Privacy

Key Points

tl;dr It's your data, not ours. Nobody can access your emails.
  1. ActiveInbox is a 'Local Client Application' (a Google term), meaning all your Gmail data is only transferred between your computer and Google's servers. Nobody from our team can ever access your email. Full details: ActiveInbox Security.
  2. We comply with the GDPR: your data is yours. We only use the minimum of your personal information (PII) necessary to make ActiveInbox work. You can request to see it, or delete it, at any time.
  3. This policy was last updated on 28th September, 2022. We will announce any changes, and you can always alter your consent.

Consenting

tl;dr ActiveInbox only asks for what it needs, and nothing more.

Google Data Access

When you sign up for ActiveInbox, it requests consent to locally access the minimum required of your Gmail data to make it work (e.g. to add labels to your emails), and to confirm if you wish to receive marketing emails from us.

We may ask for heightened data scopes at the point a feature needs it. (E.g. access to your calendar to put an email on an event).

You can uninstall and revoke ActiveInbox permissions at any time - just log into your Google Account.

Data Retention

At any time, you can request to know all the information we hold about you, and request it be deleted, or alter your consent from that point forward. (By contacting support, or using any account management tools we provide).

Communication

You opt in to our marketing emails, and can unsubscribe from them at any time.

To enable you to use ActiveInbox, we send interactive onboarding emails only during your trial to learn it.

To fulfil our legal obligations, even if you unsubscribe we may still send you emails related to security or billing.

What we do with the Gmail data scopes you approve

ActiveInbox's use and transfer of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.

These are the scopes you can approve. All data is kept within your computer, except Email IDs.

Google Data OAuth Scope Why Used Who Can Access Transit Path Storage Location
Email Meta (id, subject, to/from, date, labels); All Labels auth/gmail.modify Renders task list, shows controls for a specific email, allows add/removal label to email Only User (ActiveInbox Client) Between Gmail server and user local client Cache of Gmail label/message data stored in browser's local storage.
Email body and attachments auth/gmail.modify Used to make Suggestions for tasks, by looking to see if a question is unanswered. Only User (ActiveInbox Client) Between Gmail server and user local client Cache of Gmail label/message data stored in browser's local storage.
Email IDs auth/gmail.modify Attach ActiveInbox Notes and Sub Tasks to your Gmail emails, using their Gmail ID. Theoretically, as its on our server, developers have access, but are prohibited by contract. Also we don't believe the IDs are maliciously useable (so not sensitive). Email IDs move from local client to the ActiveInbox server when Notes and Sub Tasks are saved. Email IDs stored in ActiveInbox server database
Calendars and Events auth/gmail.modify Attach emails to Calendar events Only User (ActiveInbox Client) Between Google server and user local client Cache of calendar / events data stored in browser's local storage.

What We Store on our Servers

tl;dr We only store data that can't be stored as a Gmail Label (e.g. your Notes).

