Unibox

Privacy Policy

Privacy

Last updated: May 2026. We try to write privacy policies in plain English; the legal version is available on request.

What data we collect

Account data: your email address, role (admin or member), and Google user ID — used for authentication and access control.

Workspace metadata: aliases, tags, statuses, internal notes, audit log entries, workflow definitions and run history. This is the data Unibox is built to manage.

Mail content: we read mail through Google's Gmail API on demand to render threads in our UI. We do not duplicate or persistently store message bodies in our database.

Operational logs: timestamps, IP addresses, error stack traces. Used for debugging and security auditing only.

What we don't collect

We don't train AI models on your mail. AI features (suggested replies, classify, summarize) call your own configured provider with your own API key — Unibox forwards the request body and returns the response.

We don't sell your data. We don't share it with third parties for marketing.

Where it lives

Mail remains in Google Workspace; we never replicate it. Metadata and audit logs live in our Postgres database hosted in the EU.

OAuth tokens are encrypted at rest with Fernet. Stripping a workspace deletes the encrypted tokens and revokes Google's grant.

How long we keep it

Audit logs: 90 days, then automatically deleted.

Workflow run history: 30 days, then automatically deleted.

OAuth state tokens: 10 minutes (used only during the OAuth handshake).

Workspace metadata: kept while your workspace is active; deleted within 30 days of workspace deletion.

Your rights (GDPR)

You have the right to access, correct, export, and delete your personal data. Deleting your workspace via Settings → Integrations triggers token revocation and a 30-day metadata cleanup. For an export of metadata, email privacy@unibox.cx and we'll deliver it within 7 days.

Sub-processors

Hosting: Railway (US/EU). Database: Postgres on Railway.

Email infrastructure: customer's own Google Workspace.

Optional AI providers: whichever provider you configure (Anthropic, OpenAI, Google, Mistral). We never call an AI without your explicit configuration.

Cookies

We set one cookie for session state on the marketing site. The product itself uses localStorage for the auth JWT and a one-time keyboard-shortcut hint dismissal. No tracking pixels.

Contact

Privacy questions, data subject requests, breach disclosures: privacy@unibox.cx.

See also our Terms and Data Processing Addendum.