Privacy Policy

Last updated: January 24, 2026

At Xero Inbox ("we", "our", or "us"), operated by AI Escape, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Information We Collect

Account Information

We use WorkOS for authentication. When you create an account:

  • We store only a reference ID linking to your WorkOS account
  • We do not store your password — authentication is handled entirely by WorkOS
  • Your name and email are managed by WorkOS, not stored in our database

Connected Email Accounts

To provide our service, we connect to your email accounts through secure OAuth authentication:

  • We never see or store your email password
  • We store encrypted OAuth access and refresh tokens
  • Tokens are encrypted at rest using AES-256 encryption
  • We store your email address (display name) for identification
  • You can revoke access at any time through your email provider's security settings (Google/Microsoft)

Email Processing

When we process your emails:

  • We do not permanently store email content — emails are processed in real-time and content is not retained
  • We store only the email provider's message ID for reference
  • We store a summary of actions taken (e.g., "archived", "labeled") without email content
  • We track processing status and timestamps for your activity history

What We Do NOT Store

To be explicit, we do not store:

  • Your password (authentication is via WorkOS)
  • Email content, subjects, or body text
  • Sender or recipient information from your emails
  • Attachments or attachment content

Usage Data

We automatically collect certain information about how you use our service:

  • Features used and actions taken (e.g., emails processed, actions approved)
  • Device and browser information
  • IP address and approximate location
  • Subscription and usage metrics

How We Use Your Information

We use the information we collect to:

  • Provide and maintain our email management service
  • Process your emails using AI in real-time
  • Generate summaries and suggested actions
  • Track your usage against subscription limits
  • Send you service-related communications
  • Process payments and manage subscriptions
  • Respond to customer support requests
  • Detect and prevent fraud or abuse

Data Storage and Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • OAuth tokens are encrypted before storage
  • Email content is processed in secure, isolated environments and not retained
  • Access to user data is strictly limited and logged
  • We use WorkOS for secure authentication
  • Regular security audits and monitoring

Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active and for 30 days after deletion
  • OAuth tokens: Retained while your email account is connected; deleted when you disconnect
  • Event history: Processing records retained for your reference; can be deleted on request
  • Email content: Not retained — processed in real-time only
  • Usage data: Retained for up to 2 years for analytics and billing

Third-Party Services

We use the following third-party services:

  • WorkOS: Authentication and user management
  • Google Gmail API: Gmail integration via OAuth
  • Microsoft Graph API: Outlook integration via OAuth
  • OpenAI, Anthropic: AI processing of email content (processed in real-time, not stored)
  • Stripe: Payment processing
  • Fly.io: Cloud infrastructure hosting

Each third-party service has their own privacy policy governing their use of your information.

Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data and account
  • Disconnect: Remove connected email accounts at any time
  • Revoke access: Revoke OAuth permissions through your email provider
  • Opt-out: Opt out of marketing communications

To exercise these rights, contact us at contact@aiescape.io.

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

International Data Transfers

Your information may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: