Inbox Admin

Security and Trust

Last updated: April 21, 2026

Inbox Admin reads invoices, receipts, and other documents out of your Gmail inbox and routes them to QuickBooks. That means we touch sensitive financial and business data. This page explains, in plain English, exactly what we see, what we store, who we share it with, and how you get it back or delete it.

Quick summary. We request the minimum Gmail scopes for what you’ve turned on. Your data lives in Google Cloud in the United States. OAuth tokens are encrypted with Google Cloud KMS. We do not train machine-learning models on your email, attachments, or classifications. You can disconnect Gmail, delete attachments, and request full deletion of your organization at any time from your account settings.

1. OAuth Scopes and Why We Request Each One

Inbox Admin asks for the smallest set of permissions it needs for the feature you’re using. You grant each scope through Google’s or Intuit’s own consent screen and can revoke them at any time from your Google account permissions or QuickBooks company settings.

Scope | When we request it | Justification
openid | Sign-up and sign-in | Verify the identity of the Google account signing in. Required by Google Identity Services.
email | Sign-up and sign-in | Tie your account to your email address so you can sign back in and we can send billing and security notices.
profile | Sign-up and sign-in | Display your name and profile photo inside the app. No data leaves Google's account picker.
gmail.readonly | Sign-up and inbox audits | Read message headers and attachments so we can classify documents and suggest rules. This scope cannot send, move, or delete any message.
gmail.modify | Only when you enable a rule action that applies a Gmail label | Create and apply labels so filed messages land in the folder you picked. Never used to delete messages.
gmail.send | Only when you enable a rule action that forwards a message | Forward a matched message to a domain you explicitly allow-listed in the rule. Forwarding is rate-limited and logged.
calendar.events | Only when you enable calendar-based actions | Create calendar events for deadlines surfaced from matched messages. We only read metadata of events we ourselves created.
com.intuit.quickbooks.accounting | Only when you connect QuickBooks | Create vendors and bills from classified invoices; read existing vendors to avoid creating duplicates.

2. Subprocessors

We use a short list of vendors to run the service. We have a signed data-protection agreement with each, and we do not sell your data. We notify customers at least 30 days before adding a new subprocessor.

Vendor | Purpose | Data shared | Region
Google Cloud Platform | Application hosting (Cloud Run), key management (Cloud KMS), attachment storage (Cloud Storage), managed Postgres database (Cloud SQL), document classification (Document AI), model inference (Vertex AI / Gemini), event delivery (Pub/Sub). | Email headers, attachment contents, classification prompts and responses, encrypted OAuth tokens, account and rule data. | United States (us-central1)
Stripe | Subscription billing and payment processing. | Billing email, plan, payment-method metadata. Stripe holds the card directly; we never see full card numbers. | United States
Intuit (QuickBooks Online) | Optional. Bill and vendor sync when you connect QuickBooks. | Vendor names, bill line items, attachment copies you choose to sync. | United States

3. Data Retention Timelines

Data type | Default retention | Who controls it
Document attachments and classification records | 90 days (configurable 30–3650 days per organization) | You, from Account Settings
Gmail message headers and metadata | Cached only as long as needed to run a rule; not retained after classification | Automatic
Rule definitions and execution logs | Life of the organization | Deleted when you delete your organization
Audit events | Life of the organization, plus 30 days after deletion | Required for security and billing dispute resolution
Encrypted OAuth refresh tokens | Deleted immediately when you disconnect Gmail or QuickBooks | You, from Account Settings
Stripe billing records | Retained by Stripe according to their policy; required by US tax law | Stripe (subprocessor)
Browser fingerprint (trial abuse prevention only) | Stored as a one-way hash; deleted with the account | Automatic

When you delete an organization, we purge attachments, rule definitions, mailboxes, and encrypted tokens immediately. Audit events and account records are retained for 30 days so we can respond to security or billing questions, then deleted.

4. We Never Train AI Models on Your Data

Inbox Admin does not train, tune, or fine-tune any machine-learning model on your email content, attachments, classifications, or rule definitions. We are an inference-only customer of Google Cloud’s Document AI and Vertex AI. Both products are used under enterprise terms that prohibit Google from using our prompts or responses to train their foundation models.

We do not send your data to OpenAI, Anthropic, or any other model provider. We do not use the consumer Gemini API, which has different data-use terms. This rule is carried forward to every subprocessor in our Data Processing Addendum.

5. Encryption at Rest and in Transit

In transit

  • All connections to Inbox Admin web and API are served over TLS 1.2 or higher, with HSTS enabled.
  • Calls to Google (Gmail, Calendar, Document AI, Vertex AI, KMS, Cloud Storage) and Intuit are made over mutually authenticated TLS.
  • Pub/Sub push notifications are signed; we reject any delivery that does not verify.

At rest

  • OAuth refresh tokens (Google and QuickBooks) are encrypted with a dedicated Google Cloud KMS key before they are written to the database. The raw token never touches disk or logs.
  • Gmail history checkpoints used to resume delta sync are also KMS-encrypted at rest.
  • Attachments are stored in Google Cloud Storage in the United States (us-central1). GCS provides AES-256 server-side encryption by default, with keys rotated by Google.
  • Database (Google Cloud SQL for Postgres) is encrypted at rest with Google-managed keys; automated backups are encrypted with the same keys and retained according to our backup policy.
  • Secrets (service credentials, API keys, webhook signing keys) live in Google Secret Manager and are injected into Cloud Run at boot. They are never committed to source control.
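The token-at-rest bullet above describes envelope encryption: a key held in Cloud KMS protects the token before the row is written, and the raw token stays out of disk and logs. The following is an added illustration of that pattern, not Inbox Admin's own code. It assumes a stand-in in-process key (StandInKEK) where production would call KMS Encrypt/Decrypt, and hypothetical organization and mailbox identifiers (org_123, mbx_456); the sample token is constructed, not a real credential. Beyond the bullet itself, it binds each ciphertext to its organization and mailbox row with AES-GCM additional authenticated data, so a blob copied into another row or tenant fails to decrypt, and it shows the only token-derived value that should ever reach a log line.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StandInKEK stands in for the dedicated Cloud KMS key (an assumption of this
// example); in production the KEK bytes never exist in the service and the
// wrap/unwrap calls below are KMS Encrypt/Decrypt RPCs.
type StandInKEK struct{ key []byte }

func NewStandInKEK() *StandInKEK {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand only fails on a broken platform RNG
	return &StandInKEK{key: k}
}

// EncryptedToken is all the mailbox row stores. Both blobs are nonce||ciphertext
// from AES-256-GCM; neither field ever holds the raw token.
type EncryptedToken struct {
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	TokenBlob  []byte // refresh token, encrypted under the data key
}

// String makes an accidental %v or log.Printf of the struct harmless.
func (e EncryptedToken) String() string { return "EncryptedToken{redacted}" }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad), nil // nonce||ciphertext
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// bindingAAD ties a ciphertext to one organization and mailbox row, so a blob
// copied into another row (or another tenant) fails authentication.
func bindingAAD(orgID, mailboxID string) []byte {
	return []byte("refresh-token/" + orgID + "/" + mailboxID)
}

func EncryptRefreshToken(k *StandInKEK, orgID, mailboxID, token string) (EncryptedToken, error) {
	dek := make([]byte, 32) // fresh data key per record
	rand.Read(dek)
	aad := bindingAAD(orgID, mailboxID)
	blob, err := seal(dek, []byte(token), aad)
	if err != nil {
		return EncryptedToken{}, err
	}
	wrapped, err := seal(k.key, dek, aad) // production: KMS Encrypt(dek, aad)
	if err != nil {
		return EncryptedToken{}, err
	}
	return EncryptedToken{WrappedDEK: wrapped, TokenBlob: blob}, nil
}

func DecryptRefreshToken(k *StandInKEK, orgID, mailboxID string, e EncryptedToken) (string, error) {
	aad := bindingAAD(orgID, mailboxID)
	dek, err := open(k.key, e.WrappedDEK, aad) // production: KMS Decrypt
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := open(dek, e.TokenBlob, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt token: %w", err)
	}
	return string(pt), nil
}

// TokenFingerprint is the only token-derived value allowed in logs: a short
// SHA-256 prefix for correlating events that cannot be turned back into the token.
func TokenFingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return "tok_" + hex.EncodeToString(sum[:4])
}
```

Using the KMS key only to wrap a per-record data key keeps the KMS call count to one per token read or write and means a key rotation in KMS re-wraps data keys rather than re-encrypting every stored token. The AAD string is what turns "encrypted at rest" into "encrypted for this row": the same KEK and data key will refuse to open the blob under any other organization or mailbox ID.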

6. Reporting a Security Issue

We have a staffed inbox for security reports. A human reads every message; we aim to acknowledge within one business day and triage within three.

Security contact: security@inbox-admin.com
Please include reproduction steps, impact, and your preferred contact method. We will not pursue legal action for good-faith research that follows responsible-disclosure norms.

For privacy requests (data access, correction, deletion), email privacy@inbox-admin.com or use the self-serve controls in the next section.

7. Self-Serve Data Deletion

You do not need to email us to get your data back or delete it. These controls are live in the product today:

Action | Where | What happens
Disconnect Gmail | Account Settings → Mailboxes | Stops the Gmail push watch and deletes the encrypted refresh token immediately. No new messages are read after disconnect.
Disconnect QuickBooks | Account Settings → Integrations | Deletes the encrypted QuickBooks token. Previously synced bills stay in your QuickBooks account.
Delete an attachment | Dashboard → Review queue | Hard-deletes the GCS object and database row and writes an immutable audit event.
Shorten retention | Account Settings → Retention | Sets how long attachments live. A nightly job purges anything older than the new window.
Delete your entire organization | Account Settings → Danger zone | Owner only. Confirms twice, then purges attachments, mailboxes, rules, and encrypted tokens. Audit events are retained for 30 days for dispute resolution, then deleted.

8. What We Don’t Do

It’s as important to be clear about what Inbox Admin never does as what it does.

  • No AI training on your data. Your email, attachments, and classifications are never used to train or fine-tune any machine-learning model. Google Cloud is an inference-only relationship.
  • No long-term image retention. Attachment images and PDFs live in Cloud Storage only until your organization’s retention window expires (90 days by default, configurable down to 30). After that, a nightly job deletes them. Delete sooner any time.
  • No marketing data sharing. We do not sell, rent, or share your data with ad networks, data brokers, or marketing partners. There are no third-party advertising or analytics pixels on the app.
  • No Gmail writes beyond labels and allow-listed forwards. We can apply labels you asked for and forward to domains you allow-listed. We do not delete, archive, or trash Gmail messages. Note that the gmail.modify scope itself would permit label removal and trashing, so this is a commitment enforced in our code, not a restriction imposed by the scope.
  • Gmail and QuickBooks only. We do not connect to other inbox providers, accounting systems, CRMs, or data warehouses. If we add a new integration in the future, we’ll disclose it here before turning it on.
  • No surprise subprocessors. The subprocessor table above is the complete list. We’ll notify you at least 30 days before adding a new one.
  • No silent scope expansion. If we need a broader OAuth scope for a new feature, you’ll see a fresh Google or Intuit consent screen. We never piggyback on an existing authorization.
