UpInbox by UpGPT

Privacy Policy

Effective date: March 20, 2026  ·  Version 1.0

This Privacy Policy describes how GALAXZ HOLDINGS INC, doing business as UpGPT (“we”, “us”, or “our”), handles your information when you install and use the UpInbox Chrome Extension (“UpInbox” or the “Extension”).

We built UpInbox on a local-first, minimal-data principle: the vast majority of processing happens on your device, and we only touch our servers when strictly necessary to deliver the service.

1. What UpInbox Does

UpInbox is a free Gmail productivity extension. It reads your email metadata (sender, subject, date) to classify messages into categories such as newsletters, promotions, and receipts. It then lets you bulk-archive, apply Gmail labels, or set up auto-filter rules — all from a sidebar panel inside Gmail.

2. Data We Collect

2a. What UpInbox accesses from Gmail

UpInbox uses the Gmail API under your explicit OAuth 2.0 authorization to:

  • Read email metadata — sender address, subject line, date, and a short snippet — for classification purposes
  • Apply Gmail labels to emails you choose to categorize
  • Archive or trash emails when you explicitly trigger a bulk-action
  • Create Gmail filters when you save an auto-rule
  • Read and send email only for the Auto-Draft and Send Later features (Plus/Pro tier, opt-in)
  • Read Gmail settings to understand your current label and filter configuration

2b. What is NOT collected

The following data is never transmitted to UpGPT servers under any circumstances:

  • Email body content — classification is performed on metadata only. Full message bodies are never read or uploaded by the Extension except when you explicitly compose or review a draft in the Auto-Draft panel.
  • Passwords or authentication credentials
  • Financial data or payment card information
  • BYOK API keys — your Bring-Your-Own-Key API keys (Google AI, OpenAI, Anthropic) are stored exclusively in your browser’s chrome.storage.local and IndexedDB. They are never transmitted to UpGPT servers. When you use BYOK mode, classification requests go from your browser directly to the AI provider you chose — UpGPT servers are not involved.

2c. What we store server-side

We only store the following on our servers (Supabase, hosted in the US):

  • Account record: Your email address and subscription tier, required to manage your account and enforce credit limits.
  • Credit balance: How many AI classification tokens remain in your funded or purchased allocation.
  • Anonymous usage events: Non-identifiable analytics events (e.g., “scan_started”, “bulk_action_performed”, “label_applied”). These contain no email content, no sender data, and no personally identifiable information.
  • Weekly Digest content (opt-in only): If you subscribe to the weekly email digest, we store the digest summary text generated from your Gmail data to send you the email. You can disable this at any time in Settings → Digest.

3. What Stays Local on Your Device

The following data is stored exclusively in your browser’s IndexedDB and chrome.storage. It never leaves your device:

  • Email classification results (category, sender, subject)
  • Your sender whitelist and blacklist
  • Scan history and local usage counters
  • Smart Rules configurations and auto-filter templates
  • Undo Vault — 30-day action history for reversing bulk operations
  • Inbox Health Score history
  • Email analytics data (volume by category, trends)
  • BYOK API keys — stored locally, encrypted, never transmitted to us
  • Project Labels and private notes (UpInbox Plus/Pro features)

4. AI Processing

4a. How email classification works

UpInbox uses a three-tier AI processing model:

  • Funded tier (new users, first 30 days): Email metadata (sender, subject, snippet) is sent to an UpGPT AI proxy endpoint, which routes the request to Gemini 2.5 Flash. Email bodies are never included. Headers are processed and immediately discarded — we do not store them.
  • BYOK (Bring Your Own Key): Your classification requests travel from your browser directly to the AI provider you configured (Google AI, OpenAI, or Anthropic). UpGPT servers never see this traffic. You pay the provider directly. We make no margin on BYOK usage.
  • Premium subscribers (Plus/Pro): Email metadata is sent to the UpGPT AI proxy for classification. Same as the funded tier — no email bodies, headers discarded after processing.
  • Heuristic mode (free forever): Classification happens entirely on your device using pattern-matching rules. No API calls, no server involvement.

4b. Auto-Draft feature

If you use the Auto-Draft feature (Plus/Pro), draft generation requires reading the email thread to generate a contextual reply. Thread content is sent to the UpGPT AI proxy for this purpose only and is immediately discarded after generating the draft. Drafts are stored in your Gmail only — not on our servers.

5. Third-Party Services

  • Google Gmail API: Required to read metadata, apply labels, archive emails, and manage filters. Subject to Google’s Privacy Policy.
  • Supabase: Our backend database, hosted in the US. Stores account records, credits, and anonymous events. Supabase is SOC 2 Type II certified.
  • Stripe: Processes all subscription payments for Plus and Pro tiers. We never store your payment card details — Stripe handles all payment data. See Stripe’s Privacy Policy.
  • AI Providers (BYOK only): Google AI, OpenAI, and Anthropic — only when you supply your own API key. UpGPT has no visibility into these requests.

6. Google API Limited Use Disclosure

UpInbox’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request the minimum Gmail OAuth scopes necessary to deliver the features you use
  • We do not use Google user data to serve advertisements or for any purpose unrelated to inbox organization
  • We do not allow humans to read your email data except as required for security, legal compliance, or with your explicit written consent
  • We do not transfer Google user data to third parties except as necessary to provide the UpInbox service (e.g., AI classification proxy)
  • UpInbox does not use Google Workspace APIs to develop, improve, or train generalized AI/ML models

7. Data Retention and Deletion

  • Local data: Cleared when you uninstall the Extension or manually via Settings → Privacy → Clear All Data.
  • Export: Download all your local data as JSON via Settings → Privacy → Export My Data.
  • Undo Vault entries: Auto-expire after 30 days.
  • Server-side account data: Deleted within 72 hours of a verified deletion request. Email us at privacy@upgpt.ai.
  • Anonymous analytics events: Retained for 12 months, then purged.
  • Revoke Gmail access: At any time via Google Account Permissions. Revoking access does not delete your local data.

8. Your Rights Under GDPR and CCPA

8a. GDPR (European Economic Area and UK residents)

If you are in the EEA or UK, you have the following rights under the General Data Protection Regulation:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure (“Right to Be Forgotten”): Request deletion of your personal data.
  • Right to Restriction: Request that we limit how we process your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.

Our legal basis for processing your data is performance of a contract (to provide the Extension service) and legitimate interests (anonymous usage analytics to improve the product). We do not rely on consent as the basis for processing required to operate the service.

To exercise any GDPR right, email privacy@upgpt.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

8b. CCPA (California residents)

Under the California Consumer Privacy Act, California residents have the right to:

  • Know what personal information we collect, use, disclose, or sell
  • Delete personal information we have collected
  • Opt-out of the sale of personal information — we do not sell personal information
  • Non-discrimination for exercising your privacy rights

To make a CCPA request, email privacy@upgpt.ai. We will verify your identity and respond within 45 days.

9. Security

UpInbox uses Chrome’s built-in identity system (chrome.identity) for OAuth. Your Gmail access token is managed by Chrome — UpInbox never stores it. All connections to UpGPT servers use HTTPS/TLS 1.2+. BYOK API keys are stored inchrome.storage.local which is sandboxed to the Extension and inaccessible to other extensions or websites.

10. Children’s Privacy

UpInbox is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us at privacy@upgpt.ai and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date above and, where possible, via the Extension’s update release notes. Continued use after the effective date constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data requests, or to exercise your rights:

UpInbox is a product of GALAXZ HOLDINGS INC, doing business as UpGPT.
See also: UpInbox Terms of Service   ·  UpGPT Platform Privacy Policy