Privacy Policy
Effective date: April 14, 2026 · Last updated: May 11, 2026
Google API Services User Data Policy — Limited Use
Captchainbox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we only use Google user data to provide or improve user-facing features of Captchainbox; we do not use it for advertising, do not sell it, do not transfer it to third parties (except as necessary to provide the service, comply with applicable law, or with your consent), do not allow humans to read it (except with your explicit consent, for security or legal compliance, or when needed to resolve user-reported support requests), and do not use it to develop, improve, or train generalized AI/ML models.
Captchainbox ("we", "us", or "our") is operated by Felix Doerp (sole proprietor, based in Germany) and provides the website captchainbox.com and the Captchainbox service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
1.1 Account Information
When you sign up, we collect your email address and basic profile information provided by Google during the OAuth authentication flow.
1.2 Gmail Data
With your explicit consent, we access your Gmail account through the Gmail API to:
- Read email metadata (sender addresses, subject lines, dates) to build your trusted sender whitelist and classify incoming messages.
- Modify email labels to archive messages from unknown senders and unarchive them after verification.
- Send emails on your behalf to deliver verification challenge messages to unknown senders.
We do not read the body content of your emails. We only process metadata (sender, recipient, subject, date) necessary for the service to function.
1.3 Data from Email Senders
When an unknown sender receives a verification email and visits our verification page, we collect:
- Their IP address (for Cloudflare Turnstile CAPTCHA verification)
- The verification token used
- The result of the CAPTCHA challenge
1.4 Usage Data
We collect anonymized analytics data (page views, feature usage) to improve the service. We use Umami, a privacy-focused analytics tool that does not use cookies and does not collect personally identifiable information.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Captchainbox service
- Build and maintain your trusted sender whitelist based on your email history
- Archive emails from unknown senders and send them verification challenges
- Unarchive emails and whitelist senders who complete verification
- Manage grace periods for recently verified senders
- Send you service-related notifications
- Improve and optimize our service
3. Data Storage and Security
Your data is stored securely using Supabase (hosted on AWS infrastructure) with row-level security policies enforced at the database level. OAuth tokens are stored encrypted. We use HTTPS for all data transmission.
We retain your data for as long as your account is active. If you delete your account, we will delete all associated data, including your whitelist, email analysis records, and stored OAuth tokens.
4. Third-Party Services
We use the following third-party services:
- Google Gmail API – to access and manage your email on your behalf. Subject to the Google API Services User Data Policy, including the Limited Use requirements.
- Supabase – for authentication, database, and serverless functions.
- Cloudflare Turnstile – for CAPTCHA verification of unknown senders.
- Vercel – for hosting and serving the web application.
- Umami – for privacy-friendly, cookie-free analytics.
5. Google API Services User Data Policy
Captchainbox's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request access to the Gmail scopes necessary for the service to function (reading metadata, modifying labels, sending verification emails).
- We do not use Gmail data for advertising or to serve ads.
- We do not allow humans to read your email data unless required for security purposes, to comply with applicable law, or with your explicit consent.
- We do not transfer Gmail data to third parties except as necessary to provide the service, as required by law, or with your consent.
- We do not use Gmail data to develop, improve, or train generalized artificial intelligence or machine learning models. Any AI features (such as our optional agent-to-agent reply assistant) operate only on data for the requesting user and do not feed training pipelines.
6. Data Sharing
We do not sell, rent, or trade your personal information. We only share data with the third-party service providers listed above, solely to operate the service. We may disclose information if required by law or to protect our rights.
7. Your Rights
You have the right to:
- Access your data through the Captchainbox dashboard
- Revoke access to your Gmail account at any time through your Google Account permissions
- Delete your account and all associated data by contacting us
- Export your whitelist data from the dashboard
8. Cookies
We use only essential cookies required for authentication and session management. We do not use tracking cookies or third-party advertising cookies.
9. Children's Privacy
Captchainbox is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
11. Contact Us
If you have questions about this Privacy Policy, please contact us at felixdoerp@gmail.com.