Privacy Policy
Last updated: 7 July 2026
ClearMyInbox is operated by Clear My Inbox LTD, registered in England and Wales. We take your privacy seriously. This policy explains what data we collect, how we use it, and what rights you have over it - in plain English, not impenetrable legalese.
What personal data we collect
- Account information - your email address and a hashed password when you register.
- OAuth tokens - encrypted access and refresh tokens from Google, Microsoft, or Yahoo when you connect an email account.
- IMAP credentials - if you connect via IMAP, your email address and app password are encrypted at rest using AES-256 and are never logged or shared.
- Payment information - Stripe handles all payment processing. We store your Stripe customer ID and subscription status but never store card numbers, CVVs, or bank details.
- Scan results - sender addresses, subject lines, and unsubscribe link URLs found during scans. We do not store email body content.
How we use your email data
When you run a scan, ClearMyInbox looks at the List-Unsubscribe header, the sender address, the subject line, and the date of each email. Because many senders only include their unsubscribe link inside the email itself, the scan also parses the email's HTML body in memory, during the scan only, to locate that link. The body is discarded as soon as the scan moves on - we keep the unsubscribe URL it contained, never the content.
What we do NOT do:
- We do not store or index email body content - bodies are parsed transiently during a scan and immediately discarded.
- We do not share, sell, or transfer your email data to third parties for advertising.
- We do not use your email data for profiling or targeted advertising.
- We do not retain raw email content after a scan completes.
Google API Services User Data Policy
ClearMyInbox's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We only request the minimum OAuth scopes needed:
gmail.readonlyto scan for unsubscribe links, andgmail.modify(optional) to trash emails on your behalf. - We do not sell, share, or use your Google data for advertising purposes.
- We do not store email content - only metadata (sender, subject, date, unsubscribe URLs). Message bodies are parsed in memory during a scan to locate unsubscribe links and are never retained. When a sender provides no
List-Unsubscribeheader, our optional AI fallback sends a short body excerpt to our AI provider solely to find the unsubscribe URL - see "Third-party services" below. - You can revoke ClearMyInbox's access to your Google account at any time from your Google Account permissions page.
Microsoft and Yahoo data handling
The same principles apply to Microsoft (Outlook/Hotmail) and Yahoo accounts:
- We request only the minimum permissions needed to read email headers and metadata.
- We do not sell, share, or use your email data for advertising.
- We do not store email body content.
- OAuth tokens are encrypted at rest and you can revoke access at any time from your Microsoft or Yahoo account settings.
IMAP credential security
If you connect an email account via IMAP (such as iCloud, Fastmail, or ProtonMail Bridge), your app password is encrypted at rest using industry-standard encryption. IMAP credentials are:
- Encrypted using AES-256 before being stored in our database.
- Never logged in application logs or error reports.
- Never shared with any third party.
- Deleted immediately when you disconnect the account.
Payment processing
All payment processing is handled by Stripe. When you subscribe to a paid plan, your card details are sent directly to Stripe's PCI-compliant servers. We never see, process, or store your card number, CVV, or full billing details. We only store your Stripe customer ID and subscription status to manage your plan.
Analytics
We use PostHog in cookieless mode for product analytics. PostHog's autocapture feature is enabled, which means:
- Page views are recorded automatically as you navigate the app.
- Click events on buttons and links are recorded automatically, along with the visible text and CSS selector of the element clicked - never the contents of any input field, password, or email body.
- We do not set any tracking cookies on your browser.
- We do not track you across other websites.
- Analytics data is aggregated and used only to improve the product.
Data retention and account deletion
We keep your data only as long as your account is active. When you delete your account:
- Your account details (email, hashed password) are permanently deleted.
- All stored OAuth tokens and IMAP credentials are permanently deleted.
- All scan results and subscription data are permanently deleted.
- Your Stripe subscription is cancelled (Stripe retains its own records per their privacy policy).
Scan results are retained while your account is active so you can review past scans. If you disconnect an email account without deleting your overall account, the tokens for that account are deleted immediately but your scan history is preserved.
Inactivity-based deletion. Accounts that have not signed in for 24 months are flagged for removal. We send a reminder email 30 days before deletion at the address on file; if you do not sign in or reply, the account and all associated data are deleted on the 24-month anniversary. Stripe records continue to live at Stripe under their own retention policy. Active subscribers (Pro / Lifetime) are exempt from this sweep regardless of last sign-in.
Third-party services
ClearMyInbox uses the following third-party services:
- Stripe - payment processing and subscription management.
- Microsoft Azure - application hosting and database storage.
- AI provider (currently OpenRouter, routing to Google Gemini and DeepSeek) - powers two Pro features: spam scoring (we send sender address, subject line, and email count - no email body) and unsubscribe-link extraction fallback (when a sender doesn't include a List-Unsubscribe header, we send up to the first 2,000 characters of the email's HTML body so the provider can identify the unsubscribe URL). The provider processes these requests under their data-processing terms and does not retain prompts beyond the API call.
- PostHog - cookieless product analytics.
Your rights under GDPR
If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access - you can request a copy of all personal data we hold about you.
- Right to rectification - you can ask us to correct any inaccurate data.
- Right to erasure - you can ask us to delete your account and all associated data.
- Right to data portability - you can request your data in a machine-readable format.
- Right to object - you can object to processing of your data in certain circumstances.
- Right to restrict processing - you can ask us to limit how we use your data.
To exercise any of these rights, email us at privacy@clearmyinbox.ai. We will respond within 30 days.
Contact us
If you have any questions about this Privacy Policy or how we handle your data, contact us at: