Privacy Policy

1. Personal and sensitive user data we collect

Download Inbox collects and processes the following categories of user data:

• Download metadata: File name, file size, MIME type, download status, timestamps, Chrome download ID — used to display downloads in the inbox, generate tags, and detect duplicates.
• Web browsing activity (limited): Page URL, referrer URL, and page title of the page that initiated a download — used for source tracking, AI rename suggestions, and linking files to their origin.
• Email interaction context: Gmail/Outlook thread URL and page title when a user clicks an attachment download link — used to connect downloaded email attachments to the source email thread.
• User-created content: Routing rules, custom tags, star/archive state, rename decisions, settings preferences — used to provide the user's configured workflow features.
• Payment and license state: Subscription status (active/inactive), plan tier (free/pro) — used to determine which features are available.

Data we do NOT collect: We do not collect passwords, financial information (credit card numbers are handled solely by Stripe via ExtensionPay), personal contacts, email message content, authentication tokens, health information, or the contents of downloaded files.

2. How data is collected

• Chrome Downloads API (downloads permission): Detects when files are downloaded, completed, or removed. Provides download metadata such as file name, size, URL, and status.
• Chrome Tabs API (tabs permission): Reads the URL and title of the active tab when a download starts, to identify the source page. Tab data is only read at the moment of a download event and is not continuously monitored.
• Content scripts on Gmail and Outlook (content_scripts on mail.google.com, outlook.live.com, outlook.office.com, outlook.office365.com): Detects when a user clicks an attachment download button. Captures the thread URL and page title so the extension can link a downloaded attachment to its source email. Does not read email content, contacts, or message bodies.
• Chrome Storage API (storage permission): Saves inbox items, user settings, routing rules, and extension state locally in the browser.
• Chrome Notifications API (notifications permission): Displays desktop notifications about new downloads, duplicate warnings, and daily inbox reminders.
• Chrome Alarms API (alarms permission): Schedules the daily inbox reminder notification.
• Chrome Side Panel API (sidePanel permission): Displays the extension UI as a browser side panel.
• ExtensionPay (content_scripts on extensionpay.com): Handles subscription checkout and license verification for Pro features.

3. How data is used

Collected data is used solely to provide the extension's features:

• Displaying downloads in the inbox feed with file name, size, time, and source.
• Generating automatic file category tags (e.g. invoice, design, legal, code).
• Detecting duplicate downloads by comparing file metadata.
• Generating AI-powered rename suggestions (see section 4 for details on remote processing).
• Linking downloaded files to their source website or email thread.
• Applying user-configured routing rules to tag or categorize files.
• Displaying notifications and daily reminders.
• Determining whether Pro features should be available based on subscription status.

4. Remote data processing

While most data stays local, certain features send limited data to a developer-operated backend service for processing:

• AI rename suggestions: The file name, download URL, page title, and referrer URL of a download may be sent to our backend service (hosted on Cloudflare Workers) to generate intelligent rename suggestions. File contents are never sent — only metadata.
• Source enrichment: The source URL of a download may be sent to our backend to retrieve additional context about the source (e.g. website name).
• Smart collections: Download metadata (file names, tags, timestamps) may be sent to our backend to generate grouped file collections.
• Weekly digest: Aggregated inbox statistics may be sent to our backend to generate a weekly summary.

All communication with our backend uses HTTPS encryption. Our backend does not store user data persistently — it processes requests and returns results. No data is logged, retained, or shared with third parties by our backend service.

5. Data storage and retention

• Local storage: Inbox items, user settings, routing rules, and extension state are stored locally in the browser using Chrome's chrome.storage API. This data does not leave the user's device except as described in section 4.
• Retention period: Data remains stored until the user deletes it manually, clears extension data, uninstalls the extension, or the extension automatically archives items based on the user's configured history limit (100, 250, 500, or 1000 items).
• Backend: Our backend service does not store any user data. Requests are processed in memory and discarded after the response is returned.

6. Data sharing and third parties

Download Inbox does not sell, rent, or trade user data. Data is shared only in these limited cases:

• Developer backend (Cloudflare Workers): As described in section 4, limited download metadata is sent to our backend for AI rename suggestions, source enrichment, collections, and digest features. This service is operated by the developer and hosted on Cloudflare's infrastructure. Cloudflare's privacy policy applies to infrastructure-level data handling.
• ExtensionPay: If the user purchases Pro or manages their subscription, billing and license data is processed by ExtensionPay. ExtensionPay's privacy policy applies.
• Stripe (via ExtensionPay): Payment card information is processed by Stripe. Download Inbox never receives or stores full card numbers. Stripe's privacy policy applies.
• Legal requirements: Data may be disclosed if required by applicable law, legal process, or to protect the rights and safety of users or third parties.

7. No sale of data and no use for advertising

Download Inbox does not:

• Sell or transfer user data to third parties
• Use user data for advertising, ad targeting, or ad personalization
• Use user data for creditworthiness assessment or lending
• Share user data with data brokers
• Use user data for purposes unrelated to the extension's core functionality

8. Data security

• All data stored locally uses Chrome's built-in extension storage, which is sandboxed per-extension.
• All network communication with our backend and third-party services uses HTTPS/TLS encryption.
• Our backend service does not persist user data to disk or databases.
• Content scripts are scoped to specific domains (Gmail, Outlook, ExtensionPay) and do not run on arbitrary websites.

No method of electronic storage or transmission is 100% secure. While we strive to protect user data, we cannot guarantee absolute security.

9. User choices and data deletion

• Delete individual items: Remove specific downloads from the inbox using the extension UI.
• Clear all data: Use the "Clear all data" button in extension settings to delete all inbox items, rules, and preferences.
• Uninstall: Removing the extension deletes all locally stored extension data from the browser.
• Manage subscription: Pro subscribers can manage or cancel their subscription through ExtensionPay.
• Disable content scripts: Users can revoke the extension's access to specific sites through Chrome's extension permissions settings.

10. Children's privacy

Download Inbox is not directed at children under the age of 13. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 13, we will take steps to delete it.

11. Changes to this policy

We may update this privacy policy from time to time. Changes will be reflected on this page with an updated "Last updated" date. Continued use of the extension after changes constitutes acceptance of the revised policy.

12. Contact

If you have questions about this privacy policy, your data, or Download Inbox, please contact us at [email protected].