Last updated: May 2026
Privacy Policy
1. Who we are
Inbase ("we", "us", "our") is a multi-tenant email inbox and team collaboration service, operated by Pichayut Pongpeaw, an individual based in Thailand. This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have over it.
Contact for privacy matters: hello@inbase.dev
2. Data we collect
2.1 Account data
When you register, we collect your email address and display name via Supabase Auth. We also store a profile record (avatar URL if provided via OAuth) and your billing relationship with us via Stripe.
2.2 Workspace data
When you create or join a workspace we store: workspace name, domain, your role assignment (owner / admin / moderator / agent / viewer), and the sender email addresses you configure.
2.3 Email content
Inbase stores inbound and outbound email messages — including subject, sender, recipient, HTML body, plain-text body, and email headers — in our database for the duration of your plan's retention window (see section 5). Attachments are stored in Supabase Storage and subject to the same retention window.
Inbound email arrives via Resend webhooks. This means email sent to your workspace's domain by third parties (people who are not Inbase users) is processed and stored by us. By configuring a domain webhook, you acknowledge that you are responsible for informing senders that their messages are processed by Inbase.
2.4 Audit logs
We maintain an audit log of significant actions taken by workspace members — for example, sending a reply, changing a member's role, or updating integrations. Audit logs are visible to workspace owners and admins. They are retained for the life of the workspace and deleted when the workspace is deleted.
2.5 Invited-user emails
When a workspace admin invites a new member, we store the invitee's email address to send the invitation and verify acceptance. If the invitation expires or is cancelled without being accepted, the invitation record (including the email) is deleted.
2.6 Usage and device data
We use Vercel Analytics to understand how the service is used. Vercel Analytics collects: pages visited, referrer URL, country (derived from IP, not stored), device type, and browser type. It does not use cookies, does not track users across sites, and does not collect personally identifiable information. Data is aggregated and anonymised before storage. Vercel's privacy policy governs their data handling.
We do not use advertising networks, social media tracking pixels, or behavioural profiling tools. We may also log server-side request metadata (IP address, timestamp, HTTP method) in infrastructure logs for security and debugging; these logs are retained for a maximum of 30 days.
2.7 Payment data
Billing is handled entirely by Stripe. We do not store payment card numbers or bank details. We store your Stripe customer ID and subscription status to manage your plan.
3. How we use your data
- Providing the service — routing email, rendering your inbox, managing team access.
- Authentication and security — verifying identity, detecting abuse, enforcing rate limits.
- Billing — managing your subscription, enforcing plan limits (seats, storage, retention).
- Service communications — transactional emails such as invitation links, billing receipts, and security alerts. We do not send marketing email unless you explicitly opt in.
- Debugging and support — when you contact us, we may access your workspace data as needed to resolve your issue.
We do not use your email content to train machine learning models, sell data to third parties, or serve advertising.
4. Third-party service providers
We share data with the following processors to operate the service:
- Supabase — database, authentication, and file storage. Data is hosted in the EU West (Ireland) region.
- Resend — email delivery and inbound routing. Inbase connects via your Resend API key; Resend processes email on your behalf under their own terms and privacy policy.
- Stripe — subscription billing. Stripe processes payment card data under their own PCI-DSS certified infrastructure.
We do not use advertising networks, data brokers, or social media tracking pixels.
5. Data retention
| Data type | Free plan | Pro plan |
|---|---|---|
| Email message content (body, headers) | No automatic deletion* | No automatic deletion* |
| Attachments | 7 days from receipt | 365 days from receipt |
| Account & workspace data | Until deletion requested or account terminated | Until deletion requested or account terminated |
| Audit logs | Life of workspace | Life of workspace |
| Infrastructure logs (IP, timestamps) | 30 days | 30 days |
| Pending invitations (unaccepted) | 7 days (expires automatically) | 7 days (expires automatically) |
*Message body content is retained until you delete the thread or delete your workspace. We may introduce per-plan message retention limits in a future update; we will provide 30 days' notice before any such change takes effect.
6. Cookies
We use a minimal set of cookies:
- inbase:theme — stores your light/dark preference. First-party, session-persistent, not shared.
- Supabase auth cookies — required for authentication. Session-bound, deleted on sign-out.
We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.
7. Your rights
Depending on where you are located, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your account and associated data. We will process deletion requests within 7 business days.
- Restriction — request that we limit how we process your data while a dispute is pending.
- Portability — request a machine-readable export of your data.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
To exercise any of these rights, email hello@inbase.dev. We will respond within 30 days.
8. Security
We implement the following measures to protect your data:
- All data in transit is encrypted via TLS.
- Data at rest is encrypted by Supabase (AES-256).
- Resend API keys and webhook secrets are stored AES-256-GCM encrypted; they are never exposed in plaintext after initial entry.
- Row-Level Security (RLS) policies on all database tables ensure workspace data is isolated between tenants.
- All significant user actions are logged in an immutable audit log.
No system is completely secure. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.
9. International data transfers
Your data is stored in Supabase's EU West (Ireland) region. If you access the service from outside the EU, your data may be transferred to and processed in the EU. If you are located in the EU, data is processed within the EU and is not transferred outside the EEA except to Stripe (USA) and Resend (USA) under appropriate safeguards.
10. Children's privacy
Inbase is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at hello@inbase.dev and we will delete the account promptly.
11. Changes to this policy
We will notify you by email at least 30 days before any material change to this policy takes effect. Non-material changes (e.g., clarifications, typo fixes) will be reflected in the "updated" date above without prior notice.
12. Contact
For any privacy questions or to exercise your rights: hello@inbase.dev