OppBox reads your email and your CRM, so this document matters more than most privacy policies. The short version: your mail and CRM content stays in the source systems, AI runs only when you ask, and we store as little as the product allows.
Last updated: 11 June 2026

OppBox is provided by OppBox Limited (Companies House no. 001950), a company incorporated in England and Wales ("OppBox", "we", "us"). UK data protection law (the UK GDPR and the Data Protection Act 2018) applies to our processing.
We wear two hats:
Contact for anything in this policy: [email protected].
Your mailbox and your CRM are never copied into our database. When you open a thread or a deal, OppBox fetches it live from Google or Salesforce, shows it to you, and keeps only the small derived facts it needs.
OppBox is architected around data minimisation. We do not replicate mailbox, calendar or CRM content into our own database. Source data stays in the source systems (your email provider, Salesforce, and any call tools you connect) and is queried live, over your own authorised connections, at the moment it is needed.
OppBox persists exactly three categories of workspace data:
Less stored data means less to breach and less to argue about. The security page describes the controls around what we do store.
We store who you are, what you did in OppBox, and the signals we computed. We access (live, without storing) whatever your connected mailbox, calendar and CRM return when you use the product. When you explicitly ask, OppBox can also write your own edits back to your CRM, never in the background.
"Do not store" means content is processed in memory to serve your request (and excerpts may be sent to subprocessors named in this policy to fulfil it, for example to Anthropic when you request an AI draft) but is not written to OppBox's database.
We process data to run the product you signed up for, to keep it secure, and, only if your workspace turns it on, to enrich business contacts. We don't sell personal data and we don't run ads.
Where we act as controller, we rely on the following lawful bases under the UK GDPR:
Where we act as processor for workspace content, we process on the customer's documented instructions. We do not sell personal data, we do not use your data for advertising, and we do not use mailbox or CRM content to train AI models.
AI runs only when you click the button. The prompt may carry the email and CRM excerpts needed for that request. Anthropic processes it and, under the API terms we use, does not train on it. A human reviews and sends everything.
AI features in OppBox (deal briefs, draft replies, follow-up nudges) run only when a user explicitly invokes them. Nothing is generated automatically in the background, and nothing is ever sent automatically: AI output is presented for human review, editing and an explicit send decision.
When you invoke an AI feature, OppBox sends a prompt to Anthropic via its commercial API. The prompt may include relevant excerpts of email and CRM data needed to fulfil that specific request. Under Anthropic's commercial API terms, this data is not used to train Anthropic's models. AI requests are metered per user for billing and abuse-prevention purposes; the metering records usage volumes, not content.
Google data is used for one thing: showing you your own mail and calendar inside OppBox and the features you invoke on them. Never ads, never sold, never used to train models.
OppBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
The Google user data OppBox accesses:
We do not use Google user data for advertising, do not sell it, and do not use it to train generalised AI or machine-learning models. Humans do not read this data except with your explicit consent (for example, a support request), where necessary for security purposes such as investigating abuse, or where required by law. You can revoke OppBox's access at any time from your Google account permissions or by disconnecting the mailbox in OppBox; either way, our stored tokens are deleted.
If enrichment is enabled for your workspace, we look up business details (title, employer, work email) about the external contacts on your deals via People Data Labs or Clay. Switch it off and the lookups stop.
Where enrichment is enabled for a workspace, OppBox queries People Data Labs and/or Clay to enrich the business contacts that appear on the workspace's deals, for example work email addresses, job titles and employers. This is business-contact data used to give sales teams context on the people in their pipeline; it is not consumer profiling, and no mailbox content is shared with enrichment providers beyond the contact identifiers needed to perform the lookup.
Enrichment runs only where it is enabled for the workspace and can be disabled at any time, which stops further lookups. Clay enrichment additionally requires the workspace to connect its own Clay account; disconnecting it has the same effect.
These are the companies that touch data on our behalf, what they do, and where they are. We're in the UK; most of them are in the US, so UK-approved transfer safeguards apply.
We use the following subprocessors and service providers:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting | US |
| Neon | Postgres database (signals, actions, indices, tokens) | US |
| Nylas | Email and calendar API connectivity | US |
| WorkOS | Authentication and sign-in | US |
| Anthropic | AI processing of user-invoked requests | US |
| | Sign-in identity provider | US |
| Cloudflare | DNS and CDN | US (global network) |
| Resend | Transactional email (account and product notices) | US |
| People Data Labs | Contact enrichment (only if the workspace enables it) | US |
| Clay | Contact enrichment (only if the workspace enables it) | US |
| Gong | Call intelligence (only if the customer connects it) | US |
| Granola | Meeting notes (only if the customer connects it) | US |
We are established in the UK and most of our subprocessors are in the United States, so personal data is transferred from the UK to the US. Where we transfer personal data outside the UK, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with each provider's own safeguards.
We will update this table when subprocessors change; workspace administrators can ask to be notified of changes via [email protected].
We keep the little we store for as long as your account is active. Disconnect an integration and its tokens are deleted immediately. Delete your account and everything we hold is gone within 30 days.
Mailbox, calendar and CRM content needs no retention schedule from us: it was never stored in our systems.
Tokens are encrypted, tenants are isolated by the database itself, traffic is TLS, and every sensitive action is logged append-only. SOC 2 work is underway; we don't claim the badge yet.
Security measures that actually exist, described in more depth on the security page:
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify affected customers and regulators as required by law. Report suspected vulnerabilities to [email protected].
You can get your data, correct it, export it or delete it, mostly self-serve, inside the product. Anything else, email us.
Under the UK GDPR you have the right to access your personal data, to have it rectified, to have it erased, to receive it in a portable format, to restrict or object to certain processing, and to withdraw consent where processing is based on consent. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
The product implements the core rights directly:
For anything not covered in-product, email [email protected] and we will respond within the statutory timescale. Where your data sits in a customer's workspace and we act as processor, we may refer your request to that customer, as the controller, and will assist them in fulfilling it.
For customers and users in California: we do not sell or share personal information as those terms are defined in the CCPA/CPRA, and we have not done so. We act as a service provider with respect to personal information processed in customer workspaces, processing it only to provide the Service. California residents may exercise their rights to know, delete and correct through the channels in section 11.
OppBox is a business tool for working adults. It is not directed at anyone under 18, and we do not knowingly process children's personal data. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.
We may update this policy as the product and the law evolve. The "Last updated" date at the top reflects the current version. For material changes (a new category of stored data, a new subprocessor handling content, a change to the AI posture) we will notify workspace administrators by email or in-product notice before the change takes effect.
Privacy questions, rights requests, DPA requests: [email protected].
Postal address: OppBox Limited, registered office as shown at Companies House (no. 001950).