Privacy Policy
Last updated: April 11, 2026
1. Information We Collect
When you use Incoho, we collect the following information:
- Account information: Your email address, business name, and password when you create an account.
- Email credentials: IMAP and SMTP credentials for your connected email accounts. These are encrypted at rest using Supabase Vault (pgsodium Transparent Column Encryption). If you connect via Google OAuth, we store an encrypted OAuth refresh token instead of a password.
- Google user data: If you connect a Gmail or Google Workspace account via Google OAuth, we request the minimum-necessary gmail.readonly and gmail.send scopes. This allows Incoho to read incoming customer emails and send approved replies on your behalf via the Gmail API. We do not access any other Google services (Drive, Calendar, Contacts, etc.), and we cannot modify, delete, or permanently remove any email in your mailbox.
- Email content: Incoming customer emails are processed by our AI to classify and draft replies. We store email metadata and content temporarily for processing.
- Knowledge base data: Store policies, FAQs, and other information you provide to help the AI draft accurate replies.
- Billing information: Payment details are processed and stored by Stripe. We do not store your credit card information directly.
2. How We Use Your Information
- To classify incoming emails using AI (Anthropic Claude) and generate draft replies based on your knowledge base.
- To send approved replies on your behalf (via the Gmail API for Gmail/Google Workspace accounts, or SMTP for other providers).
- To manage your account, process payments, and provide customer support.
- To improve our service and develop new features.
3. Google API Services Usage Disclosure
Incoho's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What we access
When you connect a Gmail or Google Workspace account, we request only the narrow https://www.googleapis.com/auth/gmail.readonly and https://www.googleapis.com/auth/gmail.send OAuth scopes. These are the minimum scopes required to classify incoming customer emails and send approved replies on your behalf via the Gmail API. We cannot modify, delete, or permanently remove any email in your mailbox, and we do not request access to any other Google services.
How we use it
- Reading emails: We read incoming emails from your connected inbox to classify them by category (e.g., returns, shipping, order status) and generate draft replies using AI.
- Sending emails: When you approve a draft reply (or enable auto-send for high-confidence responses), we send the reply via the Gmail API through your connected Gmail account.
How we store it
OAuth refresh tokens are encrypted at rest using Supabase Vault (pgsodium Transparent Column Encryption). Email content is stored temporarily for processing and retained for up to 90 days for your workflow and analytics. We do not store raw email content beyond what is necessary to provide the service.
How we share it
Email content is shared with Anthropic (Claude API) solely for the purpose of AI classification and draft generation. Anthropic does not use this data to train their models. We do not sell, rent, or share your Google user data with any other third parties, except as required by law.
Revoking access
You can disconnect your Google account at any time from the Settings > Accounts page in your dashboard. You can also revoke Incoho's access directly from your Google Account permissions. Upon disconnection, your stored OAuth tokens are permanently deleted.
4. Data Retention
Email task data (classifications, drafts, and metadata) is retained for 90 days to support your workflow and analytics. You can request deletion of your data at any time. When you delete your account, all associated data is permanently removed within 30 days.
5. Third-Party Services
We use the following third-party services to operate Incoho:
- Supabase: Database hosting, authentication, and encrypted credential storage.
- Anthropic: AI email classification and reply drafting (Claude API). Email content is sent to Anthropic for processing but is not used to train their models.
- Stripe: Payment processing and subscription management.
- Resend: Transactional emails (welcome emails, notifications).
- Vercel: Application hosting and deployment.
6. Data Security
We take data security seriously. Email credentials are encrypted using Supabase Vault with pgsodium Transparent Column Encryption. All data is transmitted over HTTPS. We use Row Level Security (RLS) to ensure merchants can only access their own data.
7. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data and account.
- Export your data in a portable format.
- Withdraw consent for data processing at any time by disconnecting your email accounts or deleting your account.
8. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at support@incoho.ai.