Privacy Policy
How ToInbox collects, uses, and protects your information.
1. Who we are
ToInbox is operated by TopFounder, a sole proprietorship of Devansh Karnani (the "Company", "we", "our", "us"). Our registered address is 134 Salkia School Road, Howrah, West Bengal 711106, India. If you have any questions about this Privacy Policy or how we handle your data, contact support@topfounder.io.
ToInbox is a Chrome extension and web application that helps job-seekers send personalized cold emails to founders behind LinkedIn job listings, sent through the user's own Gmail account. This policy applies to the ToInbox extension, the website at toinbox.app, and the application at app.toinbox.app (together, the "Service").
2. Information we collect
2.1 Information you give us through LinkedIn Sign-In
When you sign in with LinkedIn we receive, with your consent, your LinkedIn identifier, name, primary email address, and profile photo URL through LinkedIn's standard OpenID Connect profile. We do not request access to your LinkedIn connections, messages, posts, or activity.
2.2 Information you give us directly
- The resume PDF you upload (we extract its text and store both the text and the file).
- Optional profile details: phone, location, additional LinkedIn URL.
- Daily sending limit and sending schedule preferences.
2.3 Information we receive from Google (Gmail)
When you connect Gmail, we request OAuth access to the following Google APIs scopes:
| Scope | What it allows | Why we need it |
|---|---|---|
gmail.send |
Send email on your behalf from your Gmail address. | So the application emails we generate are sent from you, not from us. |
userinfo.email / userinfo.profile |
Your Google email address, name, and profile picture. | To confirm which Gmail account is connected. |
ToInbox's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Gmail data only to send application emails from your Gmail on your behalf.
- We do not use Gmail data to train, develop, or improve any generalised or third-party AI/ML models.
- We do not sell or transfer Gmail data to any third party for advertising, marketing, or any unrelated purpose.
- We do not allow humans to read your Gmail data, except (a) with your explicit consent, (b) when required by law, (c) for security investigations, or (d) in aggregated, anonymized form for internal operations.
2.4 Information generated through your use of the Service
- LinkedIn job listings you enroll (job ID, role title, company name, company domain, job URL, job description text scraped from the public listing).
- Emails we generate and send (subject, body, recipient, Gmail message and thread IDs).
- Basic event logs (timestamps of sends, errors, schedule decisions).
2.5 Information collected automatically
Like most web services, our hosting and analytics infrastructure may log IP address, user-agent string, and request timestamps for security and reliability. The Service does not currently use advertising cookies or third-party trackers.
3. How we use your information
We use the information we collect to:
- Generate personalized application emails from your resume using an AI service.
- Identify the right founder for each company you enroll (via Apollo.io's database).
- Send those emails from your Gmail and attach your resume as a PDF.
- Enforce your daily sending limit and sending schedule.
- Operate, secure, and improve the Service (e.g. error monitoring, performance).
- Communicate with you about your account and service updates.
- Process payments for paid plans (when applicable).
4. Third parties we share information with
We do not sell your personal information. We share specific pieces of data with the following third-party processors, only as needed to provide the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Google (Gmail API) | Sending email from your account | OAuth tokens, the email body/subject/recipient we send |
| OpenAI | Generating personalized email content from your resume + job description | Your resume text, the job description, the company name, and the founder's first name (no Gmail content, no recipient address) |
| Apollo.io | Finding the founder's contact details by company domain | Company name and domain (no personal data about you) |
| Hunter.io | Backup email-finding service | Company name and domain (no personal data about you) |
| Vercel | Hosting the website and application | Request metadata (IP, user-agent) per Vercel's standard logging |
| Railway | Hosting the application backend | Request metadata per Railway's standard logging |
| Turso (libSQL) | Application database (hosted in Mumbai region) | All structured user data described in Section 2 |
Each of these providers has its own privacy practices; we recommend reviewing their policies. We do not share information with any party for advertising or marketing purposes.
5. Where we store data
The application database is hosted with Turso in the AWS Asia Pacific (Mumbai) region. Resume files and email content are stored within this database. OAuth tokens are stored encrypted at the database level. Our hosting providers may process request metadata in other regions.
6. How long we keep data
- Account data (profile, resume, sent email records, replies) is retained for as long as your account is active.
- OAuth tokens are retained while your account is active so the Service can continue to function. Revoking access in your Google Account permissions or LinkedIn permitted services invalidates them.
- Event logs are retained for up to 90 days for debugging and security purposes.
- On account deletion, all personal data is removed from our active database within 30 days. Backup copies may persist for a further 60 days before being purged.
7. Your rights and choices
- Access & correction: view and edit your profile and resume in the app at any time.
- Deletion: request account and data deletion by emailing support@topfounder.io. We respond within 30 days.
- Revoke Gmail access: at Google Account permissions. This stops all sending immediately.
- Revoke LinkedIn access: at LinkedIn permitted services.
- Export: request a copy of your data by emailing the address above.
- Depending on your jurisdiction (e.g. GDPR, India's DPDP Act, CCPA) you may have additional rights such as objection, restriction, and portability. You may exercise these by emailing us.
8. Security
We protect data in transit with HTTPS/TLS and at rest through our database provider's encryption. Access to production systems is restricted. OAuth tokens are stored and used only by the Service. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you as required by applicable law.
9. Children
ToInbox is not directed to anyone under 16. We do not knowingly collect data from children under 16. If you believe a child has provided information to us, contact us and we will delete it.
10. International users
The Service is offered globally. If you are located outside India, your data will be transferred to and processed in India and in the regions where our subprocessors operate. By using the Service you consent to that transfer.
11. Cookies and similar technologies
The application uses essential cookies and local-storage entries to keep you signed in and to
cache application data for performance. We do not use advertising or cross-site tracking
cookies. The marketing site at toinbox.app may use minimal first-party analytics
in the future; if added, this policy will be updated.
12. Third-party links and platforms
ToInbox interacts with LinkedIn (a Microsoft service) and Gmail (a Google service). It is not affiliated with, endorsed by, or sponsored by either company. We are not responsible for the privacy practices of LinkedIn, Google, or any other third party.
13. Changes to this policy
We may update this Privacy Policy as the Service evolves. The "Last updated" date at the top of this page reflects the latest version. Material changes will be highlighted in-app or by email where appropriate. Continued use of the Service after a change constitutes acceptance.
14. Contact
TopFounder (Devansh Karnani)
134 Salkia School Road, Howrah, West Bengal 711106, India
support@topfounder.io