Privacy Policy

Effective date: March 19, 2026

This Privacy Policy describes how Cheddar Inbox, Inc. ("Cheddar Inbox," "we," "us," or "our") collects, uses, and protects your information when you use the Cheddar Inbox service. By using Cheddar Inbox, you agree to the practices described in this policy.

Questions? Contact us at our support chat.

1. Information We Collect

When you connect your Google account, we collect:

• Google account information — your email address, display name, and locale, as provided by Google's OAuth flow.
• Gmail access — message metadata (sender, recipient, subject, timestamps, labels), your inbox label structure, the ability to send emails on your behalf, and the ability to read, label, and archive messages.
• OAuth tokens — we store your Google OAuth refresh token in our database so the service can operate while you are offline. Access tokens are short-lived and held only in memory during active operations.
• Usage data — actions performed through your connected account (emails sent, replies made, labels applied, messages archived), timestamps, and earnings attributed to your account.

We do not collect your Gmail message body content for any purpose other than operating the inbox optimization service. We do not read email content for advertising.

2. How We Use Your Information

We use the information we collect exclusively to operate the Cheddar Inbox service:

• Facilitating email engagement with verified senders — we send natural, AI-generated email conversations on your behalf through your connected Gmail account to establish positive sending patterns and maintain deliverability.
• Reading and archiving engagement threads — we identify optimization threads in your inbox and move them to a hidden "Cheddar Inbox" label to keep your primary inbox clean.
• Deliverability scoring — we analyze metadata (account age, message volume, geographic location, provider reputation, recent activity) to assign a tier and earning rate to your account.
• Managing labels — we create and manage a hidden Gmail folder called "Cheddar Inbox" where all engagement threads are organized. This label is not visible in your primary inbox view.
• Tracking earnings — we record each optimization activity to calculate your USDC earnings.
• Account management — we use your email address to identify your account and communicate important service updates.

3. OAuth Token Storage

Your Google OAuth refresh token is stored in our database and encrypted at rest. This token allows Cheddar Inbox to access your Gmail account without requiring you to re-authenticate every time. We use industry-standard encryption for all stored credentials.

You can revoke this token at any time by disconnecting your inbox from the Cheddar Inbox dashboard, or by visiting your Google Account Permissions page and removing Cheddar Inbox access.

4. What We Do NOT Do

• We do not read your email content for advertising or marketing profiling.
• We do not sell your personal data to third parties.
• We do not share your data with third parties except as strictly necessary to operate the service (see Section 8).
• We do not access emails outside of Cheddar Inbox engagement threads.
• We do not send emails to your personal contacts or anyone outside the Cheddar Inbox network.

5. User Controls

• Disconnect your inbox — you can disconnect your Gmail account from the Cheddar Inbox dashboard at any time. This immediately revokes all access to your Gmail account and stops all optimization activity.
• Request data deletion — email our support chat to request deletion of your account and all associated data.
• Google Account Permissions — you can revoke access directly from your Google Account at any time, independent of your Cheddar Inbox account status.

6. Data Retention

Your account data is retained while your account is active. Upon account closure or deletion request, all personal data is deleted within 30 days. Aggregated, anonymized analytics data may be retained indefinitely for service improvement purposes.

7. GDPR and CCPA Rights

If you are located in the European Union or California, you have the following rights with respect to your personal data:

• Right to access — request a copy of the personal data we hold about you.
• Right to deletion — request that we delete your personal data.
• Right to portability — request your data in a machine-readable format.
• Right to opt out — California residents may opt out of the sale of personal data. We do not sell personal data.

To exercise any of these rights, contact our support chat. We will respond within 30 days.

8. Third-Party Services

We use the following third-party services to operate Cheddar Inbox:

• Google Gmail API — used to send, receive, label, and archive emails on your behalf. Subject to Google's Privacy Policy.
• Railway — our backend infrastructure and database hosting provider. Data is stored on Railway's servers.
• Cloudflare — our CDN and DNS provider. Cloudflare may process your IP address and request metadata.

We share data with these services only to the extent necessary to operate Cheddar Inbox.

9. Cookies

Cheddar Inbox uses session cookies only, managed via iron-session. These cookies are strictly necessary to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Data Security

We implement industry-standard security measures including encryption at rest for sensitive credentials, HTTPS for all data transmission, and access controls limiting who can access your data. However, no system is perfectly secure — if you believe your account has been compromised, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email to the address associated with your account. Continued use of Cheddar Inbox after changes become effective constitutes acceptance of the updated policy.

12. Contact

Cheddar Inbox, Inc.
our support chat