Privacy Policy

Last updated: October 10, 2025

📧 About Gmail Permissions

Google shows this permission: "View, compose, and send emails from your Gmail account"

This looks scary, but here's what we ACTUALLY do:

  • Read only the recipient address to detect email aliases (ex: your+amazon@gmail.com)
  • Create labels based on the detected alias (ex: "amazon" folder)
  • Move emails to the appropriate label (remove from INBOX, add to folder)

What we NEVER do:

  • Read the body/content of your emails
  • Compose or send emails on your behalf
  • Share your data with third parties or use it for advertising

💡 Why this broad permission? Google groups permissions broadly. To move emails between folders, we need the gmail.modify scope, which unfortunately has this scary description. But we only use it for organizing your emails, nothing else.

1. Introduction

Sortbox ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email management service ("the Service").

The Service is operated by Nicolas Magne, an independent developer based in France.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

When you create an account and connect your Gmail, we collect:

  • Google Account Information: Name, email address, profile picture
  • Authentication Data: OAuth 2.0 access tokens and refresh tokens

2.2 Gmail Data We Access

With your explicit consent, we access the following Gmail data through the Gmail API:

  • Email Metadata: Subject lines, sender addresses, recipient addresses, timestamps
  • Labels: Existing labels and label information
  • Message IDs: Unique identifiers for messages
  • History Information: Changes to your mailbox for real-time synchronization

Important: We do NOT read, store, or access the body content of your emails.

2.3 Automatically Collected Information

  • Usage Data: Features used, actions performed, timestamps
  • Technical Data: Browser type, device information, IP address
  • Analytics Data: Number of emails processed, labels created, sorting statistics

3. How We Use Your Information

We use the collected information solely to:

  • Provide the Service: Automatically sort and organize your emails based on recipient addresses
  • Create and Manage Labels: Create Gmail labels dynamically based on email aliases
  • Move Messages: Automatically move emails to appropriate labels
  • Display Analytics: Show you statistics about your email organization
  • Maintain Your Account: Authenticate and manage your user account
  • Improve the Service: Understand usage patterns to enhance features
  • Security: Monitor for suspicious activity and prevent abuse

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data based on:

  • Consent: You explicitly consent to Gmail access when connecting your account
  • Contract Performance: Processing is necessary to provide the Service you requested
  • Legitimate Interest: We have a legitimate interest in improving and securing the Service

You can withdraw your consent at any time by disconnecting your Gmail account.

5. How We Share Your Information

5.1 Third-Party Services

We integrate with the following third-party services:

  • Google (Gmail API): To access and manage your Gmail data
  • Google Cloud Pub/Sub: To receive real-time notifications about mailbox changes

5.2 We Do NOT Share Your Data

We will NEVER:

  • Sell your personal data to third parties
  • Share your email data with advertisers
  • Use your data for marketing purposes beyond the Service
  • Disclose your information except as required by law

5.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if necessary to protect our rights, property, or safety.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data transmission uses HTTPS/TLS encryption
  • Secure Storage: OAuth tokens are encrypted at rest in our database
  • Access Control: Strict access controls limit who can access data
  • Regular Audits: We regularly review our security practices
  • OAuth 2.0: We use Google's secure OAuth 2.0 protocol for authentication

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

  • Active Accounts: We retain OAuth tokens and account data while your account is active
  • After Disconnection: When you disconnect your Gmail account, we immediately revoke access tokens
  • After Account Deletion: All personal data is permanently deleted within 30 days of account deletion
  • Analytics Data: Anonymized usage statistics may be retained for service improvement

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing of your data
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise these rights, please contact us at nicolas.magne.ideas@gmail.com.

9. Cookies and Tracking Technologies

We use the following technologies:

  • Essential Cookies: Required for authentication and session management
  • Functional Cookies: Remember your preferences and settings
  • Analytics: Understand how users interact with the Service (anonymized)

You can control cookies through your browser settings, but this may affect Service functionality.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards are in place:

  • Data is stored in secure, GDPR-compliant data centers
  • We use standard contractual clauses for international transfers
  • Google's infrastructure complies with international data protection standards

11. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Google API Services User Data Policy

Sortbox's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request Gmail permissions necessary to provide the email sorting functionality
  • We do not use Gmail data for serving advertisements
  • We do not allow humans to read your email content unless explicitly required for security or compliance purposes, and only with your consent
  • We do not transfer Gmail data to third parties except as necessary to provide the Service

13. Revoking Access

You can revoke Sortbox's access to your Gmail at any time by:

Upon revocation, we will immediately stop accessing your Gmail and delete associated OAuth tokens.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Sending an email to your registered address
  • Posting a notice in the Service
  • Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Data Controller Information

The data controller for your personal data is:

Nicolas Magne

Independent Developer

France

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: nicolas.magne.ideas@gmail.com

We will respond to your inquiry within 30 days.

17. Supervisory Authority

If you are located in the European Economic Area, you have the right to lodge a complaint with a data protection supervisory authority.

For France, the supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).

By using Sortbox, you acknowledge that you have read and understood this Privacy Policy.