Privacy Policy
Last updated: March 11, 2026
1. Introduction
GraceBox ("we," "our," "us") operates gracebox.app. This Privacy Policy explains how we collect, use, and protect your information when you use our AI-powered email civility firewall service.
By using GraceBox, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our service.
2. Google API Scopes & Data Access
GraceBox requests the following Google OAuth scopes when you connect your account:
- openid, email, profile — to authenticate your identity and display your name and profile picture within the app
- https://www.googleapis.com/auth/gmail.modify — to read incoming emails from your designated senders, insert rewritten versions into your inbox, modify message labels (e.g., moving originals to the "GraceBox Originals" folder), and set up real-time push notifications so new emails are processed promptly
- https://www.googleapis.com/auth/gmail.labels — to create and manage the "GraceBox Originals" label in your Gmail account, where original unmodified emails are preserved for your reference
We request only the scopes necessary to deliver GraceBox's core functionality. We do not request broader scopes such as https://mail.google.com/.
3. Information We Collect
Account Information
- Google account email address, display name, and profile picture (collected via Google OAuth during sign-in)
Email Data
- We access your Gmail through the Gmail API to screen emails from senders you designate
- We process email headers (sender, subject) and body content solely to perform tone analysis and rewriting
Usage Data
- Tone scores assigned to screened emails
- Rewrite logs and processing timestamps
- Your screened sender lists and preferences
4. How We Use Your Information
- To screen and rewrite emails from your designated senders
- To maintain your screened sender list and email processing logs
- To manage your subscription and billing through Stripe
- To provide customer support and respond to your inquiries
5. Email Processing & AI
When an email arrives from one of your designated senders, GraceBox sends the email subject and body to OpenAI's API (currently using GPT-4o-mini) for tone analysis and rewriting. The email content is transmitted via HTTPS and processed in real time. OpenAI processes the data solely to return a response and does not use API inputs or outputs to train its models, per OpenAI's API data usage policy.
GraceBox does not store original email body content on our servers. Rewritten email text, tone scores, and processing metadata are stored in our database to populate your activity log.
Original emails remain in your Gmail account in the "GraceBox Originals" folder — we do not store original email content on our servers.
6. Data Retention
- Original email content: Not stored on GraceBox servers. Remains only in your Gmail account.
- Rewritten email text & tone scores: Retained for the duration of your active account.
- Email processing logs: Retained for the duration of your active account to populate your activity dashboard.
- Screened sender lists & preferences: Retained for the duration of your active account.
- OAuth tokens: Stored securely on our servers and deleted immediately upon account deletion or access revocation.
- Billing data: Managed by Stripe; retained per Stripe's privacy policy.
Upon account deletion, all user data stored on GraceBox servers — including rewritten text, tone scores, logs, sender lists, and OAuth tokens — is permanently deleted within 30 days.
7. Third-Party Services
GraceBox relies on the following third-party services to operate:
- Google Gmail API — for email access, reading, labeling, and real-time push notifications. See Google's Privacy Policy.
- OpenAI API (GPT-4o-mini) — for AI-powered tone analysis and email rewriting. Email subject and body are sent via HTTPS; OpenAI does not retain API data for training. See OpenAI's API Data Usage Policy.
- Stripe — for subscription billing and payment processing. See Stripe's Privacy Policy.
- Railway — for backend infrastructure hosting. See Railway's Privacy Policy.
We encourage you to review each third-party provider's privacy policy for details on how they handle data.
8. Data Security
We take the security of your data seriously. We use HTTPS encryption for all data transmission between your browser and our servers. OAuth tokens are stored securely and are never exposed to client-side code. Webhook payloads are verified using HMAC-SHA256 signature validation.
We do not sell, rent, or trade your personal information to any third party.
9. Google API Services — Limited Use Disclosure
GraceBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Google user data to provide and improve GraceBox's email screening and rewriting features, which are the app's primary user-facing functionality.
- We do not transfer Google user data to third parties except as necessary to provide the service (i.e., sending email content to OpenAI for rewriting), for security purposes, or to comply with applicable law.
- We do not use Google user data to serve advertisements.
- We do not sell Google user data to data brokers or any third party.
- Humans do not read Google user data unless: (a) the user has given affirmative consent to view specific data, (b) it is necessary for security purposes such as investigating abuse or bugs, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
10. Your Rights
- You can revoke Gmail access at any time through your Google Account permissions settings
- You can delete your account and all associated data by contacting support@gracebox.app. All data will be permanently removed within 30 days.
- You can request a copy of your stored data at any time by contacting support
- You can request correction of any inaccurate personal data we hold about you
11. International Data Transfers
GraceBox's servers are hosted in the United States via Railway. If you access GraceBox from outside the United States, your data will be transferred to and processed in the United States. By using GraceBox, you consent to the transfer of your data to the United States.
For users in the European Economic Area (EEA): We process your data based on your explicit consent when you connect your Google account. You have the right to withdraw consent at any time by revoking Gmail access or deleting your account. Under the GDPR, you also have the right to access, rectify, erase, restrict processing of, and port your personal data. To exercise these rights, contact support@gracebox.app.
For California residents: Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect and how it is used, to request deletion of your personal information, and to opt out of the sale of personal information. GraceBox does not sell personal information. To exercise your CCPA rights, contact support@gracebox.app.
12. Children's Privacy
GraceBox is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can take appropriate action.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised policy on this page and update the "Last updated" date at the top. We encourage you to review this page periodically.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- General inquiries: info@gracebox.app
- Support & data requests: support@gracebox.app