Precise Data Record & Impact Assessment

Data Description Customer Benefit Data Subject Category / Personal Data Category Data Source Storage Location Quality Maintenance Retention Duration Legal Basis Breach Risk Severity Specific Breach Identification
Email / Name The email address is key to the data that makes the app work, first names create a personal experience and addresses create necessary accounting info. As a team we may also reference customer's support requests and interviews for producting planning, using email address and name. Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier User submitted Database, and every 3rd party service listed Users can update email address but not name, but unlikely to change. Up to 12 months after last use. Consent + Legitimate interest: as an email app, it makes sense to hang entire accounts from the email address, and address people by name. Minor. If breached, liable to spam. Fake accounts are kept amongst accounts, as fingerprints for Dark Web monitoring
Partial Address / IP address / Last 4 digits of credit card Tracing payment history Current Personnel, Former Personnel, Customers, Application End Users / Location data User submitted Database, Xero, CarpenterBox Proven and immutable Minimum 7 years Legal obligation: financial record keeping Minor. If breached, could be used for social engineering.
High level location (at resolution of city) Find timezone, to deliver timely notifications (including marketing material) Current Personnel, Former Personnel, Customers, Application End Users / Location data Deduced from IP address or user submitted Database User can override timezone Up to 12 months after last use Legitmate Interest: we advocate a workflow of ethos that penalises out-of-hours emailing, so this lets us send our communication during the day time. Minor. If breached, could be used for social engineering.
Year of birth To use our app, and receive communications, with the correct legal protections. Current Personnel, Former Personnel, Customers, Application End Users / Age User submitted Database User can alter Up to 12 months after last use Consent + Legal Obligation Minor. If breached, could be used for social engineering.
Email Notes & Sub Tasks Productive feature to add private actionable information to emails (kept on our server to sync across machines and backup) Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data (if entered by user - it’s freeform so no restriction) User submitted Database User can alter Up to 12 months after last use Consent + Legitimate interest: without our server, they cannot store and sync their notes between multiple machines. Significant. They may well contain embarrassing/compromising opinions about people close to the person.
Product Preferences Sync feature choices between machines, and backup Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships User submitted Database Can be ammended at any time Up to 12 months after last use Consent + Legitimate Interest: it's core functionality to choose features Negligible
Registered interest for beta products we propose Stay informed on new features/products we’re working on, and gain beta access. Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier User submitted Database It’s simple yes/no, but becomes less relevant with time. Up to 12 months after last use Consent Negligible
Referrals Be rewarded for referring colleagues Current Personnel, Former Personnel, Customers, Application End Users / Basic Profile Identifier, Relationships User submitted Database Perfect Up to 12 months after last use Consent Minor. Relationships between people could be used for social engineering and targetted spam
Job title, job seniority, organisation Helps us understand their feedback, and prioritise access to beta, and group accounts into teams Current Personnel, Former Personnel, Customers, Application End Users / Location, Economic Identifiers User submitted in surveys Database User can update at any time, but likely to become irrelevant in time as careers progress. Pseudo-anonymised immediately. Anonymised up to 12 months after last use. Consent + minor legitimate interest: help us enhance productivity features for specific roles Minor. Could be used for targetted spam, social engineering.
Website / App interaction It helps us with user education and product improvement to understand how people engage with our help pages and features, especially in the first few days. Current Personnel, Former Personnel, Customers, Application End Users / NA User submitted in surveys Database Perfect Pseudo-anonymised immediately. Anonymised up to 12 months after last use. Consent + minor legitimate interest: We can provide targetted education, and overcome functional issues during onboarding Negligible
Surveys Helps us offer them personalised help as part of the onboarding process, and gives us rich information about how they work to improve the product. Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category (it's free form text input) User submitted in surveys Database + Google Drive + Dropbox It becomes less relevant as the product ages, workflow habits change, and opinions change. Pseudo-anonymised immediately. Anonymised up to 12 months after last use. Consent + legitimate interest: the user expects us to store their survey after they enter it Minor. It’s mostly long form content, so they could have theoretically entered information about themselves (most likely role, workflow habits, tools they use). Conceivably a boss could use it to judge their performance (they’re likely to be talking about weaknesses), or a spammer could target them more accurately.
Email reads Read receipts require us to record it was read, and to prevent duplicate read-reporting Current Personnel, Former Personnel, Customers, Application End Users / Pseudo-anonymised Basic Identifier, Location The recipient does not consent to being tracked, but they are not identifiable Database Perfect Pseudo-anonymised immediately (the sender isn't linked to an identifiable recipient [only Gmail IDs are stored without accessible PII in the database], the recipients IP address is truncated to lose identifiable resolution), and the receipt is deleted entirely within 2 weeks. Legitimate interest: it's a productivity feature for the sender, and the recipient isn't identifiable. Negligible. It's not useful to anyone but the sender that an email was read.
OAuth Tokens Provide the access to user emails in Gmail, and to modify Gmail labels, that powers the majority of ActiveInbox's features. Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data Explicit user consent during login to ActiveInbox Local machine within browser extension Perfect The tokens are kept on the machine until ActiveInbox is uninstalled, and the token is invalidated after 6 months of inactivity. Consent + Legitimate interest: it's essential for ActiveInbox's productivity features. Major. The tokens provide the keys for anyone to access a user's Gmail data. However, Google has highly sophisticated intrusion systems that are triggered by any unusual behaviour, limiting the utilisation of stolen tokens.
Email cache To speed up ActiveInbox, emails that are tasks are cached into the local machine. Current Personnel, Former Personnel, Customers, Application End Users / Potentially special category data Implicit consent as it follows the user's approval for the software to locally access their emails. Local machine within browser extension Perfect The email cache is kept on the machine until ActiveInbox is uninstalled, or the data is purged for performance. Consent + Legitimate interest: ActiveInbox is much more useful when it runs quickly. Significant. The cached data may contain special category data.

