Privacy Policy & GDPR
Last updated: April 2026
1. Data Controller
The data controller for Inbox Buddy is:
Eorghe SRL
Romania
Contact: contact page
2. What Data We Process
We process the minimum data necessary to provide the service:
- Google OAuth tokens (access token + refresh token) — used to call the Gmail API on your behalf. Stored only in an encrypted, httpOnly session cookie. Never written to a database.
- Your Gmail address and display name — retrieved from Google at sign-in and held in the same session cookie to display in the UI.
- Email metadata (sender address, sender name, unread count) — fetched live from Gmail on each page load. Never stored anywhere outside your browser session.
We do not read, store, or process email bodies or subjects.
3. Legal Basis (GDPR Art. 6)
Processing is based on your explicit consent given during the Google OAuth flow and your acceptance of these terms (Art. 6(1)(a) GDPR), and on our legitimate interest in providing the service you requested (Art. 6(1)(f) GDPR).
4. Data Retention
All session data is stored in a browser cookie with a maximum lifetime of 7 days. Signing out immediately clears the cookie. No data is persisted in any server-side database.
5. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Google LLC — as the OAuth and Gmail API provider. Your use of Google services is governed by Google's Privacy Policy.
- Cloudflare — as the infrastructure/hosting provider. Cloudflare may process request metadata (IP address, user-agent) as part of normal network operations.
6. Your Rights Under GDPR
As a data subject in the EU/EEA you have the right to:
- Access — request a copy of any personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a portable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — at any time, by signing out and revoking access in your Google Account settings.
To exercise these rights, contact us via the contact page. You also have the right to lodge a complaint with the Romanian data protection authority (ANSPDCP) or your local supervisory authority.
7. Cookies
We use a single, strictly necessary gmail_cleaner_session cookie. This cookie is httpOnly, Secure, and SameSite=Lax. It is essential for the service to function and does not require consent under ePrivacy rules. We do not use analytics, advertising, or tracking cookies.
8. Security
Session data is encrypted using a server-side secret key. Communication between your browser and our servers is encrypted via HTTPS/TLS.
9. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent revision.
