ZenBox

Legal

Security

ZenBox is built for people who care about their inbox. Here's how we keep it safe.

Effective June 26, 2026 · ZenBox (operated by Utkarsh Kumar) · Bengaluru, Karnataka, India

Encryption

  • OAuth tokens: Google access and refresh tokens are encrypted with AES-GCM (256-bit) before being stored. The encryption key lives in the runtime environment, never in code.
  • In transit: all traffic is TLS 1.2+ (terminated at Cloudflare).
  • At rest: the database is encrypted with AES-256 (Supabase-managed).

OAuth & scopes

We use Google OAuth 2.0 with the minimum scopes required:

  • https://www.googleapis.com/auth/gmail.readonly — read message headers
  • https://www.googleapis.com/auth/gmail.modify — mark messages read / archive on unsubscribe (only when you click)
  • openid, email, profile — sign-in identity

You can revoke access any time from your Google account permissions.

What we read

  • Headers only: From, Subject, Date, List-Unsubscribe, List-Unsubscribe-Post, label IDs.
  • Never: message bodies, attachments, or any inline content.

Data retention

  • Aggregated sender stats: retained while your account is active.
  • Disconnect a Gmail account: stats for that account are purged immediately.
  • Delete your ZenBox account: all rows purged within seconds; backups roll over within 30 days.
  • Local-only mode: aggregated stats are purged from our servers and kept in your browser only.

Authentication

  • Sign-in via Google OAuth (no passwords stored on our side).
  • Sessions use Supabase Auth with short-lived JWTs and rotating refresh tokens.
  • Row-Level Security policies on every table ensure users can only ever see their own data.

Account security extras

The in-app "Account security" dashboard scans every connected email across three independent free providers (HaveIBeenPwned, XposedOrNot, LeakCheck) and surfaces breaches with detailed metadata. We never store the breach lookups themselves, only your "marked as fixed" records.

Responsible disclosure

Found a vulnerability? Email security@utkarshkr.in with reproduction steps. We'll acknowledge within 72 hours and credit you in the fix notes if you'd like.

ZenBox is not yet SOC 2 / ISO 27001 certified. We follow the spirit of those frameworks but don't claim formal certification until an independent audit completes.