Privacy Policy
Last updated: July 13, 2026
This policy describes how ScrubInbox handles your data when you use the hosted app at app.scrubinbox.com. The self-hosted, open source version of ScrubInbox is not covered by this policy — self-hosters are their own data controller.
What data ScrubInbox accesses from Google
When you sign in with Google and grant access, ScrubInbox uses the Gmail API to access:
- Your email address (to display who is signed in and to link your entitlement to your account)
- Thread metadata: sender name, sender email address, subject line, and label IDs
- Label names (to power the label exclusion filter)
- Inbox thread count (to display scan progress)
ScrubInbox does not access the body or content of your emails. It only requests thread metadata (headers and labels).
What we store on our servers
To operate the hosted service we store the following, and only the following, in our Postgres database at Neon (see sub-processors below):
- Your Google user ID (the stable identifier Google returns) and your email address
- An encrypted Google refresh token — used to mint short-lived access tokens for Gmail API calls without prompting you for consent every hour. Encrypted with AES-256-GCM using a key held only by our Cloudflare Worker; the ciphertext in the database is useless without that key. Never leaves the Worker in plaintext, never sent to your browser.
- Your entitlement record: purchase type (currently only lifetime), whether you were an early adopter, and the Stripe checkout session ID and Stripe customer ID that produced it
- Scan logs: for each cleanup session, only the number of threads scanned and the number of threads trashed — no sender addresses, no subject lines, no thread IDs
We do not store: email content, subject lines, sender names or addresses, thread IDs, label names, or any Gmail metadata beyond the aggregate counts above.
What stays in your browser
Everything about the emails themselves — sender addresses, subject lines, thread IDs, the domain-grouped scan results, the trashing operation — happens in your browser's memory. To make the paywall round-trip feel less jarring, scan results are temporarily saved to your browser's sessionStorage so they survive the redirect to Stripe and back. sessionStorage is scoped to the browser tab and clears when the tab closes. It is not transmitted anywhere.
The short-lived Google access token used to call the Gmail API from your browser is held in memory only — never written to disk. When it expires (about once an hour), the browser asks our Worker for a fresh one; the Worker decrypts your refresh token, mints a new access token via Google, and returns it. Gmail API calls themselves go directly from your browser to Google — they do not pass through our servers.
To identify your session on subsequent requests, our Worker sets an HttpOnly cookie named sb_session containing a signed JSON Web Token that references your user record. HttpOnly means the cookie cannot be read by JavaScript running in your browser, which meaningfully limits the blast radius of any cross-site-scripting bug.
Sub-processors
To operate the hosted service we rely on the following third-party sub-processors. Each is contractually obligated to handle your data only for the purposes described here.
- Neon, Inc. (United States) — hosts our Postgres database. Stores: your Google user ID, your email address, your AES-256-GCM-encrypted Google refresh token, your entitlement row, your scan-log counts. Neon Privacy Policy.
- Stripe, Inc. (United States) — processes payments as our Merchant of Record via Stripe Managed Payments. Stripe collects and stores your payment method, billing address, and any information you enter during checkout. ScrubInbox never sees your card number. Stripe Privacy Policy.
- Cloudflare, Inc. (United States) — hosts the app and runs the Worker that handles sign-in, API requests, and refresh-token decryption. Cloudflare may log request metadata (IP address, user agent, request path) for DDoS mitigation and performance monitoring. Cloudflare Privacy Policy.
- Google LLC (United States) — provides Gmail access via OAuth. Handles the sign-in consent flow and every Gmail API call. Google Privacy Policy.
We do not use a third-party authentication broker — the Google OAuth flow is handled directly by our own Cloudflare Worker.
Google API Services Limited Use Disclosure
ScrubInbox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- ScrubInbox only uses Google user data to provide the user-facing features described above
- ScrubInbox does not transfer Google user data to any third party, except as necessary to provide the app's functionality, comply with applicable law, or as part of a merger or acquisition with prior user consent
- ScrubInbox does not use Google user data to serve advertisements
- No human reads your Google user data, unless you have given affirmative consent, it is necessary for security or legal compliance, or the data is aggregated and anonymized for internal operations
Cookies and browser storage
ScrubInbox uses:
sb_sessioncookie — Set by our Worker after you sign in. Contains a signed JSON Web Token that identifies your account to our backend.HttpOnly(unreadable from JavaScript),Secure(HTTPS-only),SameSite=Lax(not sent on cross-site sub-requests). Expires 30 days after the last sign-in, or immediately on sign-out.sessionStorage— Scan results are cached here so they survive the redirect to Stripe checkout and back. Cleared when the tab closes.
ScrubInbox does not set analytics or advertising cookies.
Data retention
We retain your account, entitlement record, and scan-log counts for as long as your account exists. If you request deletion (see below), we will delete these records within 30 days of the request. Stripe retains payment records independently under its own retention policies; see the Stripe Privacy Policy linked above.
Your rights
Regardless of where you live, you can email support@scrubinbox.com to request:
- A copy of the data we hold about you
- Correction of any inaccurate account data
- Deletion of your account and all associated data (entitlement + scan logs)
We will respond to verifiable requests within 30 days. If you are in the EU, EEA, UK, or California, applicable regulations (GDPR, UK GDPR, CCPA) give you the same rights and we honor them for all users regardless of location.
International data transfers
Our sub-processors are US-based and process data in the United States. If you are outside the US, using ScrubInbox involves transferring your data to the US. The sub-processors listed above rely on Standard Contractual Clauses or equivalent mechanisms for these transfers where required.
Security
Communications between your browser and our Worker, and between our Worker and Neon, are encrypted with TLS. Every API endpoint verifies the session cookie's HMAC signature before touching any data, and every database query is scoped to the authenticated user's ID — one user cannot access another user's entitlement or scan logs. Google refresh tokens in our database are additionally encrypted at rest with AES-256-GCM using a key held only by our Worker; the encrypted rows on their own cannot be turned back into working tokens. Payment card data is handled by Stripe and never reaches our servers.
Children's privacy
ScrubInbox is not directed at children under 13, and we do not knowingly collect data from children. If you believe a child has provided data to ScrubInbox, please email support@scrubinbox.com and we will delete it.
Open source
ScrubInbox is fully open source under the MIT license. You can inspect every line of code at github.com/scrubinbox/scrubinbox. The self-hosted version does not require any of the sub-processors listed above.
Changes to this policy
If this policy changes materially, we will update the "Last updated" date above and, where we hold your email address, notify you at that address before the changes take effect.
Contact
For any question or request related to this policy, email support@scrubinbox.com.