Privacy Policy

Last updated: January 31, 2026

Visual Inbox is a privacy-first tool for visualizing communication patterns. This Privacy Policy explains what data Visual Inbox may access, where it is processed, what is stored, and what (if anything) is transmitted to our servers.

1) Who we are

Visual Inbox is an independent project created by César A. Hidalgo.

Contact: hello@visualinbox.net

2) What data Visual Inbox accesses

Visual Inbox only accesses data that you explicitly choose to connect or provide.

Gmail (Google OAuth + Gmail API — metadata only)

If you choose to connect Gmail, Visual Inbox requests the restricted Gmail scope:

https://www.googleapis.com/auth/gmail.metadata

This scope allows access to email message metadata (such as headers and labels), but not the email body. Visual Inbox uses this metadata to compute visualizations and metrics (for example, sender/recipient fields and timestamps).

Visual Inbox does not fetch or store email message bodies.

Google Calendar (Google OAuth + Google Calendar API — read-only)

If you choose to connect Google Calendar, Visual Inbox requests the scope:

https://www.googleapis.com/auth/calendar.readonly

This scope allows the app to see and download any calendar you can access (read-only). Visual Inbox uses this data to build visualizations and metrics (for example, event times, organizers, and attendee lists).

Slack (manual ZIP export)

Visual Inbox can analyze Slack workspace data only if you upload a Slack export ZIP file.

• Slack exports are typically created and downloaded by a workspace admin or owner.
• The contents of a Slack export depend on Slack’s export settings and what your workspace is permitted to export.
• You are responsible for ensuring you have the authorization to export and upload workspace data and that doing so complies with your organization’s policies and applicable laws.

Important: Visual Inbox only accesses Google data after you explicitly grant permission through Google’s consent screen. You can revoke access at any time from your Google Account settings.

Limited Use Compliance

Visual Inbox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3) Where your data is processed and stored

Local processing

Visual Inbox is designed so that processing happens locally in your browser. When you use the app:

• your browser loads the Visual Inbox application code,
• your browser requests authorized Gmail/Calendar data directly from Google (when connected),
• if you upload a Slack export ZIP, your browser reads and parses that file locally,
• the app computes visualizations locally on your device.

Local storage (IndexedDB)

To improve performance and allow the tool to function smoothly, Visual Inbox stores data locally in your browser using IndexedDB. This means:

• your Gmail metadata, calendar data, and any Slack export data you upload remains on your device, inside your browser storage,
• Visual Inbox does not require uploading that content to our servers to generate visualizations.

4) Cookies and local storage (“trackers”)

European rules on “cookies and other trackers” apply broadly to technologies that store or access information on your device, including cookies and local storage such as IndexedDB.

What Visual Inbox uses

Visual Inbox uses local browser storage (including IndexedDB) for one purpose: to provide the service you explicitly request—i.e., to store and render your visualizations locally without sending content to a server.

Depending on your usage, Visual Inbox may store locally:

• Gmail metadata retrieved from the Gmail API (metadata only),
• Google Calendar data retrieved from the Google Calendar API (read-only access),
• Slack export data you upload,
• application settings and preferences needed for the app to function.

What Visual Inbox does not use

As of the date above, Visual Inbox does not use:

• third-party advertising cookies/pixels,
• third-party analytics cookies (e.g., Google Analytics),
• third-party tracking scripts,
• a CDN such as Cloudflare.

5) What Visual Inbox does not do

Visual Inbox does not:

• send your Gmail metadata, calendar data, or Slack export contents to our servers,
• sell personal data,
• run ads based on your data,
• share your data with third parties for marketing,
• use your data to train machine learning models.

6) Website hosting and standard server logs

Visual Inbox is hosted on Hetzner (infrastructure that Hetzner states is GDPR-compliant). Like most websites, the server may process limited technical information when you load pages, such as:

• IP address
• date/time of request
• requested URL
• basic device/browser information (user agent)

This information is typically generated as part of standard hosting, security, and abuse prevention. It does not include your Gmail metadata, calendar data, or Slack export contents.

7) OAuth tokens and authentication

Visual Inbox uses Google OAuth to request permission to access Gmail and/or Google Calendar. OAuth tokens are stored locally in your browser and are transmitted securely via HTTPS. Visual Inbox is designed so that Gmail and Calendar data are processed locally and are not uploaded to our servers.

8) Your choices and controls

You control your data:

• Disconnect / revoke Google access: You can revoke Visual Inbox’s access to Gmail/Calendar from your Google Account permissions page.
• Delete data from within the app: Visual Inbox includes an in-app control labeled “Logout & Delete” that logs you out and deletes Visual Inbox’s locally stored data from your browser.
• Clear local data via browser settings: You can also delete Visual Inbox’s locally stored data by clearing site data in your browser settings (this removes IndexedDB storage for Visual Inbox).

9) Data retention

Because Visual Inbox processes and stores data locally in your browser (IndexedDB), you remain in full control of retention.

• By default, locally stored data remains on your device so the app can load quickly and preserve your settings and visualizations.
• You can delete your data at any time using the in-app “Logout & Delete” control.
• Visual Inbox does not maintain a server-side database of your Gmail metadata, calendar data, or Slack export contents.

10) Data Protection Mechanisms and Security

We are committed to ensuring that your information is secure. To prevent unauthorized access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we access.

Encryption in Transit All communication between your browser and Google’s servers (Gmail and Calendar APIs) is transmitted over a secure, encrypted connection using standard Transport Layer Security (TLS/SSL) technology. This ensures that data remains confidential while in transit.

Local Data Protection Because Visual Inbox stores data locally in your browser (IndexedDB), your data is protected by your browser's built-in security sandbox (Same-Origin Policy). This prevents other websites from accessing data stored by Visual Inbox. The security of this data at rest relies on your device’s underlying security measures (e.g., disk encryption and OS-level access controls).

Access Controls Since Visual Inbox does not store your Gmail or Calendar data on our servers, our personnel have no technical means to access your sensitive user data. Access is strictly limited to your local client instance.

11) Children’s privacy

Visual Inbox is not designed for children under 13, and we do not knowingly collect personal information from children.

12) Changes to this policy

If we update this Privacy Policy, we will revise the “Last updated” date at the top of the page. Material changes will be posted clearly on this page.

13) Contact

Questions or concerns? Contact: hello@visualinbox.net