InboxLedger← Home

Privacy Policy

Last updated: April 2026

1. What we collect

InboxLedger collects only what's required to deliver the service:

  • Email address — from your Stripe payment, used to identify your account.
  • Stripe payment ID — to confirm your one-time purchase.
  • Gmail OAuth tokens — encrypted access tokens that let us read your inbox (read-only) on your behalf.
  • Extracted invoice data — vendor, amount, date, and category for each financial email we identify.

2. What we DON'T collect

  • We never store the full content of your emails.
  • We never read non-financial emails — they are skipped during the scan.
  • We do not collect your contacts, calendar, drive files, or any other Google data.
  • We do not collect IP addresses, browser fingerprints, or behavioral analytics.

3. Gmail access

We request the gmail.readonly OAuth scope. This is the minimum scope needed to scan for invoices. We cannot send, delete, or modify any emails. You can revoke our access at any time from your Settings page or directly from Google Account permissions.

Our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements.

4. AI processing

We send the subject, sender, and body of financial-looking emails to Anthropic's Claude API for analysis. Anthropic does not train models on this data and processes it only to return invoice details to us. See Anthropic's privacy policy.

5. Data storage

Your data is stored in Supabase (hosted on AWS US East). Access is restricted to our service role and protected by Row-Level Security. We use HTTPS for all data in transit.

6. Data deletion

You can delete all your data at any time from Settings → Delete Account. This permanently removes your user record, all extracted invoices, and revokes our Gmail access. Deletion is immediate and irreversible.

7. Third parties

We share data only with these processors:

  • Stripe — payment processing
  • Google — Gmail OAuth
  • Anthropic — AI analysis of email content
  • Supabase — database hosting
  • Vercel — application hosting

We never sell your data, ever.

8. Cookies

We use a single session cookie (inboxledger_uid) to keep you signed in. It contains only your user ID, is HTTP-only, and expires after 30 days.

9. Contact

Questions about privacy? Email us at support@inboxledger.com.