Privacy Policy

Effective date: March 20, 2026  ·  Last updated: March 20, 2026

1. Introduction

This Privacy Policy describes how Nimbus.io, LLC (“Nimbus,” “we,” “us,” or “our”) collects, uses, shares, and protects your information when you use Cheddar Inbox (the “Service”), including our website, dashboard, and related tools. By using Cheddar Inbox, you agree to the practices described in this policy.

If you have questions about this Privacy Policy, please contact us at cheddarinbox@gmail.com or through our in-app support chat, accessible from your dashboard.

2. Information We Collect

2.1 Account Information

When you sign up via Google OAuth, we collect your email address, display name, and locale as provided by Google's authentication flow. We do not collect or store your Google password.

2.2 Gmail Data

When you connect your Gmail account, we access message metadata (sender, recipient, subject lines, timestamps, labels), your inbox label structure, and the ability to send, reply, label, archive, and read messages on your behalf. We access message content only to the extent necessary to operate the inbox optimization service.

2.3 OAuth Tokens

We store your Google OAuth refresh token in our database, encrypted at rest using AES-256 encryption. This token allows the Service to operate on your behalf while you are offline. Access tokens expire after one hour, are never persisted to disk, and are held only in server memory during active operations. Refresh tokens are rotated automatically when Google issues a new one.

2.4 Usage Data

We record actions performed through your connected account, including emails sent, replies generated, labels applied, messages archived, timestamps of all activities, and rewards attributed to your account.

2.5 Device and Browser Information

We collect your IP address, user agent string, browser type, and device identifiers for security purposes, fraud prevention, and to protect the integrity of the network. This information is not used for advertising or profiling.

3. How We Use Your Information

We use the information we collect exclusively to operate and improve the Service:

• Operating the inbox health service — monitoring email engagement patterns and inbox health metrics for verified network participants.
• Managing labels and archiving — creating and maintaining a “Cheddar Inbox” label in your Gmail where service-related threads are organized, keeping your primary inbox clean.
• Scoring inbox quality — analyzing metadata across six dimensions (account age, message volume, geographic signal, provider reputation, activity patterns, network participation) to assign your tier and reward rate.
• Tracking and calculating rewards — recording each qualifying activity to calculate your rewards accurately.
• Fraud prevention and security — monitoring for abusive behavior, unauthorized access, and manipulation of quality scores to protect the network and all participants.

4. Google User Data Disclosure

4.1 How We Access Google User Data

We access Google user data exclusively through Google's OAuth 2.0 authorization flow. Upon your explicit consent, we request access to your Gmail account using the gmail.modify and userinfo.email scopes. We access message metadata (sender, recipient, subject, timestamps, labels) and message content only as necessary to operate the inbox optimization service described in Section 3.

4.2 How We Use Google User Data

Google user data is used solely to provide the core features of Cheddar Inbox: sending and replying to emails within the engagement network, creating and managing labels, archiving messages, reading message metadata for scoring purposes, and marking messages as read.

4.3 How We Store Google User Data

OAuth refresh tokens are stored in our PostgreSQL database, encrypted at rest using AES-256. Access tokens expire after one hour and are never persisted to disk — they are held only in server memory during active operations. Message metadata used for scoring is stored in our database. We do not store the full content of your emails.

4.4 How We Share Google User Data

We do NOT share Google user data with any third party, except our infrastructure providers (Railway for hosting, Cloudflare for CDN/DNS) who process data solely on our behalf to operate the Service. Google user data is never sold, rented, or provided to third parties for their own purposes.

4.5 Limited Use Compliance

• We access Gmail data only for the stated inbox optimization purposes described in this policy.
• We do NOT read email content for advertising, marketing profiling, or any purpose unrelated to the Service.
• We do NOT sell, rent, or share Gmail data with third parties for their own purposes.
• We do NOT use Gmail data for purposes unrelated to providing and improving the Service.
• We do NOT allow humans to read your email content, except where required by law, necessary for security investigations, or with your explicit consent.
• We do NOT send emails to your personal contacts or anyone outside the Cheddar Inbox verification network.

5. Data Sharing

We do not sell your personal data. We may share information in the following limited circumstances:

• Service providers — we use Railway for backend infrastructure and database hosting, and Cloudflare for CDN and DNS services. These providers process data only as necessary to operate the Service on our behalf.
• Legal requirements — we may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers — in the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6. Data Security

We implement industry-standard security measures to protect your data:

• AES-256 encryption for all stored OAuth tokens and sensitive credentials.
• HTTPS/TLS encryption for all data in transit between your browser, our servers, and third-party APIs.
• Access controls limiting who within our organization can access user data, with audit logging of all access events.
• Regular security assessments to identify and remediate vulnerabilities in our infrastructure.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately through the in-app support chat.

7. Data Retention

• Active accounts — your data is retained for as long as your account remains active and your inbox is connected to the Service.
• Deleted accounts — upon account deletion or disconnection request, all personal data (including stored OAuth tokens) is permanently removed within 30 days.
• Aggregated analytics — anonymized, aggregated data that cannot be used to identify you may be retained indefinitely for service improvement and network analysis purposes.

8. Your Rights

8.1 General Rights (All Users)

• Right to access — request a copy of the personal data we hold about you.
• Right to correction — request that we correct inaccurate personal data.
• Right to deletion — request that we delete your personal data.
• Right to data portability — request your data in a structured, machine-readable format.
• Right to withdraw consent — disconnect your Gmail account at any time from the dashboard or from your Google Account Permissions page.
• Right to object — object to certain types of data processing.

8.2 European Union Residents (GDPR)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data is your consent (provided when you connect your Gmail account) and legitimate interest (operating and securing the Service).

8.3 California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us through the in-app support chat. We will respond within 30 days.

9. Children's Privacy

Cheddar Inbox is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us through the in-app support chat.

10. International Data Transfers

Cheddar Inbox is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your country of residence.

11. Cookies and Tracking

Cheddar Inbox uses session cookies only, managed via iron-session. These cookies are strictly necessary to maintain your authenticated session and do not track you across websites.

• We do NOT use advertising cookies.
• We do NOT use third-party tracking cookies.
• We do NOT use third-party analytics services (e.g., Google Analytics).
• We do NOT participate in ad networks or retargeting programs.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email to the address associated with your account. The “Last updated” date at the top of this page indicates when the policy was most recently revised. Continued use of Cheddar Inbox after changes become effective constitutes acceptance of the updated policy.

13. Contact

For all privacy-related inquiries, please contact us at cheddarinbox@gmail.com or through the in-app support chat accessible from your Cheddar Inbox dashboard.