Privacy Policy
Last updated: May 15, 2026
TwInbox is built on a simple principle: your email is yours. We never read it, store it, or send it to a server. This page explains exactly what does leave your device and what doesn't.
The short version
- ✓ Your email content never leaves your device.
- ✓ Your Gmail credentials (tokens) are stored only in your browser's local extension storage.
- ✓ Our push notification server stores only a hashed, non-reversible identifier — never your email address.
- ✓ We collect no analytics, no usage data, and no personal information.
- ✓ Uninstalling the extension permanently deletes all local data.
What TwInbox does
TwInbox is a Chrome extension that connects to your Gmail accounts via Google's official OAuth and Gmail REST API. It fetches your message list and displays it directly in your browser. All Gmail API calls are made from your browser using your own credentials — the data goes directly from Google's servers to your device, never through ours.
What stays on your device
All of the following is stored exclusively in Chrome's local extension storage (chrome.storage.local) and never transmitted to TwInbox's servers:
- Your Gmail OAuth refresh tokens (stored encrypted using AES-256-GCM)
- Cached message metadata (sender, subject, date, snippet — no message body)
- Your settings and preferences
- Account color assignments
Access tokens (short-lived, expire in ~1 hour) are stored only in session memory and are never written to disk.
What leaves your device — and when
Gmail API calls
When TwInbox fetches your inbox, searches your mail, or performs an action (archive, star, etc.), it calls Google's Gmail API directly from your browser. Your OAuth tokens are sent to Google's servers only — not to TwInbox. TwInbox never sees or intercepts this communication.
Push notifications (paid feature)
When new mail arrives, Gmail notifies our relay server so it can wake your extension in real time. Here is exactly what our relay handles:
- Gmail sends a Pub/Sub message containing your email address and a history ID (an opaque integer — no email content) to our Cloudflare Worker.
- The Worker immediately hashes your email address using SHA-256 (truncated to 32 hex characters). The plaintext email address is never stored.
- The hash is used to look up your browser's Web Push subscription endpoint and deliver a push message containing only {"type":"NEW_MAIL"} — no email content, no subject, no sender.
- Your extension receives the push, then calls Gmail's API directly from your browser to fetch the new messages.
Our Cloudflare Worker stores only:
- A SHA-256 hash of your email address (not reversible to the original email)
- Your browser's Web Push subscription endpoint (a URL assigned by Chrome — contains no personal information)
This data is deleted when you remove your account from TwInbox or uninstall the extension.
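The relay steps described above, sketched as an added example (not TwInbox's own code): decode Gmail's Pub/Sub notification, hash the address to a 32-hex-character key, look up the Web Push endpoint and build the constant payload. The in-memory Map, the function names, the trimming and lower-casing before hashing, and the sample addresses and endpoint are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Assumption: the address is trimmed and lower-cased before hashing (the policy does not say).
function hashEmail(email) {
  return createHash('sha256')
    .update(email.trim().toLowerCase(), 'utf8')
    .digest('hex')
    .slice(0, 32); // 32 hex characters = first 128 bits of the digest
}

// Gmail's Pub/Sub notification carries base64-encoded JSON: {"emailAddress": ..., "historyId": ...}.
function decodeNotification(envelope) {
  try {
    const raw = Buffer.from(envelope.message.data, 'base64').toString('utf8');
    const data = JSON.parse(raw);
    return typeof data.emailAddress === 'string' ? data : null;
  } catch {
    return null; // missing fields or invalid JSON
  }
}

// subscriptions: Map of hashed address -> Web Push endpoint (hypothetical in-memory store).
function handleNotification(envelope, subscriptions) {
  const data = decodeNotification(envelope);
  if (!data) return { status: 'malformed' };
  const key = hashEmail(data.emailAddress);
  const endpoint = subscriptions.get(key);
  if (!endpoint) return { status: 'unknown-account' };
  // The push body is constant: no address, history ID, subject or sender.
  return { status: 'push', endpoint, payload: JSON.stringify({ type: 'NEW_MAIL' }) };
}

// Constructed sample data (not real accounts or endpoints).
function demo() {
  const subscriptions = new Map([
    [hashEmail('alice@example.com'), 'https://push.example.invalid/sub/abc123'],
  ]);
  const envelopeFor = (emailAddress) => ({
    message: {
      data: Buffer.from(JSON.stringify({ emailAddress, historyId: '4242' })).toString('base64'),
    },
  });
  return {
    known: handleNotification(envelopeFor('Alice@Example.com'), subscriptions),
    unknown: handleNotification(envelopeFor('bob@example.com'), subscriptions),
    malformed: handleNotification({ message: { data: 'bm90IGpzb24=' } }, subscriptions),
  };
}
```

The digest is deterministic, which is what makes the lookup work. It also means the stored key can be recomputed by anyone who already knows the address, so it conceals the address only from someone who does not.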
Google OAuth
When you add a Gmail account, TwInbox opens a Google OAuth consent screen. The authorization code exchange happens between your browser and Google's token endpoint. TwInbox's servers are not involved in this flow.
What we never collect
- Email content, attachments, or message bodies
- Email addresses in plaintext on our servers
- Sender names, subject lines, or any email metadata
- Browsing history or page content
- Usage analytics or behavioral data
- Crash reports (there is no crash reporting infrastructure)
- IP addresses (Cloudflare handles routing; we do not log IPs)
Third-party services
- Google Gmail API — used to read, search, and modify your Gmail messages. Subject to Google's Privacy Policy.
- Cloudflare Workers — hosts our push notification relay. Cloudflare may log request metadata per their Privacy Policy. We do not receive or store these logs.
- Google Cloud Pub/Sub — used by Gmail to deliver new-mail signals to our relay. Only a history ID and email address are included in these signals; we hash and discard the email address immediately.
Data retention
Local data (tokens, cached messages, settings) is retained until you remove your account from TwInbox or uninstall the extension, at which point Chrome permanently deletes all extension storage.
Our server stores the hashed email / push subscription pair until you remove that account from TwInbox. We do not retain this data beyond that point.
Children's privacy
TwInbox is not directed at children under 13 and we do not knowingly collect information from children.
Changes to this policy
If we make material changes to this policy, we will update the date above. Continued use of TwInbox after a change constitutes acceptance of the new policy.
Contact
Questions about this policy? Email privacy@twinbox.email.