Privacy Policy

Last updated: January 24, 2026

At Xero Inbox, operated by AI Escape ("we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Information We Collect

Account Information

When you create an account, we collect and store the following information:

  • Your name and email address to create and manage your account
  • A secure account identifier
  • We do not store your password — authentication is handled by our secure authentication provider

Connected Email Accounts

To provide our service, we connect to your email accounts through secure OAuth authentication:

  • We never see or store your email password
  • We store encrypted OAuth access and refresh tokens
  • Tokens are encrypted at rest using AES-256 encryption
  • We store your email address (display name) for identification
  • You can revoke access at any time through your email provider's security settings (Google/Microsoft)

Email Processing

When we process your emails:

  • We do not permanently store email content — emails are processed in real-time and content is not retained
  • Email content is encrypted while being processed and transmitted
  • We store only the email provider's message ID for reference
  • We store a summary of actions taken (e.g., "archived", "labeled") and a brief AI-generated summary to display in your activity history
  • We track processing status and timestamps for your activity history

AI Processing and Data Training

We use third-party AI providers to process your emails. Importantly:

  • We do not train AI models on your data — your email content is never used to train our systems
  • Third-party AI providers do not train on your data — we use zero data retention API agreements with our AI providers
  • Email content sent to AI providers is processed in real-time and immediately discarded
  • No email content is stored or retained by AI providers after processing

What We Do NOT Store

To be explicit, we do not store:

  • Your password (authentication is handled by our secure provider)
  • Email content, subjects, or body text
  • Sender or recipient information from your emails
  • Attachments or attachment content

Usage Data

We automatically collect certain information about how you use our service:

  • Features used and actions taken (e.g., emails processed, emails archived)
  • Device and browser information
  • IP address and approximate location
  • Subscription and usage metrics

How We Use Your Information

We use the information we collect to:

  • Provide and maintain our email management service
  • Process your emails using AI in real-time
  • Generate summaries and take actions based on your instructions
  • Track your usage against subscription limits
  • Send you service-related communications
  • Process payments and manage subscriptions
  • Respond to customer support requests
  • Detect and prevent fraud or abuse

Data Storage and Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • OAuth tokens are encrypted before storage
  • Email content is processed in secure, isolated environments and not retained
  • Access to user data is strictly limited and logged
  • Secure authentication with enterprise-grade providers
  • Regular security audits and monitoring

Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active and for 30 days after deletion
  • OAuth tokens: Retained while your email account is connected; deleted when you disconnect
  • Event history: Processing records retained for your reference; can be deleted on request
  • Email content: Not retained — processed in real-time only
  • Usage data: Retained for up to 2 years for analytics and billing

Third-Party Services

We use trusted third-party services to provide our service:

  • Authentication: We use a secure authentication provider to manage user accounts and login
  • Email Integration: We connect to Gmail and Outlook through their official APIs via OAuth
  • AI Processing: We use AI services to process your email content in real-time (content is not stored)
  • Payment Processing: We use a PCI-compliant payment processor to handle subscriptions
  • Cloud Infrastructure: Our service is hosted on secure cloud infrastructure

Each third-party service has their own privacy policy governing their use of your information.

Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data and account
  • Disconnect: Remove connected email accounts at any time
  • Revoke access: Revoke OAuth permissions through your email provider
  • Opt-out: Opt out of marketing communications

To exercise these rights, contact us at [email protected].

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

International Data Transfers

Your information may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: