Personnel, Customers, Application End Users / Age | User submitted | Database | User can alter | Up to 12 months after last use | Consent + Legal Obligation | Minor. If breached, could be used for social engineering. | |
Email Notes & Sub Tasks | Productive feature to add private actionable information to emails (kept on our server to sync across machines and backup) | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data (if entered by user - it’s freeform so no restriction) | User submitted | Database | User can alter | Up to 12 months after last use | Consent + Legitimate interest: without our server, they cannot store and sync their notes between multiple machines. | Significant. They may well contain embarrassing/compromising opinions about people close to the person. | |
Product Preferences | Sync feature choices between machines, and backup | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships | User submitted | Database | Can be amended at any time | Up to 12 months after last use | Consent + Legitimate Interest: it's core functionality to choose features | Negligible | |
Registered interest for beta products we propose | Stay informed on new features/products we’re working on, and gain beta access. | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier | User submitted | Database | It’s simple yes/no, but becomes less relevant with time. | Up to 12 months after last use | Consent | Negligible | |
Referrals | Be rewarded for referring colleagues | Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships | User submitted | Database | Perfect | Up to 12 months after last use | Consent | Minor. Relationships between people could be used for social engineering and targeted spam | |
Job title, job seniority, organisation | Helps us understand their feedback, and prioritise access to beta, and group accounts into teams | Current Personnel, Former Personnel, Customers, Application End Users / Location, Economic Identifiers | User submitted in surveys | Database | User can update at any time, but likely to become irrelevant in time as careers progress. | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + minor legitimate interest: help us enhance productivity features for specific roles | Minor. Could be used for targeted spam, social engineering. | |
Website / App interaction | It helps us with user education and product improvement to understand how people engage with our help pages and features, especially in the first few days. | Current Personnel, Former Personnel, Customers, Application End Users / NA | User submitted in surveys | Database | Perfect | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + minor legitimate interest: We can provide targeted education, and overcome functional issues during onboarding | Negligible | |
Surveys | Helps us offer them personalised help as part of the onboarding process, and gives us rich information about how they work to improve the product. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category (it's free form text input) | User submitted in surveys | Database + Google Drive + Dropbox | It becomes less relevant as the product ages, workflow habits change, and opinions change. | Pseudo-anonymised immediately. Anonymised up to 12 months after last use. | Consent + legitimate interest: the user expects us to store their survey after they enter it | Minor. It’s mostly long form content, so they could have theoretically entered information about themselves (most likely role, workflow habits, tools they use). Conceivably a boss could use it to judge their performance (they’re likely to be talking about weaknesses), or a spammer could target them more accurately. | |
Email reads | Read receipts require us to record it was read, and to prevent duplicate read-reporting | Current Personnel, Former Personnel, Customers, Application End Users / Pseudo-anonymised Basic Identifier, Location | The recipient does not consent to being tracked, but they are not identifiable | Database | Perfect | Pseudo-anonymised immediately (the sender isn't linked to an identifiable recipient [only Gmail IDs are stored without accessible PII in the database], the recipient's IP address is truncated to lose identifiable resolution), and the receipt is deleted entirely within 2 weeks. | Legitimate interest: it's a productivity feature for the sender, and the recipient isn't identifiable. | Negligible. It's not useful to anyone but the sender that an email was read. | |
OAuth Tokens | Provide the access to user emails in Gmail, and to modify Gmail labels, that powers the majority of ActiveInbox's features. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data | Explicit user consent during login to ActiveInbox | Local machine within browser extension | Perfect | The tokens are kept on the machine until ActiveInbox is uninstalled, and the token is invalidated after 6 months of inactivity. | Consent + Legitimate interest: it's essential for ActiveInbox's productivity features. | Major. The tokens provide the keys for anyone to access a user's Gmail data. However, Google has highly sophisticated intrusion systems that are triggered by any unusual behaviour, limiting the utilisation of stolen tokens. | |
Email cache | To speed up ActiveInbox, emails that are tasks are cached into the local machine. | Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data | Implicit consent as it follows the user's approval for the software to locally access their emails. | Local machine within browser extension | Perfect | The email cache is kept on the machine until ActiveInbox is uninstalled, or the data is purged for performance. | Consent + Legitimate interest: ActiveInbox is much more useful when it runs quickly. | Significant. The cached data may contain special category data. | |
3rd Party Services Utilised
These services help us deliver ActiveInbox. If you have any reason to distrust them, please contact us.
Processor | Reason | Data description | Data Subject Category / Personal Data Category | Duration | Data in country | Basis for Transfer outside EEA | Covered by Data Processing Agreement |
---|---|---|---|---|---|---|---|
Customer.IO | Email delivery | Email address, name | Customers, Application End Users / Basic Profile Identifier | Up to 12 months after last app use. | US | EU-US Privacy Shield | Yes |
Mailgun | Email delivery | Email address, name | Customers, Application End Users / Basic Profile Identifier | Up to 12 months after last app use. | US | EU-US Privacy Shield | Yes |
Heroku (owned by Salesforce) | Host our server and database. Heroku uses AWS technology. See Heroku's Commitment to Trust. | See Data Record for everything that has 'Database' as Storage Location | See Data Record for everything that has 'Database' as Storage Location | See Data Record for everything that has 'Database' as Storage Location | US | EU-US Privacy Shield | Yes |
Amazon Web Services | Host our marketing server, provides email delivery via Mailgun. | Email address, name | Customers, Application End Users / Basic Profile Identifier | Up to 12 months after last app use. | US | EU-US Privacy Shield | Yes |
Google Analytics | Understand who visits our Chrome Web Store page, and our website, to improve how we communicate what ActiveInbox does (including support pages). | Tracking cookie with no PII | Customers, Website Visitors, Application End Users / Basic Profile Identifier | Up to 12 months. | US | EU-US Privacy Shield | Yes |
Facebook Advertising | Communicate about ActiveInbox to previous visitors, on Facebook. | Tracking cookie with no PII, or pseudo-anonymised (hashed) email address. | Customers, Website Visitors, Application End Users / Basic Profile Identifier | Up to 12 months. | US | EU-US Privacy Shield | Yes |
Stripe | Payment. As part of processing your credit card, Stripe is responsible for anti-fraud, and for linking your purchase to your ActiveInbox subscription, so retains basic personal information. | Email address, name, address, last 4 digits of card. | Customers, Application End Users / Basic Profile Identifier and Location data | Minimum 7 years | US | EU-US Privacy Shield | Yes |
PayPal | Payment. As part of processing your credit card, Paypal is responsible for anti-fraud, and for linking your purchase to your ActiveInbox subscription, so retains basic personal information. | Email address, name, address, last 4 digits of card. | Customers, Application End Users / Basic Profile Identifier and Location data | Minimum 7 years | US | EU-US Privacy Shield | Yes |
Xero | Accounting software. | Email address, country (derived from IP or credit card) | Customers, Application End Users / Basic Profile Identifier and Location data | Minimum 7 years | US | EU-US Privacy Shield | Yes |
MHA Carpenter Box | Accounting services. | Email address, country (derived from IP address or credit card), IP address | Customers, Application End Users / Basic Profile Identifier and Location data | Minimum 7 years | UK | Yes | Yes |
Calendly | Meeting scheduling | Email address, name, time zone and country | Customers, Application End Users / Basic Profile Identifier and Location data | Up to 1 year | US | EU-US Privacy Shield | Yes |
Dropbox | Tracking customer service requests (we pseudo-anonymise where possible). | Email address, name, country | Customers, Application End Users / Basic Profile Identifier and Location data | Up to 3 years | US | EU-US Privacy Shield | Yes |
Google Drive / Suite | Tracking customer service requests (we pseudo-anonymise where possible). | Email address, name, country | Customers, Application End Users / Basic Profile Identifier and Location data | Up to 3 years | US | EU-US Privacy Shield | Yes |
Trello | Tracking customer service requests (we pseudo-anonymise where possible). | Email address, name, country | Customers, Application End Users / Basic Profile Identifier and Location data | Up to 3 years | US | EU-US Privacy Shield | Yes |
Slack | Tracking customer service requests (we pseudo-anonymise where possible). | Email address, name, country | Customers, Application End Users / Basic Profile Identifier and Location data | Up to 3 years | US | EU-US Privacy Shield | Yes |