Watch My Inbox

Privacy Policy

Email Cheat Code is a product operated by Cuff Technology Solutions, LLC ("us", "we", or "our"). This Privacy Policy covers all interactions with the Email Cheat Code service across the EmailCheatCode.com and WatchMyInbox.com domains.

Last Updated: December 31, 2025

Your trust is the foundation of our service. Our platform is built on the principle of "minimum permissions" and "minimum data." We are a tool to help you manage your inbox, not a service that monetizes your data.

1. The Guiding Principles

  • You Control Your Data: You retain full control over your account and data.
  • Data Minimization: We only request and access the data strictly necessary for the service (read-only access only).
  • Security is Built-In: We encrypt sensitive data at rest and actively redact sensitive PII.

2. Information We Collect

We collect only the data required to provide accurate alerts, ensure they arrive at the right time, and allow you to manage your account.

From the Payer (The Subscription Holder):

We recognize the payer may be a family member, colleague, or the account holder themselves.

  • Account Credentials: We store your login email and a secure hash of your password (we never store your actual password) to allow you to access your billing portal.
  • Billing Details: We collect your name and email to send billing receipts and account status updates.
  • Payment Information: We do not store your full credit card or bank account details. Payments are processed securely by Stripe, our payment processor. We only retain a reference to your subscription and the last 4 digits of your card for identification.
  • Student's Contact Info: If gifting a subscription, we collect the student's phone number and email address from you to facilitate their onboarding.

From You (The User):

  • Account Credentials: We store your login email and a secure hash of your password (we never store your actual password) to allow you to access your student dashboard.
  • Primary & Alternate Emails: We collect your institutional, personal, or work email to connect the service. We may also collect an alternate email address (e.g., Gmail, iCloud) to serve as a reliable backup delivery channel for weekly digests or urgent alerts.
  • Phone Number: We use this to deliver the primary SMS alerts.
  • Timezone & Notification Preferences: We collect your local timezone and preferred "Quiet Hours" to ensure compliance with local SMS regulations and to avoid disturbing you during sleep or class times.
  • Planned End Date: You may optionally provide a planned end date (e.g., graduation, contract end, role change) to automatically schedule service termination.

3. Data From Your Email Account (Metadata & Redaction)

To function without writing to your inbox (we use Read-Only permissions), we must store specific metadata to help you locate messages.

What We Store (Encrypted):

  • Email Metadata (Only for Alerts): We store the Sender Address (display name and email), Recipient Email (To field), Email Subject, Date/Time, Read/Unread Status, Labels, Importance Flags, and the unique Gmail Message ID ONLY for the specific messages that match our filters and trigger a notification. We do not store metadata for the rest of your inbox. We use this data to:
    • Display a "History" on your dashboard so you can find the email later.
    • Generate direct links to the specific message (functional on desktop browsers).
    • Help you manually disambiguate messages in your mobile inbox (e.g., "Look for the email from 'Bursar' sent at 4:02 PM").
  • AI-Generated Alert Summaries: We do not store the full, raw body of your emails. However, to provide you with actionable context, our system processes email content through an AI service (Claude by Anthropic) to generate short summaries that explain why the email requires your attention.
    • What we store: We store the AI-generated summary text (typically 1-2 sentences) for emails that trigger alerts. Our system may generate and store multiple summary candidates to help refine alert quality over time.
    • Why we store it: To display alert history in your dashboard and provide you with enough context to understand why action is needed - without replacing your inbox or archiving your full emails.
    • Example: For an email with subject "Important Notice" and a long body about parking violations, our AI might generate: "Parking ticket payment due by Friday or late fees apply." We store this summary, not the full email text.
  • PII Redaction: Sensitive PII (SSNs, credit card numbers) is automatically detected and redacted from the alert content before it is stored or sent via SMS (e.g., "SSN ***-**-****").
  • OAuth Tokens: The secure keys that allow us to scan your inbox are strictly encrypted at rest.

What We NEVER Store:

  • We NEVER store the full raw body/content of your emails in our database.
  • We NEVER sell your data to third parties.

We're Not Your Email Archive

Our purpose is to help you catch time-critical emails, not to replace or archive your inbox. We only store the minimal metadata and AI-generated summaries needed to show you alert history and provide context for action. Your email inbox remains your source of truth for all email content.

4. How We Use Data

  • Service Delivery (Scanning & Filtering): To execute the core logic, including running the filter classification engine.
  • Security and Redaction: To run the PII detection and redaction service and to protect user data (logging failed logins, token management).
  • Alert Delivery: To send time-critical SMS alerts via Twilio and the weekly digest via Resend.
  • Value Proof & Engagement: To generate and send the weekly digest email and to analyze user engagement metrics (SMS replies, dashboard feedback) to tune and improve filter accuracy.
  • Compliance: To manage your account and ensure compliance with legal obligations (e.g., respecting SMS Quiet Hours).

