Back

Privacy Policy

Last updated April 17, 2026

This Privacy Policy describes how Mailbox (the “Service”) handles information when you sign in and use the Service to administer email accounts hosted on MXroute. We take a minimalist approach: we only handle the data strictly necessary to authenticate you and carry out the administrative actions you request.

1. Information we collect

  • Google account basics. When you sign in with Google, we receive your email address, name, and profile picture from Google’s OAuth (scopes: openid, email, profile). We do not request access to your Gmail, Drive, Calendar, or any other Google service data.
  • Mailbox assignments. An internal JSON store on our server records which mailbox(es) each authorized user is assigned to, so the app can show you only your own mailbox(es).
  • Operational logs. Standard web-server logs (IP, user agent, timestamps, request paths) are retained short-term for security and debugging.

2. How we use information

  • To authenticate you and authorize access.
  • To display your profile (name, avatar) inside the app and determine whether you have admin privileges.
  • To relay your requested administrative actions to MXroute’s API (e.g., changing a mailbox password, creating a forwarder).
  • To keep the Service secure and operational.

3. What we do NOT do

  • We do not read, send, or store the contents of email messages.
  • We do not sell or rent your personal information to anyone.
  • We do not use your data to train machine-learning models.
  • We do not request, store, or use any Google API data beyond the basic sign-in scopes listed above.

4. Where your data lives

Sign-in sessions are held in encrypted cookies issued by NextAuth. The mailbox-assignment JSON store lives on the server that hosts this Service. Administrative operations are sent to the MXroute API and subject to MXroute’s own policies.

5. Sharing

The only third parties that receive data from the Service are Google (for sign-in) and MXroute (for the administrative actions you initiate). We may also disclose information if required by law or to protect the rights, property, or safety of our users or others.

6. Retention

Mailbox-assignment records are kept as long as the assignment is active. If your access is revoked, associated records are removed on request. Operational logs are rotated on a short schedule.

7. Your choices

  • You can revoke the app’s Google OAuth access at any time via your Google Account permissions page.
  • You can request deletion of your mailbox-assignment record by contacting us (below).

8. Children

The Service is not directed at, or intended for use by, children under 13 (or the equivalent minimum age in your jurisdiction).

9. Changes

We may update this Policy. Changes take effect when posted on this page. The “Last updated” date above will reflect the most recent revision.

10. Contact

Privacy questions or deletion requests can be directed to keenjerry66@gmail.com.