Legal

Privacy Policy

Last updated: January 2025

Inbora ("we", "our", "us") is committed to protecting your privacy. This policy explains how we handle information when you use the Inbora API service at inbora.dev.

1. Information We Collect

We collect information you provide directly to us when you create an account, including your email address and display name. We also collect:


  • Usage data: API request logs including extraction type, latency, success/failure status, and timestamps. We do not log the content of emails you process.
  • Billing data: Processed via Stripe. We store your Stripe customer ID and subscription status. We never store raw payment card data.
  • Technical data: IP addresses for audit log purposes, browser/device type for the dashboard.

    • 2. How We Use Your Information

    We use the information we collect to:


  • Provide, operate, and improve the Inbora service
  • Process transactions and send related information (receipts, billing alerts)
  • Send usage alerts when you approach your monthly request limit
  • Respond to your comments and questions
  • Monitor and analyze usage patterns to improve the service
  • Enforce our Terms of Service

    • 3. Data Storage and Security

    Your account data is stored in Supabase (PostgreSQL) hosted on AWS. API key hashes are stored using SHA-256 — we never store the raw key after it is generated. All data is encrypted at rest and in transit (TLS 1.2+).


    Audit logs are retained according to your plan:

  • Free: No audit log retention
  • Starter: 7 days
  • Pro: 30 days
  • Scale: 90 days

    • Email content processed via the API is never stored. Only metadata (type, latency, result count) is logged.

    4. Data Sharing

    We do not sell your personal information. We share data only with:


  • Stripe: For payment processing. Subject to Stripe's privacy policy.
  • Supabase: For authentication and database hosting. Subject to Supabase's privacy policy.
  • Fly.io: For API infrastructure hosting. Only metadata traverses their network.
  • Legal authorities: If required by law or to protect our rights.

    • 5. Self-Hosting

    If you self-host Inbora using the open-source code, you are the data controller for all data processed by your instance. This privacy policy applies only to the cloud service at inbora.dev.

    6. Your Rights

    Depending on your jurisdiction, you may have the right to:


  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (GDPR Article 17)
  • Export your data in a portable format
  • Withdraw consent for optional data processing

    • To exercise any of these rights, email us at privacy@inbora.dev. We will respond within 30 days.

    7. Cookies

    We use only essential cookies required for authentication (Supabase session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics.

    8. Children's Privacy

    The Inbora service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

    9. Changes to This Policy

    We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice on the dashboard. Your continued use of the service after changes constitutes acceptance.

    10. Contact

    Questions about this privacy policy? Contact us at privacy@inbora.dev or open an issue on our GitHub repository.

    Terms of ServiceSecurityDocumentation