Privacy & Email Safety

EarBox is designed around data minimization. We aim to process newsletters only and avoid personal email.

Effective date: May 2026

The core promise

- You connect Gmail once. We request the minimum permissions required to detect newsletters.

- We apply two filters before processing: Gmail categorization, then a List‑Unsubscribe check.

- If it’s not a newsletter, we drop it. Your personal emails never reach our pipeline.

How the filtering works

- Step 1: Gmail categorizes mail (e.g. Promotions / Updates).

- Step 2: We receive a “new mail” notification.

- Step 3: Before processing, we verify List‑Unsubscribe.

- Step 4: If it’s a newsletter, we generate an audio briefing. Otherwise we discard it.

What data we access

- Gmail metadata used for detection (e.g. sender address, subject, date, and unsubscribe-related headers).

- Newsletter content only when it matches the newsletter filters described above.

- Account identifiers needed to associate content with your EarBox account.

What we store

- Your selected newsletter sources (senders you enable/disable) and basic source metadata.

- Generated briefings (titles, summaries, and related metadata) associated with your account.

- OAuth tokens required to keep the integration working. You can disconnect at any time to revoke ongoing access.

Security & data protection

- Encryption in transit: we use HTTPS/TLS to protect data sent between your device, EarBox, and our service providers.

- Encryption at rest: our infrastructure providers encrypt stored data at rest as part of their managed services.

- Access controls: access to stored OAuth tokens and user data is restricted and limited to what is required to operate the service.

- Least privilege: we use scoped access and server-side credentials for backend operations. We do not store your Gmail password.

- Monitoring: we may log operational events to detect abuse and diagnose issues, and we rotate secrets if we suspect compromise.

Third‑party processors

- We use infrastructure providers to host the application and database (e.g. Supabase).

- We may use AI or audio providers to generate summaries and audio from newsletter content that you opted into.

- We do not sell your email data.

Google API data use (Limited Use)

- EarBox’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

- We use Gmail data only to provide user-facing features inside EarBox (newsletter detection, summaries, and briefings).

- We do not use Google user data to train or improve generalized AI/ML models.

What we don’t do

- We don’t read your personal emails.

- We don’t analyze attachments.

- We don’t sell email data.

Retention & deletion

- You can disconnect Gmail at any time to stop ongoing access.

- We keep the minimum OAuth tokens required for the integration while it is connected. Disconnecting removes stored tokens for continued access.

- You can delete briefings and saved items from within the app. If you need full account deletion, contact us via the email address listed on the OAuth consent screen.

Your controls

- You can disconnect Gmail at any time in the product.

- You can enable/disable individual senders to control what is processed.

- You can delete briefings and saved items from your account within the app.

Early access & waitlist

During early access, we may limit access to a subset of users. The public landing page may collect emails for a waitlist, and users may be onboarded in waves.

Contact

For privacy questions, contact us via the email address listed on the OAuth consent screen.