Inboxia

Privacy Policy

Last updated: April 15, 2026

1. Data Controller

Inboxia (hereinafter, “we”, “the Platform”) is an AI-powered automated customer service SaaS platform, operated from Spain.

2. Data We Collect

2.1 Registration data

When creating an account on Inboxia, we collect:

  • Full name, email address and password (encrypted with bcrypt)
  • Phone number (optional)
  • Preferred timezone
  • Profile picture (optional)

2.2 Business data

To configure your AI agents, we collect information that you voluntarily provide:

  • Business name, address, description and type of activity
  • Service and/or product catalog (names, prices, descriptions)
  • Opening hours and calendar configuration
  • Business logo and images

2.3 Knowledge base

To train your AI agents, you can voluntarily upload:

  • PDF documents, Excel files
  • Web page URLs for content extraction
  • Manually written frequently asked questions (FAQs)

This data is processed and stored in a vectorized format to allow real-time semantic search. Only your AI agent has access to your knowledge base.

2.4 Conversation data

Inboxia acts as a data processor on behalf of the client, who is the data controller for the data of their end users.

When connecting your communication channels (WhatsApp, Instagram, Messenger), Inboxia processes:

  • Sent and received text messages
  • Media files (photos, videos, audios, documents) shared in the conversations
  • Contact details of the customers who write to you (name, platform number/ID)
  • Conversation metadata (dates, statuses, tags)

2.5 Payment data

Payments are fully processed through Stripe. Inboxia does not store credit card data or sensitive financial information. We only store the Stripe customer equivalent and subscription status.

2.6 Third-party connection data

When connecting external services, we store:

  • WhatsApp: Session data to maintain active connection
  • Instagram: Long-lived access token, username, account ID
  • Messenger: Page access token, page ID, page name
  • Google Calendar: OAuth access token for calendar synchronization

3. Purpose of Processing

We use your data to:

  • Provide the service: Manage your AI agents, process conversations, schedule appointments and offer platform functionalities
  • AI Processing: Your data is sent to OpenAI (GPT-4, Whisper, Vision) to generate intelligent responses, transcribe audios and analyze images, always within the context of your conversations
  • Service improvement: Analyze platform usage to improve features
  • Communications: Send you account-related emails (verification, plan changes, security alerts)
  • Billing: Manage your subscription and process payments through Stripe

4. Legal Basis for Processing

  • Performance of a contract: Processing is necessary to provide the service you have requested (Art. 6.1.b GDPR)
  • Consent: For the use of non-essential cookies and commercial communications (Art. 6.1.a GDPR)
  • Legitimate interest: For fraud prevention and platform security (Art. 6.1.f GDPR)

5. Data Sharing with Third Parties

Inboxia shares data with the following service providers, exclusively to operate the platform and provide the features you request:

  • OpenAI (USA) — Natural language processing, image analysis and audio transcription. Data is sent under OpenAI's enterprise-grade API policy, which does not use the data to train their models. Google user data is never sent to OpenAI.
  • Stripe (USA) — Payment processing and subscription management
  • Meta Platforms (USA) — For integration with Instagram and Messenger (official API)
  • Google (USA) — For Google Calendar synchronization (only with users who have explicitly granted the corresponding OAuth permissions)
  • MongoDB Atlas — Encrypted database storage

International data transfers are carried out under the European Commission's Standard Contractual Clauses and/or the EU-US Data Privacy Framework.

We do not transfer or disclose your information to third parties for purposes other than the ones described in this policy. In particular, we do not sell, rent or otherwise share your data for advertising, marketing profiling, data brokerage, resale to information brokers, credit-worthiness evaluation, lending purposes, or targeted/personalized/retargeted advertising.

6. Google User Data

When you connect your Google account to use the Google Calendar integration, Inboxia's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6.1 What Google user data we access

  • Your Google account email address and profile name (to identify the connected account in our dashboard)
  • Google Calendar events, calendars and availability for the calendars you explicitly select (read/write access to create, update, delete and query appointments booked by your AI agent)
  • OAuth access and refresh tokens, stored encrypted at rest

6.2 How we use Google user data

Google user data is used solely to provide and improve the user-facing Calendar features you have activated: reading availability so the AI agent can offer time slots, and creating, modifying or cancelling events on your behalf during conversations with your customers.

6.3 Who we share Google user data with

Inboxia does not share, transfer or disclose your Google user data to any third party, except:

  • With you and your end users — event details are shown in the Inboxia dashboard and communicated to the customers you are chatting with, as part of the service you have configured.
  • Google itself — to perform the Calendar API calls you have authorized.
  • Infrastructure providers acting as data processors under strict confidentiality — Hetzner (EU, server hosting) and MongoDB Atlas (encrypted database). These providers cannot access Google user data in a usable form and cannot use it for their own purposes.
  • When legally required — to comply with applicable law, regulation, legal process or enforceable governmental request.
  • With your explicit consent — for any other transfer, we will request your affirmative consent in advance.

6.4 Prohibited uses

In accordance with the Google API Services User Data Policy, Inboxia explicitly does NOT:

  • Transfer Google user data to third parties for serving advertisements, including retargeted, personalized or interest-based advertising
  • Sell Google user data or share it with data brokers or information resellers
  • Use Google user data to determine credit-worthiness or for lending purposes
  • Use Google user data to train, fine-tune or evaluate generalized AI/ML models; the AI agent only reads the specific event information needed to respond to each customer conversation in real time, and this data is not retained for model training
  • Allow humans to read Google user data, unless we have obtained your affirmative consent for specific data, it is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized and is used for internal operations

6.5 Revoking access and deletion

You can revoke Inboxia's access to your Google account at any time from the integrations section of your dashboard or from your Google Account permissions page. Upon revocation, OAuth tokens are deleted from our systems within 7 days. You can also request deletion of all Google-derived data we hold by contacting agent@inbox-ia.com.

7. Data Retention

  • Account data: As long as you keep your account active and during the subsequent legal period
  • Conversations: As long as you keep your account active. Multimedia files are automatically deleted after 30 days
  • Payment data: According to applicable tax obligations (minimum 5 years)
  • Knowledge base: Until you manually delete it or cancel your account

8. Your Rights (GDPR)

As a user, you have the right to:

  • Access: Request a copy of the data we have about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request the deletion of your data (“right to be forgotten”)
  • Portability: Receive your data in a structured format
  • Object: Object to the processing of your data
  • Restriction: Request the restriction of processing

To exercise any of these rights, contact us at agent@inbox-ia.com. We will respond within a maximum of 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

9. Security

We implement technical and organizational security measures to protect your data:

  • Passwords encrypted with bcrypt
  • Communications encrypted with HTTPS/TLS
  • Authentication via JWT tokens
  • Third-party tokens securely stored and automatically renewed
  • Fraud prevention system to detect misuse

10. Minors

Inboxia is not directed to children under 16. We do not knowingly collect data from minors. If we discover that a minor has registered, we will delete their account and associated data.

11. Changes to this Policy

We reserve the right to update this privacy policy. We will notify you of any significant changes via the platform or by email. Continued use of the service after the changes implies acceptance of the updated policy.

12. Contact

For any inquiries regarding privacy or data protection, you can contact us at: