Privacy Policy
Last updated: May 17, 2026
Convobox is architecturally incapable of reading your email. This page explains exactly how that works — with diagrams and links to the relevant technical specifications.
How we keep your email private, safe, and secure
Your data travels directly between Google's servers and your browser, encrypted. Convobox infrastructure is never in that path.
For users on the free version of Convobox, there are no Convobox server interactions of any kind.
Reading and sending mail
Your email data travels directly between your browser and Google.
How we authenticate you without sending any data to our servers
Authentication takes place directly between your browser and Google. Convobox servers are not involved.
When you grant permission during authentication, you are granting permission to your own browser. No keys, codes, tokens, name, email address, or identifiers of any kind are sent to our servers when you authenticate. We have no record of you whatsoever.
Adding a Gmail account (OAuth)
The OAuth sign-in flow is entirely between your browser and Google. Convobox's servers are not involved. Your Google password never leaves Google.
How we send push notifications without knowing who you are
In the paid version of Convobox (explicit opt-in), you get immediate notifications when a new message arrives. These notifications are anonymised by design. Here is exactly how it works:
- Your browser receives an ID token from Google. When Convobox refreshes your access token, Google also issues an OpenID Connect ID token — a cryptographically signed certificate containing your email address and nothing else. It is signed by Google using RS256 and can be verified by anyone with Google's public keys. Crucially, an ID token carries no API permissions — it cannot be used to call any Google API, read email, or do anything other than prove you own an email address.
- Your browser sends the ID token to Convobox to register for push notifications. Convobox verifies the token with Google's public key endpoint, confirms it is genuine and unmodified, and extracts your email address. The ID token is then discarded immediately.
- Convobox hashes your email address and discards it. The email address is put through SHA-256, a one-way cryptographic hash. The result — a fixed-length string of characters with no mathematical path back to the original email — is stored as a routing key. The plaintext email address is never stored.
- Convobox registers with Google for Pub/Sub notifications. Your browser calls Gmail's watch API directly, asking Google to send a signal to Convobox's server whenever a new message arrives. This call is made by your browser using your access token — Convobox's server is not involved in this step.
- When a new message arrives, Google notifies Convobox. Google sends a Pub/Sub message containing two fields:
  - emailAddress — immediately hashed using SHA-256 and discarded. The hash is used to look up which browser to notify. The plaintext is never stored.
  - historyId — an opaque sequence number with no content. Discarded immediately.
- Convobox sends a wake signal to your browser. The signal contains only {"type":"NEW_MAIL"} — no email content, no subject line, no sender, no address.
- Your browser fetches the new messages directly from Google. The wake signal triggers your browser to call Gmail's API using your own access token — the same direct path described in the first section. Convobox's server is not involved. Your access token never leaves your device.
Push notification when you receive new mail (diagram)
Google → Convobox server, Pub/Sub payload: {"emailAddress": "you@gmail.com", "historyId": "1234567890"}
Convobox server → your browser, wake signal: {"type": "NEW_MAIL"} (no email content, subject, sender, or address)
The only data Convobox's server ever receives is the Pub/Sub payload above. The email address is hashed and stored as a lookup key to route the wake signal. The historyId is discarded immediately. No email content passes through our servers at any point.
Registering for push notifications — why we can't impersonate you
(Diagram: the ID token is a signed certificate, not an API key. The only question it answers is "What email does it belong to?")
What an ID token is
An ID token is a cryptographically signed certificate issued by Google. It says: "Google confirms this person owns this email address." That is all it does. It carries no API permissions and cannot be used to read, send, or modify email — not by us, not by anyone.
Why this is unusual
Most apps that connect to Gmail — Slack, Notion, Calendly, and thousands of others — receive a full OAuth access token during setup, giving them the technical ability to read your inbox whether they intend to or not. Convobox deliberately uses the most restricted token type available. We went out of our way to make it technically impossible for our server to access your email.
We go the extra mile to protect your privacy
Convobox's privacy architecture is not an accident — it is the result of deliberate decisions made at every step, designed to protect you even in the worst case. Here are the specific choices we made that go beyond what is standard or required:
When registering for push notifications, we use an OpenID Connect ID token — a read-only signed certificate — instead of a Gmail access token. Most OAuth apps that connect to Gmail receive a full access token during setup, giving them the technical ability to read your inbox. We deliberately chose the most restrictive token type available. Our server receives something that can prove your identity but cannot access a single byte of your email, even if we wanted it to.
