Privacy Policy

Last updated:

This policy applies to Inbox by Alkmist at inbox.alkmist.com.

1. Who we are

Inbox by Alkmist (the "Service") is operated by Alkmist, a company incorporated in Belgium ("Alkmist", "we", "our", or "us"). We are the data controller for personal data processed through the Service, except where we act as a data processor on your behalf (for example, the contents of the emails in your mailbox).

Registered office: Ravensteinstraat 2 bus 3, 9000 Gent, Belgium
Company / VAT number: BE 1026.308.203

Contacts

This Service is governed by the laws of Belgium, without regard to its conflict-of-laws rules.

2. What we collect and why

When you sign in with Google or Microsoft and use the Service, we access and process the following categories of data:

  • Account profile: your name, email address, and profile picture from your Google or Microsoft account, used to authenticate you and display your account inside the app.
  • OAuth tokens: the access and refresh tokens issued by Google or Microsoft so we can call their APIs on your behalf. We never see or store your password.
  • Email metadata and content: headers (sender, recipients, subject, timestamps, labels, threads), body text, and attachments. We use this to triage, prioritise, search, summarise, and act on your inbox on your instruction.
  • Calendar events: events from your connected calendar so we can show meetings alongside email and create events you ask us to create.
  • Email signature: a one-time read of your existing signature so we can import it into the compose window.
  • Usage and product analytics: page views, feature use, and errors, captured by PostHog (EU instance). Email body text and addresses are masked in any session replays.
  • Billing data: if you subscribe, Stripe processes your payment details. We receive a customer ID and subscription status only — we never receive or store full card numbers.

3. Google API scopes

When you connect a Google account, we request only the scopes below. Each scope maps to a specific user-facing feature.

https://www.googleapis.com/auth/gmail.readonly

Why: read messages and threads from your Gmail inbox so we can display, triage, prioritise, search, and summarise them inside the app. Without this scope, the app cannot show your inbox.

https://www.googleapis.com/auth/gmail.modify

Why: apply labels, archive messages, and mark messages as read or unread when you ask us to. We use this only for actions you explicitly trigger in the UI (for example, clicking "Archive" or "Mark read"). We do not delete messages and do not modify your inbox without an explicit instruction from you.

https://www.googleapis.com/auth/gmail.send

Why: send replies and new messages that you compose inside the app, through your own Gmail account. We never send messages on your behalf without an explicit "Send" action from you.

https://www.googleapis.com/auth/gmail.settings.basic

Why: read your existing Gmail signature once, so the in-app compose window can pre-fill it. We do not modify Gmail settings, filters, vacation responders, or forwarding rules.

https://www.googleapis.com/auth/calendar.events

Why: read upcoming events so we can show meetings alongside the related emails, and create or update events when you take a "Schedule meeting" action inside the app.

4. Microsoft Graph scopes

When you connect a Microsoft (Outlook / Microsoft 365) account, we request only the scopes below.

Mail.Read

Why: read messages and folders from your Outlook mailbox so we can display, triage, prioritise, search, and summarise them. The Microsoft equivalent of gmail.readonly.

Mail.ReadWrite

Why: apply categories, move messages between folders, and mark messages as read or unread when you ask us to. We never modify your mailbox without an explicit instruction.

Mail.Send

Why: send replies and new messages that you compose inside the app, through your own Outlook account. Triggered only by an explicit "Send" action from you.

Calendars.Read

Why: read upcoming events so we can show meetings alongside the related emails.

Calendars.ReadWrite

Why: create or update calendar events when you take a "Schedule meeting" action inside the app.

5. Limited Use commitment

5.1 Google API Services User Data Policy

Inbox by Alkmist's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In concrete terms, this means:

  • We use Google user data only to provide and improve user-facing features described in this policy.
  • We do not transfer Google user data except as needed to provide those features, comply with applicable law, or as part of a merger / acquisition with continued protections.
  • We do not use Google user data for advertising.
  • We do not sell Google user data.
  • No human at Alkmist reads your email, except (a) with your explicit consent, (b) for security or abuse investigation, (c) to comply with applicable law, or (d) for aggregated, anonymised, internal operations.
  • We do not use your Google user data — including the contents of any email or attachment — to train or improve generalised or third-party AI/ML models.

5.2 Microsoft Graph data

The same commitments apply to data we receive through Microsoft Graph: we use it only to provide the features described in this policy, we do not sell it, we do not use it for advertising, no Alkmist human reads it outside the narrow exceptions above, and we do not use it to train AI/ML models.

6. How AI processes your email

Many features of the Service (triage, summarisation, suggested replies, priority scoring) use large language models (LLMs).

  • No human review. Alkmist staff do not read your email content. Outputs from LLM calls are returned to you, not to a reviewer.
  • No model training. Email content sent to an LLM provider is not used to train, fine-tune, or improve any AI model — ours or theirs.
  • Today: OpenAI on the US endpoint. At the time of this policy, email content is processed by OpenAI on their US endpoint, under a zero-retention agreement: prompts and completions are not retained beyond the duration of the request and are not used to train OpenAI models. See OpenAI's Enterprise Privacy commitments.
  • Soon: EU-residency LLMs. We are migrating LLM processing to EU-residency providers — Mistral models and EU OpenAI deployments accessed via OpenRouter — so that email content no longer leaves the European Union for AI processing. We will update this policy and the subprocessor list when the migration completes.

