1. Who is responsible for your data
LucidInbox is operated by Innovative Commerce B.V., the controller of the personal data described in this policy. You can reach us at:
Innovative Commerce B.V.
Westplein 12, 3016 BM Rotterdam, the Netherlands
hello@lucidinbox.com
For any privacy question or request, email hello@lucidinbox.com and we will respond.
2. Our core privacy promise
We built LucidInbox to read as little as possible, keep it as briefly as possible, and let you erase it whenever you choose. In short:
- We never read your full message bodies, attachments, calendar or contacts.
- We only use the sender, subject line and a short snippet (around the first 200 characters) of a message to classify it.
- Your mail is never sold, shared for advertising, or used to train AI models — ours or anyone else’s.
- You can delete everything we hold and revoke our access at any time, with one click.
3. What data we collect
Account data
When you sign up we collect your email address (used for passwordless sign-in and service communications) and basic account settings such as your presets and the rules you create.
Mailbox data we process to classify your mail
When you connect a mailbox, our system reads, for each incoming message, a limited set of metadata needed to sort it:
- The sender’s name and email address;
- The subject line;
- A short snippet of the body (approximately the first 200 characters);
- Message and folder identifiers needed to move the message and avoid reprocessing it.
We do not read or store full message bodies, attachments, your calendar or your contacts.
Billing data
If you subscribe, our payment processor Stripe collects and processes your payment details. We receive limited billing information (such as your subscription status, country, and the last digits and type of your card) but we never receive or store your full card number.
Technical and usage data
Like most online services, we collect limited technical data such as IP address, device and browser information, and log data, to operate, secure and debug the Service.
4. How we use your data and our legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service: connecting your mailbox, classifying and organising mail, applying your rules | Performance of our contract with you (Art. 6(1)(b)) |
| Account creation and passwordless sign-in | Performance of our contract (Art. 6(1)(b)) |
| Billing, invoicing and fraud prevention | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Service emails (e.g. digests, important notices) and responding to support requests | Contract (Art. 6(1)(b)) and our legitimate interest (Art. 6(1)(f)) |
| Securing, monitoring, debugging and improving the Service | Our legitimate interest in a safe, reliable service (Art. 6(1)(f)) |
| Optional marketing emails, where applicable | Your consent (Art. 6(1)(a)), which you can withdraw anytime |
We do not use your mail content for advertising or profiling, and we do not make decisions that produce legal or similarly significant effects about you through solely automated means.
5. Who we share data with (sub-processors)
We share personal data only with carefully selected service providers who help us run LucidInbox, and only as needed. These include:
| Provider | Purpose | Location |
|---|---|---|
| Microsoft | Email provider you connect (mailbox access via OAuth) | EU / global |
| OpenAI | AI classification of message metadata and snippets. OpenAI does not use this data to train its models. | United States (with safeguards, see §6) |
| Stripe | Payment processing and subscription billing | EU / United States (with safeguards) |
| Hosting & infrastructure provider | Running the Service and storing data | European Union |
We require all sub-processors to protect your data under a data processing agreement and to use it only on our instructions. We do not sell your personal data. We may disclose data where required by law, or to protect our rights, users or the public.
6. International transfers
Our data is hosted within the European Union. Where a provider processes data outside the European Economic Area (for example OpenAI or Stripe in the United States), we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, and on the EU–US Data Privacy Framework where the provider is certified, to ensure your data receives an equivalent level of protection.
7. How long we keep your data
- Message snippets and classification metadata: automatically deleted after 30 days. We keep no backups or shadow copies beyond what is needed to provide the Service.
- Account data and settings: kept while your account is active. If you do not subscribe after a free trial, or you delete your account, this data is deleted shortly afterwards.
- Billing and invoice records: retained for up to 7 years to meet our legal and tax obligations under Dutch law.
- Technical logs: kept only for a short period for security and debugging, then deleted or anonymised.
8. How we protect your data
We apply appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, EU-based hosting, strict access controls, and minimisation of the data we read and store. No system is completely secure, but we work hard to keep your data safe. You can read more on our Security page.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Have inaccurate data corrected;
- Have your data erased (“right to be forgotten”);
- Restrict or object to certain processing;
- Receive your data in a portable format;
- Withdraw consent at any time, where we rely on consent.
You can erase the data we hold and revoke our access directly from your account at any time. To exercise any of these rights, contact hello@lucidinbox.com. You also have the right to lodge a complaint with a supervisory authority — in the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Cookies
We keep cookies to a minimum. We use only essential cookies and similar technologies needed to keep you signed in and to keep the Service secure. We do not use advertising or third-party tracking cookies. You can control cookies through your browser settings, though disabling essential cookies may stop you from signing in.
11. Children
The Service is not intended for anyone under 16, and we do not knowingly collect data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or in the Service. The “Last updated” date at the top shows when this policy was last revised.
13. Contact
Questions about your privacy? Email hello@lucidinbox.com or write to Innovative Commerce B.V., Westplein 12, 3016 BM Rotterdam, the Netherlands.