Privacy Policy
Last Updated: October 14, 2025
1. Introduction
Welcome to InboxIQ ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose,
and safeguard your information when you use our AI-powered customer support application ("Service").
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy,
please do not access the Service.
2. Information We Collect
2.1 Information You Provide to Us
- Account Information: When you create an account, we collect your email address, business name, and authentication credentials.
- Business Information: Your Shopify store domain, business settings, and preferences.
- Email Configuration: IMAP/SMTP server details, email addresses, and encrypted email passwords for accessing your customer support inbox.
- Customer Support Content: Customer emails, messages from Facebook Messenger and Instagram, and AI-generated responses.
2.2 Information from Third-Party Services
- Shopify: Store information, merchant details, and authentication tokens when you install our app on your Shopify store.
- Facebook/Instagram: Page information, Instagram account details, messages sent to your business pages, and user IDs (PSIDs/IGSIDs) when you connect your Facebook or Instagram accounts.
- Email Providers: Email content, sender information, and metadata from emails received in your configured support inbox.
2.3 Automatically Collected Information
- Usage Data: Information about how you use our Service, including features accessed and actions taken.
- Log Data: Server logs, error reports, and system diagnostics.
- Device Information: Browser type, IP address, and operating system.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Process customer support emails and messages, generate AI responses, and manage your customer support workflow.
- AI Processing: Send customer messages to OpenAI's API (using your API key) to generate intelligent responses based on your guidelines and knowledge base.
- Platform Integration: Connect with Shopify, Facebook, Instagram, and email providers to receive and send messages on your behalf.
- Improve Our Service: Analyze usage patterns to enhance features and user experience.
- Security: Detect and prevent fraud, abuse, and security incidents.
- Communication: Send you service-related notifications and updates.
- Compliance: Comply with legal obligations and enforce our terms of service.
4. Data Storage and Security
4.1 Data Storage
- Database: We store your data in a secure database.
- Tenant Isolation: Each business account has completely isolated data storage. Your data is never mixed with other customers' data.
- Encryption: Sensitive data is encrypted.
4.2 Security Measures
- Industry-standard encryption for data in transit (HTTPS/TLS)
- Encrypted storage for sensitive credentials
- Regular security updates and monitoring
- Access controls and authentication requirements
- Secure webhook signature verification for third-party integrations
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We share data with the following third-party services to provide our Service:
- OpenAI: Customer messages are sent to OpenAI's API (using your API key) to generate AI responses. OpenAI's use of this data is governed by their privacy policy and API terms.
- Railway: Our hosting provider that stores application data and databases.
- Shopify: To authenticate your store and access necessary store information.
- Facebook/Meta: To receive and send messages via Facebook Messenger and Instagram.
- Email Providers: To access and send emails through your configured email accounts.
5.2 We Do Not
- Sell your personal information to third parties
- Use your customer data for our own marketing purposes
- Share your data with advertisers
- Train our own AI models on your customer conversations
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities.
6. Your Data Rights
You have the following rights regarding your data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data.
- Export: Request a machine-readable export of your data.
- Opt-Out: Disconnect third-party integrations at any time through your account settings.
To exercise these rights, please contact us using the information provided below.
7. Data Retention
- Active Accounts: We retain your data for as long as your account is active and you continue to use our Service.
- Account Deletion: When you delete your account, we permanently delete all associated data within 30 days, except where we are required to retain it for legal or regulatory purposes.
- Backups: Deleted data may persist in backups for up to 90 days before being permanently removed.
8. Facebook and Instagram Data
Specific to our Facebook and Instagram integration:
- We only access messages sent to your business pages/accounts
- We store message content, sender IDs (PSIDs/IGSIDs), and conversation metadata
- We use this data solely to generate and send responses on your behalf
- You can disconnect Facebook/Instagram integration at any time
- We comply with Meta's Platform Terms and Developer Policies
- User data from Facebook/Instagram is not shared with other services except as necessary to provide the Service (e.g., sending to OpenAI for response generation)
9. Shopify Data
Specific to our Shopify integration:
- We access your store domain, merchant information, and authentication tokens
- We may access customer order information to provide context for AI responses (if you enable this feature)
- We comply with Shopify's API Terms of Service and App Store Requirements
- You can uninstall our app from Shopify at any time
10. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect
personal information from children under 13. If you are a parent or guardian and believe your
child has provided us with personal information, please contact us.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence.
These countries may have data protection laws that are different from the laws of your country.
We apply appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting
the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review
this Privacy Policy periodically for any changes.
13. California Privacy Rights
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your CCPA rights
14. GDPR Compliance (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under GDPR:
- Right to access, rectification, erasure, and data portability
- Right to restrict or object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Our legal basis for processing your data includes:
- Contract: Processing necessary to provide the Service you requested
- Consent: You have given explicit consent for specific processing activities
- Legitimate Interests: Processing necessary for our legitimate business interests
16. Consent
By using our Service, you consent to our Privacy Policy and agree to its terms. If you do not agree
with this policy, please do not use our Service.