7. Subprocessors

We use the following subprocessors. Each handles only the categories of data listed.

| Subprocessor | Purpose | Data handled | Region |
| --- | --- | --- | --- |
| Google Cloud Platform (GCP) | Primary database (Cloud SQL / PostgreSQL) and application hosting (Cloud Run) | All application data, including email content, metadata, and OAuth tokens | europe-west1 (Belgium) |
| Cloudflare | DNS, CDN, Web Application Firewall (WAF) | Request metadata (IP, user-agent, URL); HTTPS-terminated traffic | Global edge |
| Cloudflare R2 | Object storage for email attachments | Email attachments (encrypted at rest) | EU |
| Upstash Redis | Background task queue and short-lived cache | Queue metadata only (job IDs, references). No email content stored in Redis. | EU |
| OpenAI (today) | LLM processing for triage, summarisation, suggested replies (zero-retention agreement) | Email content sent in prompts; outputs returned to you. Not retained, not used for training. | United States |
| OpenRouter (planned) | Routing layer for EU-residency LLMs (Mistral and EU OpenAI deployments) — being rolled out | Email content sent in prompts; not retained, not used for training | EU |
| Stripe | Subscription billing and payments | Billing data (name, email, payment details) — no email content. We receive only a customer ID and subscription status. | EU + US (Stripe global) |
| PostHog (EU instance) | Product analytics and session replay | Pages visited, features used, errors. No email content: email body, subject, and addresses are masked in session replays. | EU |

A current list of subprocessors is maintained in this section. We will update this policy if we add or remove subprocessors.

8. Where your data is stored

Your application data — including email content, metadata, OAuth tokens, and account profile — is stored on Google Cloud Platform in the europe-west1 region (Belgium). Backups remain in the same region.

LLM processing temporarily routes email content to the United States (OpenAI) at the time of writing. We are migrating to EU-residency LLM providers (Mistral and EU OpenAI deployments via OpenRouter); when complete, all LLM processing of email content will stay in the European Union. We do not commit to a binding date for this migration but will update this policy when it ships.

9. Retention

  • Email content (headers, body, attachments): retained for as long as your subscription is active, so that search and archival keep working across your entire mailbox history.
  • OAuth tokens: retained while your subscription is active and you have at least one provider connected. Removed when you disconnect a provider or delete your account.
  • Account deletion: when you delete your account, all email content, attachments, derived data, OAuth tokens, and personal data are purged from primary storage and from backups within 30 days.
  • Backups: rolling backups follow the same 30-day window — once you delete your account, no backup retains your data beyond 30 days.
  • Billing records: retained for the period required by Belgian and EU tax law (typically 7 years) to comply with our accounting obligations.

10. Encryption

  • In transit: all traffic between you, our servers, and our subprocessors is encrypted with TLS 1.2 or higher.
  • At rest: the database disks (Cloud SQL) are encrypted using GCP-managed encryption keys.
  • Application-level encryption — OAuth tokens: Google and Microsoft OAuth tokens are additionally encrypted at the application layer using Fernet (AES-128-CBC with HMAC-SHA256), so that anyone with raw database access still cannot impersonate your provider session.
  • Application-level encryption — email content: we are rolling out application-level encryption for email subject, snippet, and body in addition to disk encryption. This is in deployment at the time of writing and will be the default for new and re-synced data.

11. Your controls

12. GDPR rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure — deletion of your data, subject to our legal retention obligations.
  • Portability — your data in a structured, machine-readable format.
  • Objection — to processing based on legitimate interests.
  • Restriction — temporary halt of certain processing activities.
  • Withdraw consent — for any processing based on consent, at any time.

To exercise any of these rights, email legal@alkmist.com. This is also the contact for Data Subject Access Requests (DSARs) and serves as our data-protection contact. Alkmist has not formally designated a Data Protection Officer under GDPR Article 37, as our processing activities do not meet the mandatory DPO criteria; the contact above fulfils the equivalent function. You also have the right to lodge a complaint with your local data protection authority — in Belgium, the Data Protection Authority.

13. Children's data

The Service is not directed to anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact legal@alkmist.com and we will delete it.

14. Changes to this policy

We may update this Privacy Policy as the Service evolves. We will update the "Last updated" date at the top of this page, and for material changes we will notify you by email and / or by an in-app notice before the change takes effect.

15. Data Processing Agreement

A Data Processing Agreement (DPA) covering Article 28 GDPR is available on request. Email legal@alkmist.com and we will share our standard DPA.

16. Contact

Alkmist
Ravensteinstraat 2 bus 3, 9000 Gent, Belgium
Company / VAT: BE 1026.308.203
Privacy / legal: legal@alkmist.com
User support: support@alkmist.com
OAuth verification: oauth-verification@alkmist.com

© 2026 Alkmist. All rights reserved.