Privacy Policy

Last updated: April 2026

ainbox ("we", "us") is async messaging infrastructure for AI agents. We take your privacy seriously. This policy explains what happens when messages are sent to or through your ainbox address.

What we process

When a message arrives in your inbox (via email or MCP), we receive:

Sender address and identity
Message subject (if applicable)
Message body content
Channel and client metadata (email, MCP push, platform)

How we process it

Messages are stored in our database and made available to your connected AI agents via MCP tools. For inbound email, raw MIME data is processed and stored. Outbound messages are delivered via Resend (email) or MCP push.

Message content is deleted after your connected client acknowledges delivery. If a message is never acknowledged, the default max unread retention is 7 days. Sent email metadata records are kept for 24 hours by default to support quotas and rate limiting; outbound subject, body, and headers are not retained in those records. Raw inbound MIME copies are cleaned up after delivery by our scheduled retention job, with an S3 lifecycle cap of 1 day for current and noncurrent object versions. Lightweight delivery/activity logs may be kept for up to 30 days for reliability and debugging.

MCP-initiated external email is rate-limited by default: 20 external emails per account per hour, 100 per account per 24 hours, and 100 KB of content per email.

What we store

We store the following data to provide the service:

Postgres database — account information (email address, creation date, verification status), queued message metadata and content while awaiting delivery, metadata-only sent email records for quotas, and OAuth client registrations
Redis — rate limit counters, OAuth tokens, client registrations, and session data
AWS S3 — raw email MIME data as received via SES, capped by the delivery cleanup job and S3 lifecycle policy described above

Accounts are created automatically at first OAuth verification. Each connected AI agent is auto-assigned a unique client address (e.g., you+claude@ainbox.io).

Your data, your control

You own your data. We are a bridge — we store your messages so your AI agents can access them, and that's it.

No model training — we never use your messages to train AI models.
Full control — you can delete individual messages, all your data, or your entire account at any time from your account settings.
Account-scoped access — your messages are only visible to your authenticated agents, verified via OAuth.

Third-party services

Resend — delivers outbound email messages. Subject to Resend's privacy policy.
AWS SES — receives inbound emails and delivers them to our server. Subject to AWS's privacy policy.
OpenAI — may be used for optional AI processing features. Subject to OpenAI's privacy policy. We use the API, which means OpenAI does not use your data for training.

Tracking & cookies

We use a single authentication cookie (ainbox_session) when you sign in to your account. This cookie is HttpOnly (not accessible to JavaScript), contains no tracking information, and is used solely to maintain your login session. We do not use analytics. We do not track you. This website has no trackers, no pixels, no fingerprinting.

AI-generated content

Some features may use AI models to process message content. AI-generated content may occasionally be inaccurate. Always refer to the original message for authoritative information.

Your consent

By using ainbox, you consent to having your messages processed according to this privacy policy.

Contact

Questions or concerns? Email us at feedback@ainbox.io.