Command Inbox

Last updated June 17, 2026

Privacy Policy

Command Inbox ("we," "us," or "our") provides a keyboard-first email and calendar workspace that connects to your Google account. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

Information we collect

Account information

When you sign in with Google, we receive your name, email address, and profile image from your Google account. We use this to create your account and identify you within the service.

Google Gmail and Calendar data

With your permission, we access Gmail and Google Calendar through Google's APIs. This includes email threads, message content, attachments metadata, calendar events, and availability. We use this data to triage your inbox, surface commitments, create calendar invites, send drafts, and power search and agent workflows you initiate.

Data you create in Command Inbox

We store app-specific data such as triage lanes, snoozes, meeting links, contacts you add, AI provider preferences, and chat history with the in-app agent.

AI processing

Email content may be sent to AI providers (such as OpenAI or Google Gemini) for classification, drafting, and agent tasks. You can supply your own API keys in Settings; otherwise we may use platform-provided keys as a fallback. AI providers process data according to their own policies.

Technical data

We collect standard server logs (IP address, browser type, timestamps) and session cookies required for authentication and security.

How we use your information

  • Provide, maintain, and improve Command Inbox
  • Authenticate you and keep your session secure
  • Classify email, extract commitments, and run workflows you request
  • Sync calendar availability and create events on your behalf when you approve actions
  • Send real-time updates to your browser via our realtime provider
  • Respond to support requests and fix bugs

We do not sell your personal information.

How we store and protect data

Application data is stored in encrypted databases hosted by our infrastructure providers (including Neon Postgres). OAuth tokens and sensitive credentials are encrypted at rest. Email and calendar data is also cached through the Corsair integration layer to reduce API calls and improve performance.

No system is perfectly secure. We use industry-standard practices, but we cannot guarantee absolute security.

Third-party services

We rely on third parties to operate Command Inbox, including:

  • Google (Gmail, Calendar, OAuth)
  • Corsair (email and calendar integration)
  • Neon (database hosting)
  • Vercel (application hosting)
  • Pusher (realtime updates)
  • AI providers you select or that we use as fallback (OpenAI, Google)

Each provider processes data under its own terms and privacy policies. We share only what is necessary to deliver the service.

Data retention

We retain your data while your account is active. If you disconnect Google or delete your account, we delete or anonymize associated data within a reasonable period, except where we must retain information for legal, security, or backup purposes.

Your choices

  • Revoke Google access — disconnect in Settings or via your Google Account permissions
  • Bring your own AI keys — use your own provider keys instead of platform fallbacks
  • Request deletion — contact us to request account and data deletion

Children

Command Inbox is not directed at children under 13. We do not knowingly collect information from children.

Changes

We may update this policy from time to time. We will post the revised version on this page and update the "Last updated" date.

Contact

Questions about this policy? Open an issue on our GitHub repository.