Legal

Privacy Policy

Last updated: April 16, 2025

1. Introduction

SpaceBox ("we", "our", or "us") operates the website https://spacebox.website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use SpaceBox. Please read it carefully. If you disagree with its terms, please stop using the Service immediately.

SpaceBox is a Gmail storage management tool. It connects to your Google account via official OAuth 2.0, identifies emails that waste storage space, and — with your explicit approval — deletes or moves them to Trash. At no point does SpaceBox read, store, or transmit the content of your emails.

2. Google User Data & Gmail API

SpaceBox's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.1 What Gmail data we access

SpaceBox requests the following Google OAuth scopes:

  • gmail.readonly (initial scan) — read email metadata only: sender address, subject line, email size, date, and the category label Gmail assigns (e.g. Promotions, Social). Body content and attachment data are never downloaded.
  • gmail.modify (Smart & Auto plans, requested only when you approve deletion) — used solely to move identified emails to Gmail Trash or permanently delete them. We never compose, send, or read the body of any email.
  • drive.metadata.readonly — read storage quota figures (used / total GB) so we can display accurate before/after storage estimates.

2.2 How we use Gmail data

  • To identify emails eligible for deletion (promotions, newsletters, large attachments older than specified thresholds).
  • To display a summary of what will be removed before any action is taken.
  • To execute the deletion or Trash operation you explicitly authorize.
  • To calculate total storage freed and update your SpaceBox dashboard.

2.3 What we do NOT do with Gmail data

  • We do not read, store, index, or analyze email body content.
  • We do not share any Gmail data with third parties, advertisers, or data brokers.
  • We do not use Gmail data to train machine learning models.
  • We do not retain any Gmail data beyond what is needed to display your scan result within the current session.

2.4 Token storage & scan cache

Your Google OAuth access and refresh tokens are stored encrypted in our database using AES-256-GCM encryption (96-bit random IV, 128-bit auth tag). They are used exclusively to authenticate API calls on your behalf and are never exposed to third parties.

Scan results (email counts per category and up to 5 sample subject lines from your Promotions folder) are temporarily cached in Redis for up to 10 minutes to avoid redundant API calls. This cache is automatically deleted when a cleanup starts, when you sign out, or after the TTL expires. Sample subjects are never written to our permanent database.

2.5 Revoking access

You can revoke SpaceBox's access to your Google account at any time by visiting myaccount.google.com/permissions and removing SpaceBox. You may also delete your SpaceBox account and all associated data by contacting us at privacy@spacebox.website.

3. Data We Collect

3.1 Account data

When you sign in with Google, we receive and store:

  • Your Google account email address
  • Your Google profile display name
  • Your Google profile photo URL (for display purposes only)
  • Encrypted OAuth tokens (access token & refresh token)

3.2 Usage data

  • Total storage reclaimed (MB, aggregated only)
  • Number of cleanup jobs completed
  • Plan purchased (Basic, Smart, or Auto)
  • Timestamps of cleanup actions (for your own audit history)

3.3 Payment data

Payments are processed by Stripe. SpaceBox never sees or stores your card number, CVV, or full payment details. We only store your Stripe customer ID and subscription status.

3.4 Logs & analytics

We collect standard server logs (IP address, browser user-agent, request path, timestamp) for security auditing and error diagnosis. Logs are retained for 30 days and never used for advertising.

4. How We Use Your Data

  • To provide and operate the SpaceBox Service
  • To authenticate you via Google OAuth
  • To process payments via Stripe
  • To send transactional emails (e.g. monthly storage reports for Auto plan)
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

We do not sell your personal data. We do not use your data for advertising. We do not share it with third parties except as required to operate the Service (Stripe for payments, hosting providers).

5. Data Sharing & Third Parties

Provider         | Purpose                    | Data shared
Google LLC       | Authentication & Gmail API | OAuth tokens (encrypted)
Stripe Inc.      | Payment processing         | Email address, plan info
Vercel / Railway | Hosting & infrastructure   | Encrypted in transit (TLS); OAuth tokens AES-256 encrypted before storage
Resend           | Transactional emails       | Email address only

6. Data Retention

  • Account data and cleanup job records are retained until you delete your account.
  • Audit logs (IP address, action timestamps) are retained for compliance purposes and anonymized upon account deletion.
  • Scan result cache (Redis) expires automatically after 10 minutes and is purged on cleanup.
  • Server logs (Vercel/Railway infrastructure) are retained for 30 days by the hosting provider.
  • If you revoke Google OAuth access, we delete your encrypted tokens within 7 days of being notified.

7. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of all your personal data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Restriction — request that we restrict how we process your data
  • Withdraw consent — revoke Google OAuth access at any time

To exercise any of these rights, email privacy@spacebox.website. We respond within 30 days.

8. Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption (with random 96-bit IV and 128-bit auth tag) for all OAuth tokens stored in our database
  • TLS 1.2+ for all data in transit
  • PostgreSQL database with encrypted TLS connections
  • Rate limiting on all sensitive API endpoints (scan: 3/hour, delete: 2/min, checkout: 3/min) via Redis sliding window
  • CSRF protection via Origin header validation on all mutation routes
  • Security headers on every response: HSTS (2-year max-age), CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy
  • Audit log for every cleanup action (IP, user agent, timestamp, job metadata)

Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@spacebox.website.

9. Children's Privacy

SpaceBox is not directed at individuals under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of SpaceBox after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions, requests, or concerns: