Privacy Policy

Last updated: 1 January 2026

InboxCorvid is committed to protecting your privacy and your customers' data. We process email data solely to provide the Service and never sell, rent, or use it for advertising.

1. Who We Are

InboxCorvid is operated by Colin Cross (trading as InboxCorvid). For any privacy-related enquiries, please contact us at: colincrossa@gmail.com

InboxCorvid operates as a data processor on behalf of its business clients (who are the data controllers) with respect to end-customer email data. InboxCorvid is also a data controller for the personal data of its own registered business clients.

2. Data We Collect About You (Our Client)

When you create an InboxCorvid account, we collect:

Business name — used to personalise your dashboard and AI replies
Contact email address — used for account communications and password resets
Username — used for account login
Password — stored as a salted PBKDF2-SHA512 hash; we never store your plain-text password
Email credentials (IMAP/SMTP) — stored encrypted on our server, used solely to connect to your inbox
Business profile information — industry, tone, products, refund policy, and other settings you provide to configure the AI
Usage data — activity logs showing when the AI agent ran, how many emails were processed, and outcomes

3. Data We Process on Your Behalf (Your Customers' Emails)

When InboxCorvid connects to your inbox, it accesses and processes incoming email messages. This includes:

Email sender address
Email subject line
Email body text

This data is used solely to:

Categorise the email using AI
Generate a professional reply draft
Store a summary in your contact history for CRM purposes

We do not store full email bodies after processing. Only the AI-generated summary, category, sentiment, and reply status are retained in your contact history.

As a business client, you are the data controller for your customers' data. You are responsible for ensuring you have an appropriate legal basis (such as legitimate interest or contractual necessity) for processing your customers' emails through a third-party service, and for disclosing this in your own Privacy Policy.

4. How We Use Your Data

We use the data we collect to:

Provide, operate, and improve the Service
Authenticate your account and maintain security
Send you important account communications (password resets, service notices)
Generate analytics and activity reports for your dashboard
Investigate security incidents or abuse

We do not use your data or your customers' data for advertising, profiling, or any purpose unrelated to operating the Service.

5. AI Processing (Google Gemini)

InboxCorvid uses Google Gemini, an AI model operated by Google LLC, to analyse and respond to emails. When an email is processed, its body text is sent to the Gemini API. This data is subject to Google's Privacy Policy and Google's API data use terms. Google states that data submitted via the Gemini API is not used to train their models by default.

By using InboxCorvid, you consent to email content being transmitted to Google's Gemini API for processing.

6. Data Storage and Security

Your data is stored on secure servers. We implement the following security measures:

Passwords hashed using PBKDF2-SHA512 with unique per-user salts
HTTPS enforced for all connections
Rate limiting on all authentication endpoints
Two-factor authentication for developer access
SSRF protection preventing connections to internal network addresses

No method of data storage or transmission is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security.

7. Data Retention

Account data — retained for as long as your account is active, then deleted within 30 days of account closure
Activity logs — retained for up to 90 days
Contact history and CRM summaries — retained until you delete them or close your account
Email body content — not retained after AI processing is complete

8. Your Rights (GDPR)

If you are based in the UK or EU, you have the following rights under the UK GDPR and EU GDPR:

Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your personal data ("right to be forgotten")
Right to restriction — request that we restrict processing of your data
Right to data portability — receive your data in a structured, commonly used format
Right to object — object to processing based on legitimate interests

To exercise any of these rights, please contact us at colincrossa@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

InboxCorvid uses a single session cookie to keep you logged in. This cookie is strictly necessary for the operation of the Service and does not track you across other websites. No third-party tracking or advertising cookies are used.

10. Third-Party Services

InboxCorvid integrates with the following third-party services:

Google Gemini API — for AI email processing (see Section 5)
Your email provider (Gmail, Outlook, etc.) — via standard IMAP/SMTP protocols

We do not share your data with any other third parties except as required by law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice in the dashboard. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

12. Contact Us

For any privacy questions, data requests, or concerns, please contact:

InboxCorvid — Data Privacy
Email: colincrossa@gmail.com