5. The Payer-Privacy Model

If someone other than the account user pays for the service (e.g., family member, employer, sponsor), we protect the user's privacy while ensuring the payer knows the service is valuable.

What the Payer CAN See:

  • Setup Status: (e.g., "Connected to user@example.com").
  • Service Status: (e.g., "Active" or "Disabled by student").
  • Aggregated Usage Metrics: To verify the service is working, payers can see high-level, anonymized statistics, such as "Emails Scanned: 1,200" or "Alerts Sent Last Month: 5". This data is strictly numerical and does not reveal the content, subject, or timing of any specific alert.
  • Billing status.

What the Payer can NEVER See:

  • The content of any email or alert.
  • The user's dashboard or specific alert history.
  • Which specific alerts were engaged with or ignored.

6. Sub-processors

We use trusted third-party infrastructure to provide this service:

  • Stripe: Payment processing.
  • Twilio: SMS delivery.
  • Resend: Email delivery (for digests/receipts).
  • Supabase: Encrypted database hosting and authentication.
  • AWS Lambda: Email scanning and processing infrastructure.
  • Anthropic: AI-powered email classification and alert generation (Claude).
  • Vercel: Web application hosting.

All sub-processors are bound by strict data protection agreements and are used solely to deliver the service.

7. SMS/Text Messaging Terms

By providing your mobile phone number and opting into our service, you expressly consent to receive SMS text message alerts from us regarding time-critical emails identified by our monitoring system.

Message Frequency & Fees:

  • Frequency: Message frequency varies based on your email activity and alert triggers. You may receive multiple messages per day during high-activity periods, or no messages for extended periods.
  • Carrier Fees: Message and data rates may apply. Check with your mobile carrier for details on your messaging plan.
  • Supported Carriers: Service is available on all major U.S. carriers.

Opt-Out & Help:

  • To Stop Messages: Reply STOP to any message to unsubscribe from SMS alerts. You will receive a confirmation message. You may also disable alerts from your student dashboard.
  • For Help: Reply HELP for assistance, or contact us at contact@watchmyinbox.com or +1 978 267 0411.

Privacy & Data Sharing:

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Carrier Disclaimer:

Carriers are not liable for delayed or undelivered messages. Message delivery is subject to carrier network availability and other factors outside our control.

8. Children's Privacy (Users Under 18)

Our Service is not intended for use by anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from Children. If we become aware that we have collected Personal Data from a Child without verification of parental consent, we will take steps to remove that information from our servers.

9. Data Deletion

Disconnecting Your Email Account

You can disconnect your Gmail account at any time from your Settings page. When you disconnect:

  • We immediately revoke your OAuth token with your email provider (Google), which prevents us from accessing your email.
  • We stop all future scans and alerts.
  • We preserve your connection record in our database for security audit purposes. Your encrypted OAuth tokens remain stored but are revoked and cannot be used to access your email.
  • You can choose to keep or delete your alert history:
    • Keep alert history: Your past alerts and other metadata related to inbox scans (such as mailbox statistics) remain visible in your dashboard for reference. When you reconnect, monitoring continues from where it left off (incremental scanning).
    • Delete alert history: All past alerts and metadata related to inbox scans are permanently deleted. This includes alert notifications and mailbox statistics captured during scans. When you reconnect, you get a fresh start with a new mailbox scan (same as connecting for the first time).

    Note: Some data must be retained for legal compliance and audit purposes. We retain consent and opt-out records, and operational messaging logs, only as long as reasonably necessary to operate the service, comply with applicable law and carrier requirements, resolve disputes, and enforce agreements.

Deleting Your Account

You may delete your account at any time from your dashboard, which permanently wipes your data and tokens from our servers within 30 days.

Additionally, if you provide a planned end date during registration, your account is automatically scheduled for deletion 3 months after that date, unless you extend your service or opt out of automatic deletion. You will receive an email notification 30 days before automatic deletion occurs.

Complete Data Deletion Requests

To request complete deletion of all your data, including connection records and audit logs, please contact us at contact@watchmyinbox.com. We will process your request within 30 days.

10. Contact and Data Controller Information

Data Controller:

Cuff Technology Solutions, LLC

Official Mailing Address for Legal and Formal Correspondence:

23 Willow St
West Harwich, MA 02671

Data Protection & General Inquiries:

Email: contact@watchmyinbox.com

Phone: +1 978 267 0411