When Google's push notification arrives containing your email address, we hash it using SHA-256 within the same request handler and discard the original. The hash is mathematically irreversible — there is no algorithm that can recover the email address from it. It functions only as a routing key to find your push subscription.
Your Gmail access token — the short-lived credential that can call Gmail APIs — is stored only in browser session memory (chrome.storage.session). It is never written to disk. When your browser closes, it is gone. This means a breach of your device's storage — a stolen laptop, a compromised extension — cannot yield a usable access token.
Refresh tokens are long-lived and more sensitive. Before being written to your device's extension storage, they are encrypted using AES-256-GCM with a key generated on your device and never transmitted anywhere. Raw refresh tokens do not exist in your extension storage.
To send a push notification to your browser, two things are required: the push subscription endpoint (which is in our database) and a VAPID private key to sign the request (which is stored separately as a server-side secret, never in the database). Stealing the database gives an attacker neither the ability to send push notifications nor any personal information.
Free tier users have no interaction with Convobox's servers whatsoever. There is no telemetry, no analytics, no account registration. Your email is fetched directly from Google's API using your own credentials. If our servers were taken offline permanently, the free tier of Convobox would continue to work indefinitely.
Even in the event of a complete server breach
If our server were completely compromised, an attacker would find:
- SHA-256 hashes of email addresses. One-way and irreversible. An attacker who already knows your email address could confirm it appears in our database — but could do nothing else with it.
- Web Push subscription endpoints. Chrome-assigned URLs with no personal information, useless without the VAPID private key which is not in the database.
No passwords. No email addresses in plaintext. No message content. No access tokens. No credentials of any kind. Nothing that could access your email, impersonate you, or meaningfully identify you.
What we never collect
- Email content, attachments, or message bodies
- Email addresses in plaintext on our servers
- Sender names, subject lines, or any email metadata
- Browsing history or page content
- Usage analytics or behavioral data
- Crash reports (there is no crash reporting infrastructure)
- IP addresses (we do not log IPs)
Reddit accounts
If you connect a Reddit account, Convobox interacts with Reddit's APIs directly from your browser — the same architecture as Gmail. Convobox servers are not in the path between your browser and Reddit.
- Authentication. Reddit accounts authenticate via cookie session. Convobox does not see your Reddit password — you sign in at reddit.com directly, and the resulting browser cookie is what authorizes your inbox fetches.
- Chat (Matrix). Reddit's chat is built on the Matrix protocol. To merge chat messages with your other inboxes, Convobox reads the Matrix access token that chat.reddit.com stores in its own browser localStorage. This token is used to call Reddit's Matrix homeserver directly from your browser — never sent to our servers.
- What we receive. Nothing from Reddit ever touches a Convobox server. We have no record of your Reddit username, your messages, your subreddits, or any Reddit activity.
- Free tier only. Reddit support is in the free tier and does not involve any server-side infrastructure on our end.
Third-party services
- Google Gmail API — used to read, search, and modify your Gmail messages. Subject to Google's Privacy Policy.
- Google People API — used to look up contact names and photos when displaying senders. Same direct-from-browser path as Gmail.
- Google Cloud Pub/Sub — used by Gmail to deliver new-mail signals to our server. Only a history ID and email address are included in these signals; we hash the email address and store it as a routing key. The historyId is discarded immediately.
- Reddit + Reddit Matrix homeserver — used to fetch your Reddit inbox and chat messages directly from your browser. Subject to Reddit's Privacy Policy.
- Cloudflare Workers — hosts the push-notification relay described above. Cloudflare's standard logs may include IP addresses for abuse prevention; we do not access or retain them.
- Stripe — used for paid-tier subscription billing. If you upgrade, Stripe receives your billing details directly; Convobox never sees your payment information. Subject to Stripe's Privacy Policy.
- Resend — used to email license keys after a successful purchase. Resend receives only your email address and the license key, and processes it as a transactional email.
Data retention
Local data (tokens, cached messages, settings) is retained until you remove your account from Convobox or uninstall the extension, at which point Chrome permanently deletes all extension storage.
Our server stores the hashed email / push subscription pair until you remove that account from Convobox. We do not retain this data beyond that point.
Children's privacy
Convobox is not directed at children under 13 and we do not knowingly collect information from children.
Changes to this policy
If we make material changes to this policy, we will update the date above. Continued use of Convobox after a change constitutes acceptance of the new policy.
Contact
Questions about this policy? Email human@convobox.co.