Privacy Policy
View all our legal and compliance documentation
Learn about our security measures and compliance commitments
Bobook Limited ("we", "us", or "our") operates the Inbox2Sheet service. This Privacy Policy outlines how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
A. Who We Are & Scope
Bobook Limited (Ireland) is the controller for account/billing/site data. For customer email content and extracted data processed in Inbox2Sheet, we act as processor on your instructions (Art. 28 GDPR).
B. Categories of Data
Account & Billing
Name, email, company, payment details.
Service Data (Processor)
Emails you forward (headers, body, attachments), extracted fields/rows, parser configurations, confidence scores, error logs.
AI Chat Data
Messages and derived insights.
Technical
IP, device info, app telemetry.
Support
Tickets, call notes.
C. Purposes + Legal Bases
Provide the service: Contract
Billing, fraud prevention: Legitimate interests / Legal obligation
Product analytics, service improvement: Legitimate interests; offer opt-out where feasible
Support communications: Contract/legitimate interests
AI Processing Disclosure: We use third-party AI providers to assist with extraction and chat responses. See Subprocessors.
D. Roles & Responsibility
Controller for account/site data; processor for customer email and extracted data. Customers are controllers of their customer data. A DPA is available for signature.
E. Retention
Default Retention Periods
- Raw emails: ≤30 days
- Extracted rows: Until the user deletes
- System logs: ≤30 days
- Backups: ≤90 days (rolling)
Self-Serve Controls
Mailbox-level retention (e.g., 0/1/7/30/90 days) and one-click purge for mailbox, template, or account.
F. International Transfers
Mailgun
For email ingress (choose EU region so message data stays in-region). Mailgun
Google (Sheets/Workspace)
For data write-back (covered by Google DPA). Google Cloud
OpenAI (GPT-4o)
For parsing/chat: API data isn't used for training by default; 30-day retention typical; EU data residency now available for eligible endpoints/zero-retention projects—use EU where possible. OpenAI
Stripe
For payments (SCCs/DPF mechanisms). Stripe
Where providers are US-based, we rely on SCCs and/or DPF as applicable. Reference: activeMind.legal, Wikipedia
Complete Subprocessor List: For detailed information about all our subprocessors, visit our Subprocessors page.
G. Security (TOMs Summary)
Encryption in transit (TLS 1.2+) and at rest (AES-256); RBAC, MFA, least-privilege; audit logs; vulnerability management; incident response & 72-hour breach notification window; regular backups and restore testing.
Reference: OpenAI publishes SOC 2; Google/Stripe TOMs referenced.
Detailed Security Information: For comprehensive details about our technical and organizational measures, visit our Security page.
H. Data Subject Rights
Your Rights
Access, rectification, erasure, portability, restriction, objection.
Process
Link to Data Request Center (form or email), response within 30 days.
Supervisory Authority
Irish Data Protection Commission (www.dataprotection.ie)
I. Children
Service not directed to children under 16; do not knowingly process children's data.
J. Cookies & Analytics
We use cookies and similar technologies to provide and improve our service. For detailed information about our cookie usage, categories, retention periods, and consent management, please see our Cookie Policy.
Cookie Management: You can manage your cookie preferences at any time through our Cookie Preferences page or the consent banner that appears on first visit.
K. Contact
Email: privacy@inbox2sheet.com
Privacy Lead: privacy@inbox2sheet.com
Postal Address: See section A above