Privacy Policy
SweepBox ("we", "our", "us") is a Chrome browser extension that helps you find, unsubscribe from, and clean up mailing-list email in your Gmail inbox. This Privacy Policy explains what data we handle, how, and your rights.
In plain English: everything happens on your own computer. We do not run servers that hold your inbox data. The only third parties that receive any data are Google (so the extension can read your inbox via the official Gmail API) and Stripe (only if you purchase Pro).
Contents
1. Who we are
SweepBox is independently built and operated. For privacy questions: [email protected]
2. What SweepBox does
The extension scans the headers of email in your Gmail inbox to identify mailing-list senders, ranks them by volume, and provides one-click unsubscribe + bulk-delete actions. All scan results and settings are stored on your device, never transmitted to us.
3. Data we handle
| Data | Where it comes from | Where it's stored | Why |
|---|---|---|---|
| Google OAuth token | You, by signing in to Google | Chrome's encrypted local identity store | Required to call the Gmail API on your behalf |
| Email headers (From, Subject, List-Unsubscribe) | Gmail API | In-memory during scan; aggregated results stored locally in chrome.storage.local |
Used to identify senders and unsubscribe links |
| Email message IDs | Gmail API | chrome.storage.local |
Used to bulk-delete messages from selected senders |
| Favicon URLs | Public favicon endpoints (Google s2, brand websites) | chrome.storage.local cache |
Used to display sender logos in the UI |
| Usage counters | Your actions in the extension | chrome.storage.local |
Used to enforce free-tier limits |
| License key (Pro only) | Issued at purchase | chrome.storage.local |
Used to verify your Pro subscription |
| Stripe customer record (Pro only) | Stripe at checkout | Stripe's systems | Used to process payment and issue your license |
We do not store, transmit, or process:
- The full text of your emails (we only request specific headers)
- Your Gmail password (Google handles authentication)
- Any payment card data (Stripe handles all payment information)
- Any data on our servers (the extension has no backend for user data)
4. Google API services — Limited Use disclosure
SweepBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
SweepBox requests the following restricted Google OAuth scopes:
https://www.googleapis.com/auth/gmail.modify— to read email headers (From, Subject, List-Unsubscribe) and move emails to Trash on your behalfhttps://www.googleapis.com/auth/gmail.send— to send unsubscribe emails to senders that only accept email-based unsubscribes (RFC 8058mailto:method)
Data accessed via these scopes is used solely to provide the user-facing inbox-cleanup features described above. It is not transferred to any third party except as necessary to provide those features (i.e., to Google itself), and is not used for advertising, sold, or used to train AI/ML models.
5. Third parties
- Google LLC — Gmail API. Subject to Google's Privacy Policy.
- Stripe, Inc. — Payment processing, used only when you choose to purchase Pro. Subject to Stripe's Privacy Policy. We do not see or store your card details.
- Cloudflare — May process traffic to our domain (sweepbox.app) as our CDN/registrar. Subject to Cloudflare's Privacy Policy.
6. Cookies and tracking
The extension itself does not use cookies, web beacons, analytics SDKs, or any tracking technology. It does not phone home. The extension's account page is a local extension page; it does not embed any third-party scripts.
7. Data retention
All your data stays in your browser until you take one of the following actions:
- Uninstall the extension → all locally stored data is deleted by Chrome
- Click "Wipe local data" in the account page → all scan results, favicon cache, usage counters, and unsubscribe history are cleared (Pro license is preserved)
- Click "Sign out" in the account page → your OAuth token is revoked
We do not retain server-side data because we do not have servers that hold user data. Stripe retains payment records as required by tax/finance law (typically 7 years).
8. Your rights (GDPR / UK GDPR / CCPA)
If you are in the EU/UK/California, you have rights including:
- Access: To see what data SweepBox holds (mostly: nothing — it's all on your device)
- Erasure: To delete your data (click "Wipe local data" or uninstall)
- Portability: To receive your data in machine-readable form
- Objection / restriction: To stop processing
- Complaint: To file a complaint with your local data protection authority (e.g., the ICO in the UK)
To exercise any of these, contact: [email protected]. We will respond within 30 days.
9. Children
SweepBox is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children.
10. International data transfers
Because the extension stores data locally, there are no cross-border transfers initiated by us. Google may process your Gmail data in any country where Google operates, governed by Google's own policies.
11. Security
OAuth tokens are stored in Chrome's encrypted identity store. Other data is held in chrome.storage.local, which is sandboxed to the extension and accessible only to SweepBox. As a free Chrome extension, we cannot guarantee absolute security; we recommend keeping Chrome up to date.
12. Changes to this Policy
We may update this Policy. Material changes will be announced through the extension and a new "Last updated" date. Continued use of SweepBox after such changes constitutes acceptance.
13. Contact
- Privacy questions: [email protected]
- Support: [email protected]
SweepBox is independently built and is not endorsed by, affiliated with, or sponsored by Google LLC. "Gmail" is a trademark of Google LLC.