Privacy Policy

Email Cheat Code is a product operated by Cuff Technology Solutions, LLC ("us", "we", or "our"). This Privacy Policy covers all interactions with the Email Cheat Code service across the EmailCheatCode.com and WatchMyInbox.com domains.

Last Updated: November 19, 2025

1. The Guiding Principles

• Student is the User: The student retains full control over their account and data.
• Data Minimization: We only request and access the data strictly necessary for the service (read-only access only).
• Security is Built-In: We encrypt sensitive data at rest and actively redact sensitive PII.

2. Information We Collect

We collect only the data required to provide accurate alerts, ensure they arrive at the right time, and allow you to manage your account.

From the Payer (The Subscription Holder):

We recognize the payer may be a parent, guardian, relative, or the student themselves.

• Account Credentials: We store your login email and a secure hash of your password (we never store your actual password) to allow you to access your billing portal.
• Billing Details: We collect your name and email to send billing receipts and account status updates.
• Payment Information: We do not store your full credit card or bank account details. Payments are processed securely by Stripe, our payment processor. We only retain a reference to your subscription and the last 4 digits of your card for identification.
• Student's Contact Info: If gifting a subscription, we collect the student's phone number and email address from you to facilitate their onboarding.

From the Student (The User):

• Account Credentials: We store your login email and a secure hash of your password (we never store your actual password) to allow you to access your student dashboard.
• Primary & Alternate Emails: We collect your .edu email to connect the service. We may also collect a personal email address (e.g., Gmail, iCloud) to serve as a reliable backup delivery channel for weekly digests or urgent alerts.
• Phone Number: We use this to deliver the primary SMS alerts.
• Timezone & Notification Preferences: We collect your local timezone and preferred "Quiet Hours" to ensure compliance with local SMS regulations and to avoid disturbing you during sleep or class times.
• Graduation Date: We use this to automatically end your service 3 months after you graduate.

3. Data From Your Email Account (Metadata & Redaction)

To function without writing to your inbox (we use Read-Only permissions), we must store specific metadata to help you locate messages.

What We Store (Encrypted):

• Email Metadata (Only for Alerts): We store the Sender Address, Email Subject,Date/Time, Labels, Importance Flags, and the unique Gmail Message ID ONLY for the specific messages that match our filters and trigger a notification. We do not store metadata for the rest of your inbox. We use this data to:
  • Display a "History" on your dashboard so you can find the email later.
  • Generate direct links to the specific message (functional on desktop browsers).
  • Help you manually disambiguate messages in your mobile inbox (e.g., "Look for the email from 'Bursar' sent at 4:02 PM").
• AI-Generated Alert Summaries: We do not store the full, raw body of your emails. However, to provide you with actionable context, our system processes email content through an AI service (Claude by Anthropic) to generate short summaries that explain why the email requires your attention.
  • What we store: We store the AI-generated summary text (typically 1-2 sentences) for emails that trigger alerts. Our system may generate and store multiple summary candidates to help refine alert quality over time.
  • Why we store it: To display alert history in your dashboard and provide you with enough context to understand why action is needed - without replacing your inbox or archiving your full emails.
  • Example: For an email with subject "Important Notice" and a long body about parking violations, our AI might generate: "Parking ticket payment due by Friday or late fees apply." We store this summary, not the full email text.
• PII Redaction: Sensitive PII (SSNs, credit card numbers) is automatically detected andredacted from the alert content before it is stored or sent via SMS (e.g., "SSN ***-**-****").
• OAuth Tokens: The secure keys that allow us to scan your inbox are strictly encrypted at rest.

What We NEVER Store:

• We NEVER store the full raw body/content of your emails in our database.
• We NEVER sell your data to third parties.

4. How We Use Data

• Service Delivery (Scanning & Filtering): To execute the core logic, including running the filter classification engine.
• Security and Redaction: To run the PII detection and redaction service and to protect user data (logging failed logins, token management).
• Alert Delivery: To send time-critical SMS alerts via Twilio and the weekly digest via Resend.
• Value Proof & Engagement: To generate and send the weekly digest email and to analyze user engagement metrics (SMS replies, dashboard feedback) to tune and improve filter accuracy.
• Compliance: To manage your account and ensure compliance with legal obligations (e.g., respecting SMS Quiet Hours).

5. The Payer-Privacy Model

If a parent, guardian, or relative pays for the account, we protect the student's autonomy while ensuring the payer knows the service is valuable.

What the Payer CAN See:

• Setup Status: (e.g., "Connected to student@school.edu").
• Service Status: (e.g., "Active" or "Disabled by student").
• Aggregated Usage Metrics: To verify the service is working, payers can see high-level, anonymized statistics, such as "Emails Scanned: 1,200" or "Alerts Sent Last Month: 5". This data is strictly numerical and does not reveal the content, subject, or timing of any specific alert.
• Billing status.

What the Payer can NEVER See:

• The content of any email or alert.
• The student's dashboard or specific alert history.
• Which specific alerts were engaged with or ignored.

6. Sub-processors

We use trusted third-party infrastructure to provide this service:

• Stripe: Payment processing.
• Twilio: SMS delivery.
• Resend: Email delivery (for digests/receipts).
• Supabase: Encrypted database hosting and authentication.
• AWS Lambda: Email scanning and processing infrastructure.
• Anthropic: AI-powered email classification and alert generation (Claude).
• Vercel: Web application hosting.

All sub-processors are bound by strict data protection agreements and are used solely to deliver the service.

7. SMS/Text Messaging Terms

By providing your mobile phone number and opting into our service, you expressly consent to receive SMS text message alerts from us regarding time-critical emails identified by our monitoring system.

Message Frequency & Fees:

• Frequency: Message frequency varies based on your email activity and alert triggers. You may receive multiple messages per day during high-activity periods, or no messages for extended periods.
• Carrier Fees: Message and data rates may apply. Check with your mobile carrier for details on your messaging plan.
• Supported Carriers: Service is available on all major U.S. carriers.

Opt-Out & Help:

• To Stop Messages: Reply STOP to any message to unsubscribe from SMS alerts. You will receive a confirmation message. You may also disable alerts from your student dashboard.
• For Help: Reply HELP for assistance, or contact us at contact@watchmyinbox.com or +1 978 267 0411.

Privacy & Data Sharing:

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Carrier Disclaimer:

Carriers are not liable for delayed or undelivered messages. Message delivery is subject to carrier network availability and other factors outside our control.

8. Children's Privacy (Users Under 18)

Our Service is not intended for use by anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from Children. If we become aware that we have collected Personal Data from a Child without verification of parental consent, we will take steps to remove that information from our servers.

9. Data Deletion

You may delete your account at any time from your dashboard, which permanently wipes your data and tokens from our servers within 30 days.

Additionally, accounts are automatically scheduled for deletion 3 months after the graduation date provided during registration. You will receive email notification 30 days before automatic deletion occurs.

10. Contact and Data Controller Information