Privacy Policy

Last updated: July 13, 2026

This policy describes how ScrubInbox handles your data when you use the hosted app at app.scrubinbox.com. The self-hosted, open source version of ScrubInbox is not covered by this policy — self-hosters are their own data controller.

The short version: The content of your emails never leaves your browser. To run the paid hosted service we do store a small amount of account and purchase data (your email address, your entitlement, and a running count of how many threads you've scanned and trashed) in a Postgres database at our sub-processor Neon. Payments are handled by Stripe. Subject lines, sender information, and thread bodies are never transmitted to our servers. To keep you signed in without asking for consent every hour, we also store your Google refresh token — encrypted with AES-256-GCM at rest, decryptable only by our Cloudflare Worker.

What data ScrubInbox accesses from Google

When you sign in with Google and grant access, ScrubInbox uses the Gmail API to access:

ScrubInbox does not access the body or content of your emails. It only requests thread metadata (headers and labels).

What we store on our servers

To operate the hosted service we store the following, and only the following, in our Postgres database at Neon (see sub-processors below):

We do not store: email content, subject lines, sender names or addresses, thread IDs, label names, or any Gmail metadata beyond the aggregate counts above.

What stays in your browser

Everything about the emails themselves — sender addresses, subject lines, thread IDs, the domain-grouped scan results, the trashing operation — happens in your browser's memory. To make the paywall round-trip feel less jarring, scan results are temporarily saved to your browser's sessionStorage so they survive the redirect to Stripe and back. sessionStorage is scoped to the browser tab and clears when the tab closes. It is not transmitted anywhere.

The short-lived Google access token used to call the Gmail API from your browser is held in memory only — never written to disk. When it expires (about once an hour), the browser asks our Worker for a fresh one; the Worker decrypts your refresh token, mints a new access token via Google, and returns it. Gmail API calls themselves go directly from your browser to Google — they do not pass through our servers.

To identify your session on subsequent requests, our Worker sets an HttpOnly cookie named sb_session containing a signed JSON Web Token that references your user record. HttpOnly means the cookie cannot be read by JavaScript running in your browser, which meaningfully limits the blast radius of any cross-site-scripting bug.

Sub-processors

To operate the hosted service we rely on the following third-party sub-processors. Each is contractually obligated to handle your data only for the purposes described here.

We do not use a third-party authentication broker — the Google OAuth flow is handled directly by our own Cloudflare Worker.

Google API Services Limited Use Disclosure

ScrubInbox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

Cookies and browser storage

ScrubInbox uses:

ScrubInbox does not set analytics or advertising cookies.

Data retention

We retain your account, entitlement record, and scan-log counts for as long as your account exists. If you request deletion (see below), we will delete these records within 30 days of the request. Stripe retains payment records independently under its own retention policies; see the Stripe Privacy Policy linked above.

Your rights

Regardless of where you live, you can email support@scrubinbox.com to request:

We will respond to verifiable requests within 30 days. If you are in the EU, EEA, UK, or California, applicable regulations (GDPR, UK GDPR, CCPA) give you the same rights and we honor them for all users regardless of location.

International data transfers

Our sub-processors are US-based and process data in the United States. If you are outside the US, using ScrubInbox involves transferring your data to the US. The sub-processors listed above rely on Standard Contractual Clauses or equivalent mechanisms for these transfers where required.

Security

Communications between your browser and our Worker, and between our Worker and Neon, are encrypted with TLS. Every API endpoint verifies the session cookie's HMAC signature before touching any data, and every database query is scoped to the authenticated user's ID — one user cannot access another user's entitlement or scan logs. Google refresh tokens in our database are additionally encrypted at rest with AES-256-GCM using a key held only by our Worker; the encrypted rows on their own cannot be turned back into working tokens. Payment card data is handled by Stripe and never reaches our servers.

Children's privacy

ScrubInbox is not directed at children under 13, and we do not knowingly collect data from children. If you believe a child has provided data to ScrubInbox, please email support@scrubinbox.com and we will delete it.

Open source

ScrubInbox is fully open source under the MIT license. You can inspect every line of code at github.com/scrubinbox/scrubinbox. The self-hosted version does not require any of the sub-processors listed above.

Changes to this policy

If this policy changes materially, we will update the "Last updated" date above and, where we hold your email address, notify you at that address before the changes take effect.

Contact

For any question or request related to this policy, email support@scrubinbox.com.