Privacy Policy

Last updated: April 18, 2026

1. Who We Are

The data controller responsible for processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) and equivalent data-protection laws worldwide is:

Christian Louis IT Beratung
Alter Steinweg 3, 20459 Hamburg, Germany

Contact: christian@inboxconverge.com

For all data-protection enquiries (access, erasure, correction, objection or complaints) please use the email address above. We respond within 30 days (or the period required by applicable law).

2. Scope of This Policy

This policy applies to the InboxConverge web application and all associated services. It covers all users worldwide, including those in the European Union (EU), European Economic Area (EEA), United Kingdom, Switzerland, and the United States.

A German-language version of this policy is available at /datenschutz.

3. What Data We Collect and Why

3.1 Account and Authentication Data

When you create an account or sign in with Google we may receive your name, email address, and profile picture from Google OAuth 2.0. We use this data solely to authenticate you and identify your account within InboxConverge.

Legal basis (GDPR Art. 6): (b) contract performance.

3.2 Source Mailbox Credentials

To fetch email from your legacy POP3 / IMAP accounts you provide server details and credentials. These are stored encrypted at rest using AES-256 and are never transmitted to any third party.

Legal basis (GDPR Art. 6): (b) contract performance.

3.3 Gmail API OAuth Tokens

To inject email into your Gmail account, InboxConverge requests the following Google OAuth 2.0 scopes:

https://www.googleapis.com/auth/gmail.insert — inserts messages directly into your Gmail mailbox without sending them through SMTP.
https://www.googleapis.com/auth/gmail.labels — creates and manages Gmail labels so imported messages can be tagged (e.g. “imported”).
https://www.googleapis.com/auth/gmail.readonly — reads your Gmail profile (email address) to confirm the connection is working.

The resulting access and refresh tokens are stored encrypted at rest. Tokens are refreshed automatically by the service when they expire and the refreshed token is persisted back to the database. You can revoke access at any time from your Google Account permissions page.

Legal basis (GDPR Art. 6): (b) contract performance.

3.4 Email Content

Email bodies and attachments are read from your source accounts and written to your Gmail account. They are processed in memory only; no email content is written to persistent storage other than within your own Gmail account.

Legal basis (GDPR Art. 6): (b) contract performance.

3.5 Processing Logs

We retain limited operational logs (message subject line, sender address, timestamp, success/failure flag) for up to 90 days. These are used to diagnose delivery problems and are accessible only to you and our operations team.

Legal basis (GDPR Art. 6): (f) legitimate interests.

4. Google API Services — Limited Use Disclosure

Limited Use Policy Compliance

InboxConverge’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, InboxConverge commits to the following with respect to data obtained via Google APIs:

Single purpose: Google user data is used only to deliver the core service — importing email from legacy mailboxes into your Gmail account.
No transfer to third parties: We do not sell, rent, transfer, or disclose Google user data to third parties, except as necessary to provide the service (e.g. the Gmail API call itself) or as required by law.
No advertising: We do not use Google user data to serve advertisements or for advertising-related purposes.
No human reading: We do not allow humans to read your Gmail data unless you have given us explicit permission to do so (e.g. for diagnosing a reported technical problem), or it is required by law.
No profiling: We do not use Google user data to build profiles, perform analytics, or engage in behavioural tracking beyond what is strictly necessary to operate the service.
Security: All data obtained from Google APIs is stored with AES-256 encryption at rest and transmitted only over TLS-encrypted connections.

5. Data Minimisation and Purpose Limitation

We collect only the minimum personal data needed to operate the service.
Email content is processed solely for the forwarding purpose you initiate.
No advertising, behavioural tracking, or profiling is performed.
No tracking cookies or analytics scripts are loaded.

6. Cookies and Similar Technologies

The service uses only strictly necessary session cookies to maintain your authenticated session. These cookies are essential for the service to function and are exempt from prior-consent requirements under the EU ePrivacy Directive (Art. 5(3)). We do not use analytics cookies, advertising cookies, or tracking pixels.

7. Third-Party Services

Google OAuth / Gmail API:Authentication and Gmail delivery are handled via Google’s APIs. Google processes your credentials according to its own Privacy Policy.

No sale or sharing for advertising: We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

8. International Data Transfers

Where personal data is transferred outside the EEA we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) pursuant to EU Decision 2021/914/EU and European Commission adequacy decisions.

9. Data Retention

Session data: deleted on logout or session expiry.
Account configuration and metadata: retained for the duration of your use of the service.
Processing logs: retained for up to 90 days.
OAuth tokens: stored encrypted and revocable at any time via your Google Account.
Account deletion: all data associated with your account is permanently deleted within 30 days of account closure. You can request deletion by emailing christian@inboxconverge.com.

10. Data Security

AES-256 encryption of credentials at rest.
TLS / HTTPS for all communications.
Role-based access controls to protect personal data.
CSRF protection for all state-changing requests.

11. Your Rights (EU / EEA / UK / Switzerland)

Right of access (Art. 15): a copy of the data held about you.
Right to rectification (Art. 16): correction of inaccurate data.
Right to erasure (Art. 17): deletion of your personal data.
Right to restriction (Art. 18): temporary suspension of processing.
Right to portability (Art. 20): data in a machine-readable format.
Right to object (Art. 21): objection to processing based on legitimate interests.

To exercise any of these rights, contact us at christian@inboxconverge.com. Complaints may be directed to the relevant supervisory authority (in Germany: BfDI).

12. Additional Rights — United States (CCPA / CPRA)

If you are a California resident or resident of another US state with applicable privacy legislation, you have the right to know, delete, correct, and opt out of the sale of personal information. We do not sell or share personal information. Contact: christian@inboxconverge.com.

13. Additional Rights — Canada (PIPEDA / Law 25)

If you are in Canada, you have the right to access, correct, and withdraw consent under PIPEDA and provincial privacy laws. Contact: christian@inboxconverge.com.

14. Additional Rights — Other Jurisdictions

Users in Brazil (LGPD), Japan (APPI), Australia (Privacy Act 1988), South Korea (PIPA), Singapore (PDPA), and other markets may exercise equivalent data-protection rights under applicable national law. Contact: christian@inboxconverge.com.

15. Changes to This Policy

We may update this policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. For material changes we will notify users via an in-app notice or email.

16. Contact Us

For questions or concerns about this policy or your data, please contact: christian@inboxconverge.com

Christian Louis IT Beratung
Alter Steinweg 3, 20459 Hamburg, Germany