3rd Party Services Utilised

These services help us deliver ActiveInbox. If you have any reason to distrust them, please contact us.

Processor Reason Data description Data Subject Category / Personal Data Category Duration Data in country Basis for Transfer outside EEA Covered by Data Processing Agreement
Customer.IO Email delivery Email address, name Customers, Application End Users / Basic Profile Identifier Up to 12 months after last app use. US EU-US Privacy Shield Yes
Mailgun Email delivery Email address, name Customers, Application End Users / Basic Profile Identifier Up to 12 months after last app use. US EU-US Privacy Shield Yes
Heroku (owned by Salesforce) Host our server and database. Heroku uses AWS technology. See Heroku's Commitment to Trust. See Data Record for everything that has 'Database' as Storage Location See Data Record for everything that has 'Database' as Storage Location See Data Record for everything that has 'Database' as Storage Location US EU-US Privacy Shield Yes
Amazon Web Services Host our marketing server, provides email delivery via Mailgun. Email address, name Customers, Application End Users / Basic Profile Identifier Up to 12 months after last app use. US EU-US Privacy Shield Yes
Google Analytics Understand who visits our Chrome Web Store page, and our website, to improve how we communicate what ActiveInbox does (including support pages). Tracking cookie with no PII Customers, Website Visitors, Application End Users / Basic Profile Identifier Up to 12 months. US EU-US Privacy Shield Yes
Facebook Advertising Communicate about ActiveInbox to previous visitors, on Facebook. Tracking cookie with no PII, or pseudo-anonymised (hashed) email address. Customers, Website Visitors, Application End Users / Basic Profile Identifier Up to 12 months. US EU-US Privacy Shield Yes
Stripe Payment. As part of processing your credit card, Stripe is responsible for anti-fraud, and for linking your purchase to your ActiveInbox subscription, so retains basic personal information. Email address, name, address, last 4 digits of card. Customers, Application End Users / Basic Profile Identifier and Location data Minimum 7 years US EU-US Privacy Shield Yes
PayPal Payment. As part of processing your credit card, Paypal is responsible for anti-fraud, and for linking your purchase to your ActiveInbox subscription, so retains basic personal information. Email address, name, address, last 4 digits of card. Customers, Application End Users / Basic Profile Identifier and Location data Minimum 7 years US EU-US Privacy Shield Yes
Xero Accounting software. Email address, country (derived from IP or credit card) Customers, Application End Users / Basic Profile Identifier and Location data Minimum 7 years US EU-US Privacy Shield Yes
MHA Carpenter Box Accounting services. Email address, country (derived from IP address or credit card), IP address Customers, Application End Users / Basic Profile Identifier and Location data Minimum 7 years UK Yes Yes
Calendly Meeting scheduling Email address, name, time zone and country Customers, Application End Users / Basic Profile Identifier and Location data Up to 1 year US EU-US Privacy Shield Yes
Dropbox Tracking customer service requests (we pseudo-anonymise where possible). Email address, name, country Customers, Application End Users / Basic Profile Identifier and Location data Up to 3 years US EU-US Privacy Shield Yes
Google Drive / Suite Tracking customer service requests (we pseudo-anonymise where possible). Email address, name, country Customers, Application End Users / Basic Profile Identifier and Location data Up to 3 years US EU-US Privacy Shield Yes
Trello Tracking customer service requests (we pseudo-anonymise where possible). Email address, name, country Customers, Application End Users / Basic Profile Identifier and Location data Up to 3 years US EU-US Privacy Shield Yes
Asana Tracking customer service requests (we pseudo-anonymise where possible). Email address, name, country Customers, Application End Users / Basic Profile Identifier and Location data Up to 3 years US EU-US Privacy Shield Yes
Slack Tracking customer service requests (we pseudo-anonymise where possible). Email address, name, country Customers, Application End Users / Basic Profile Identifier and Location data Up to 3 years US EU-US Privacy Shield Yes