Subprocessors
Last updated: 19 May 2026
ClearMyInbox (operated by Clear My Inbox LTD) uses the third-party processors listed below to deliver the service. We publish this list so you can see exactly who touches your data, what they do with it, and where they operate. Anything not on this list does not handle your data.
We will give 30 days' notice (by email to account holders and an update to this page) before adding a new subprocessor or materially changing the role of an existing one.
Current subprocessors
Microsoft Azure
- Purpose:
- Application hosting (Container Apps), database (Azure SQL), secrets (Key Vault), container registry (ACR), and observability (Log Analytics, App Insights).
- Region:
- UK South (primary), with geo-redundant backup storage.
Azure Communication Services (Microsoft)
- Purpose:
- Transactional email delivery (password reset, account verification, dormancy notices). Plain-text + HTML payloads only - no marketing or third-party content.
- Region:
- EU (Ireland / Netherlands).
Stripe Payments Europe
- Purpose:
- Subscription billing, checkout, customer portal, and webhooks. We never see card numbers, CVVs, or bank details - those flow directly from your browser to Stripe.
- Region:
- EEA + US (Stripe is a global processor; EEA traffic is processed under the SCCs in their DPA).
OpenRouter
- Purpose:
- AI inference proxy. Routes Pro-tier spam-scoring and unsubscribe-link-extraction prompts to upstream models (currently Google Gemini and DeepSeek). We never send email body content for spam scoring - only sender, subject, and count. The link-extraction fallback sends up to 2,000 chars of HTML body solely to identify an unsubscribe URL.
- Region:
- US (with upstream model providers in US/EU).
PostHog
- Purpose:
- Product analytics in cookieless mode. Pseudonymous events for page views and feature usage. No PII, no cross-site tracking.
- Region:
- EU (PostHog EU cloud).
Cloudflare
- Purpose:
- DNS, CDN, and inbound email routing (support@ / privacy@ aliases). No application data passes through Cloudflare; it sits in front of the static site and forwards email for our team aliases.
- Region:
- Global anycast network.
- Purpose:
- Gmail OAuth and Gmail API. Only invoked when you choose to connect a Gmail account. Google sees the OAuth consent, returns access + refresh tokens, and serves Gmail API requests for scans.
- Region:
- US (Google global infrastructure).
- Invoked when:
- You connect a Gmail account.
Microsoft (Entra ID + Microsoft Graph)
- Purpose:
- Outlook OAuth and Microsoft Graph Mail API. Only invoked when you choose to connect an Outlook / Hotmail / Live account. Same shape as the Gmail flow above.
- Region:
- EU + US (Microsoft global infrastructure).
- Invoked when:
- You connect an Outlook / Hotmail / Live account.
Yahoo
- Purpose:
- IMAP endpoint for Yahoo accounts. Connection is via your app password (Yahoo issued, stored encrypted by us). Yahoo processes the IMAP requests to serve your message headers during a scan.
- Region:
- US (Yahoo global infrastructure).
- Invoked when:
- You connect a Yahoo account via IMAP.
Where subprocessors are NOT invoked
- If you connect only a Yahoo IMAP account, your data never flows to Google or Microsoft for that account.
- If you stay on the Free tier and never trigger the AI-assisted features, no data is sent to OpenRouter.
- If you never subscribe, no data is sent to Stripe beyond what is needed to render the pricing page.
Related
- Privacy policy - the full data-handling policy this page supplements.
- Security - how we secure your data in transit and at rest.
- Contact - if you have questions about any processor on this list.