This Privacy Policy explains how Inboxless collects, uses, stores, shares, and protects information when you visit the site, create an account, connect a mailbox, import leads, send outreach, receive replies, or otherwise use the product.

Inboxless is operated by YVV Studio. This policy applies to the public site, the authenticated product, and the workflows directly required to operate them.

Inboxless is a business outreach workspace. In practice that means the service processes two broad categories of information: account and operational data that belongs to the workspace user, and contact or communication data that the user chooses to place into the workspace in order to run outbound activity. This policy covers both categories because both are necessary to make the product work.

If you use Inboxless on behalf of a company, team, client, or employer, you are responsible for making sure you have the authority to provide the information you upload and to use the service for the intended outreach activity. Where the user acts as the controller for prospect, customer, or partner data, Inboxless and its operator YVV Studio act as a service provider or processor for that workspace content.

Inboxless collects information you provide directly, information generated by your use of the service, and information imported from connected systems. The exact data involved depends on which features you actually use.

Account and authentication data may include your email address, password credentials handled through the authentication stack, session and access tokens, password reset metadata, workspace identifiers, and account timestamps. Preference and UI state data may include theme choice or similar local product settings stored to keep the interface consistent across sessions.

CRM and outreach workspace data may include lead names, first and last names, email addresses, phone numbers, company names, website URLs, tags, notes, status values, source fields, raw lead payloads, follow-up timing, template names, subject lines, template body content, campaign definitions, automation steps, and user-authored notes about the next action to take.

We receive information from you when you sign up, sign in, create leads, compose templates, write notes, connect Gmail, launch campaigns, or interact with inbox features. We also receive data from the systems you connect or trigger through normal product use.

If you connect Gmail, Inboxless receives message and account data from Google only to the extent required to sync conversations, send mail on your behalf, track replies, update unread state, and show conversation history inside the workspace. If you disconnect Gmail, new sync activity stops, subject to data retention and legal obligations described below.

Some technical information is generated automatically by the application and infrastructure, such as timestamps, request metadata, job execution results, error codes, device or browser context implied by HTTP requests, and session or security checks required to authenticate requests and defend the product from abuse.

We use information to operate the service you asked us to provide. That includes creating and securing accounts, authenticating users, storing lead records, generating outreach workflows, rendering the inbox, syncing connected mailbox data, recording message history, and allowing you to see which conversations require attention.

We also use information to maintain and improve the service. That includes debugging failures, investigating broken sync jobs, enforcing data integrity, preventing duplicate records, responding to support requests, and understanding whether core product workflows are functioning as intended.

Where reasonably necessary, we use information to protect the product, other users, and third parties. That includes enforcing rate limits, protecting connected mailbox credentials, preventing misuse of sending features, and investigating conduct that appears fraudulent, abusive, unlawful, or incompatible with these terms.

Where privacy laws require a legal basis, Inboxless generally relies on contract or pre-contractual necessity to provide the service you requested, legitimate interests to secure and improve the product, and legal obligations where retention, audit, or disclosure is required by applicable law. In limited cases, we may rely on consent, for example where a specific connected-service authorization flow requires it.

You remain responsible for the legality of the contact data and communications you place into the product. Inboxless provides workflow infrastructure; it does not independently validate that every prospect list, outreach message, or recipient relationship is lawful in your jurisdiction or the recipient's jurisdiction.

You are expected to maintain an appropriate legal basis for contact processing, comply with opt-out obligations, and avoid uploading or sending information that you do not have the right to use. If you operate in a regulated environment or process special categories of personal data, you must evaluate whether Inboxless is appropriate for that use before continuing.

Inboxless does not sell personal information and is not designed as an advertising data broker. We share information only where sharing is necessary to run the service, where you direct us to do so through a feature you use, or where disclosure is required for legal or security reasons.

In practice, data may be made available to infrastructure, hosting, database, authentication, and email integration providers that support the product; to Google when you connect Gmail and authorize the related scopes; and to professional advisers or authorities when required to protect rights, respond to disputes, or comply with law.

Any such sharing is limited to the information reasonably necessary for the relevant service or legal purpose. We expect providers that process Inboxless data on our behalf to operate under confidentiality and security obligations appropriate to the sensitivity of the data involved.

We retain information for as long as it is reasonably necessary to provide the service, maintain the integrity of workspace history, investigate security events, comply with law, resolve disputes, and enforce agreements. Different categories of data may be retained for different periods depending on operational need and legal risk.

Lead records, templates, campaign settings, follow-up history, inbox metadata, and message content stored in the product may remain in the workspace until deleted by the user, removed as part of account closure, or purged under internal retention practices. Backup and log systems may retain copies for a limited additional period where technically necessary.

Connected mailbox tokens are retained only for as long as the mailbox remains connected and the service needs the tokens to perform authorized actions, unless earlier deletion is required. When a token is rotated, revoked, or no longer valid, replacement or cleanup may occur as part of normal service operations.

Inboxless uses administrative, technical, and organizational measures designed to protect data against unauthorized access, misuse, loss, and disclosure. Those measures include authentication controls, row-level access restrictions within the data layer, server-side authorization checks, token handling controls, encrypted storage of mailbox credentials, and operational logging to investigate failures and abuse.

No cloud service can guarantee absolute security, and no policy should be read as a promise that a breach can never happen. Users should still use strong passwords, protect their devices, limit who has access to their workspace, and disconnect third-party accounts that are no longer needed.

If we become aware of a confirmed incident that materially affects personal information stored in Inboxless, we may investigate, contain, remediate, and notify affected parties as required by applicable law and the circumstances of the event.

Inboxless may rely on service providers or infrastructure that process data in more than one country. As a result, information may be transferred to and processed in jurisdictions other than the one where you or your contacts are located.

Where applicable law requires transfer safeguards, we intend to use appropriate legal, contractual, or technical measures that are reasonably available for the product and the providers involved. You should not use the service for data that cannot lawfully be transferred under the rules that apply to your organization.

Depending on your jurisdiction, you or the individuals whose data you control may have rights to access, correct, delete, export, restrict, or object to certain processing. Because Inboxless often acts as a processor for workspace content, requests relating to lead or message data may need to be directed first to the workspace owner or organization that uploaded the information.

You can also exercise certain controls directly in the product by editing or deleting workspace records, disconnecting Gmail, marking messages, and updating templates. If you need help with a request that cannot reasonably be completed from within the interface, use the support or contact channel made available with the service.

Where consent is the basis for a specific integration or communication step, you may withdraw that consent, although the withdrawal will not retroactively affect earlier lawful processing. Some data may still be retained where required for security, audit, fraud prevention, or legal compliance.

Inboxless is a business product and is not intended for children. Do not use the service to knowingly collect, store, or send personal information about children where doing so would violate applicable law.

The product is also not intended to be a repository for highly sensitive categories of data unless you have independently determined that the use is lawful, appropriate, and supported by adequate controls. In ordinary use, users should avoid uploading health data, financial account credentials, government identification numbers, or similarly sensitive content unless there is a compelling lawful reason and you have assessed the risks.

We may update this Privacy Policy as the product evolves, the law changes, or our operational practices change. When we do, we may update the revision date and publish the new version through the site or the product.

Your continued use of Inboxless after the effective date of an updated policy means the updated version governs your use going forward, to the extent permitted by law. If a change materially affects how sensitive data is handled, additional notice may be appropriate.