Data minimisation by design
The strongest protection is reading as little as possible. LucidInbox never opens your full message bodies, attachments, calendar or contacts. To classify a message we use only the sender, the subject line, and a short snippet of around the first 200 characters of the body — and even that is automatically deleted after 30 days.
Encryption
All data is encrypted in transit (TLS) and at rest. Every connection between your browser, our servers and our providers is protected by TLS, so data is encrypted at the transport layer on every hop. This is transport encryption rather than end-to-end encryption: our servers still decrypt the sender, subject and snippet they need in order to classify a message.
EU-based hosting
Our infrastructure runs on servers within the European Union. The Service is operated in line with the EU General Data Protection Regulation (GDPR). Where a provider processes data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses — see our Privacy Policy for details.
Access you control
You connect your mailbox using your provider’s secure authorisation (OAuth) — we never see or store your email password. You can revoke our access at any time, either from within LucidInbox or through your email provider’s security settings. The moment you disconnect, we lose all ability to read your mail. With one click you can erase every snippet and setting we hold.
Internal controls
- Access to production systems is restricted to authorised personnel on a least-privilege basis and protected by strong authentication.
- We vet every sub-processor and bind them to a data processing agreement before any data is shared.
- Your mail is never used to train AI models, never sold, and never shared for advertising.
- We keep no backups or shadow copies of message snippets beyond what is needed to run the Service.
Payments
Payments are handled by Stripe, a PCI-DSS Level 1 certified payment provider. We never receive or store your full card number.
Reporting a vulnerability
No technology is perfect, and we believe that working with the security community is one of the best ways to keep LucidInbox safe. If you believe you have found a security issue, we would love to hear from you. Please email hello@lucidinbox.com with the details and steps to reproduce, and we will get back to you as soon as we can.
How we’d like to work together
- Let us know as soon as possible after you discover a potential issue, and we’ll do our best to resolve it quickly.
- Please give us a reasonable amount of time to investigate and fix the issue before sharing it publicly or with a third party.
- Make a good-faith effort to avoid privacy violations, data destruction, and any interruption or degradation of the Service. Only interact with accounts you own or have explicit permission to access.
- If you need a test account, one is plenty — please don’t create large numbers of accounts. If you need more, just ask us first.
In scope
This policy covers lucidinbox.com. Issues affecting third-party services we rely on (such as our hosting or payment providers) are best reported directly to those providers, though we’re always happy to help point you in the right direction.
Out of scope
To help us focus on issues that genuinely put people at risk, the following are generally not things we’re able to act on:
- Denial-of-service (DoS) attacks and spamming.
- Social engineering or phishing of our team, contractors, or users.
- Any physical attempts against our property or infrastructure.
- The presence, absence, or configuration of DNS email-authentication records such as SPF, DKIM, or DMARC.
- Account enumeration (for example, a sign-in or password-reset response that reveals whether an email address is registered) — we accept this as a trade-off that keeps the sign-in experience clear and friendly.
- Reports generated by automated scanners without a demonstrated, real-world impact.
Safe harbour
Any activity carried out in a manner consistent with this policy will be considered authorised conduct, and we will not pursue legal action against you. If a third party initiates legal action against you in connection with research conducted under this policy, we will take steps to make it known that your actions were carried out in compliance with it. Thank you for helping keep LucidInbox and its users safe.