Privacy Policy

Last updated 2026-04-27 · Effective v1.10.1+ · Cloud AI BYOK v1.11.0+ · Connected Services v1.12.0+

Plain-language summary

CueInbox is built around a single commitment: your notifications never leave your phone. The on-device AI reads them, prioritises them, drafts replies — all locally, without sending message content to us or any third party.

We collect only the minimum required to keep the app running: anonymous crash reports and aggregated app-performance signals via Firebase. You can turn those off.

We do not sell, rent, or license any data to anyone.

1. What CueInbox processes, and where

1.1 Notifications — on-device only

When you enable Notification Access, Android delivers every notification posted on your phone to CueInbox. The app extracts the title, body, sender, timestamp, and Person URIs, runs them through an on-device AI model (Gemma-4 E2B, running entirely inside your device with litert-lm) to infer priority and draft replies, and stores a compact version in the app's local Room database, protected by Android app-sandbox permissions.

None of this content is transmitted off your device. No servers, no cloud inference, no logs of your message text leave the phone.

1.2 Voice recordings — on-device only

When you tap the microphone to dictate a reply, the recording is captured into memory, passed to the same on-device model for transcription, and discarded. No audio file is written to disk or uploaded anywhere.

1.3 Model file — downloaded from HuggingFace

On first launch, CueInbox downloads the Gemma-4 E2B model (≈ 2.5 GB) from huggingface.co/litert-community/…. This is a one-time download of a public open-weight model — no personal data leaves your device during that download.

1.4 Optional cloud reasoning (BYOK, off by default, v1.11.0+)

Starting in v1.11.0 you can optionally enable a "Cloud AI" path that sends selected message text to a third-party cloud LLM (e.g. via OpenRouter, which fronts Gemini, Claude, GPT, Kimi, and others). This path is:

Off by default. You must explicitly enable it in Settings → Cloud AI, then accept a first-use disclosure dialog.
Bring your own API key. You provide your own key from the cloud provider. CueInbox does not relay traffic through our servers — your provider is the third-party processor under their terms.
PII redacted before send. Email addresses, phone numbers, IBAN, SSN, and credit-card-shaped digits are replaced with opaque tokens (<email_1>, <phone_1>, …) before any byte leaves your phone. The reverse mapping is held in process memory only and discarded after the model's response is rendered.
Daily cost cap. You set a USD-per-day cap. Above the cap the app falls back to local Gemma or refuses the request — never burns through silently.
API key stored in Android Keystore. Your key is encrypted with AES/GCM/NoPadding under a hardware-backed key (where available) that never leaves the secure element.
Off-switch is one tap. Disabling cloud is immediate and doesn't ask for confirmation.

When cloud is off, none of this applies — the app is functionally identical to v1.10 and below: fully on-device.

1.5 Connected services (Phase 3, v1.12.0+)

Starting in v1.12.0 you can connect third-party services so CueInbox can surface a synthesized "what needs your attention" digest pulled across systems your team uses (e.g. GitHub, Linear, Jira, Slack, Gmail, Google Calendar, Stripe, HubSpot, Sentry, Grafana Cloud, PagerDuty, Vercel). The privacy posture is unchanged from v1.10:

OAuth tokens never leave your device. Stored in Android Keystore using the same hardware-backed encryption that protects your Cloud AI BYOK key.
Provider data is read directly to the device. The app polls each service's API from your phone every 15 minutes (battery- and Doze-aware) and processes the response on-device. Nothing is forwarded to a server we operate.
Stateless webhook relay for real-time alerts. For paging-grade signals (e.g. Sentry / Grafana incidents) the provider's webhook is delivered to a thin Cloudflare Worker we operate. The relay receives the webhook, does not parse its body, and sends a content-free {"type":"poll-now"} push notification to your device. Your phone then polls the originating provider directly. The relay's only state is (tenant token → FCM device token) — it has no access to provider tokens or webhook contents. Source code is published.
On-device extraction only. When we detect signals (e.g. escalation keywords in a Slack channel, a critical PR merged, a Stripe chargeback spike), the extraction runs in the app process. Email and message bodies are scanned and discarded; only the resulting signal (channel/sender/timestamp/keyword_count) is persisted in the on-device database.
Read-only, narrowest-scope OAuth. Each provider is asked for the minimum scope sufficient for the signal type. We never request modify, send, or write scopes.

Specifically, by service (v1.12.0+)

Gmail (gmail.readonly): we poll the Gmail History API delta to detect escalation keywords ("blocked", "urgent", "rolling back", "customer-facing") in threads from senders you mark as executive-relevant. Detection runs on-device. Email bodies are scanned and immediately discarded; only the resulting signal (threadId, sender, keyword_count, timestamp) is persisted on your device.

Google Calendar (calendar.readonly, calendar.events.readonly): we poll the Calendar incremental sync API to detect meeting-density anomalies, declined critical meetings, and no-shows on owner-of-blocking-issue meetings. Calendar event metadata is processed on-device.

GitHub, Linear, Jira, Vercel (Execution layer — read-only): pull requests, issues, deployment events, CI runs. Used to surface release-blocking work and unhealthy deploys.

Slack (channels:history, channels:read, users:read, team:read): channels you choose to watch, escalation-keyword detection, decision-maker-engagement signal. Message bodies are scanned on-device only.

Sentry, Grafana Cloud, PagerDuty (Risk layer — read-only): incidents, monitor states, error spikes. Used for paging-grade alerts.

Stripe, HubSpot (Revenue layer — read-only): events, deal pipeline, conversion deltas. Used for impact-estimated revenue signals.

You can disconnect any service at any time in Settings → Connected Sources → Disconnect. Disconnecting calls the provider's revoke endpoint and wipes the local OAuth tokens. Settings → Privacy & data → Wipe everything revokes every connected service in one tap and deletes all on-device data.

2. What we collect (and why)

2.1 Anonymous crash reports

We use Firebase Crashlytics to receive stack traces when the app crashes. A crash report contains:

The Kotlin / native stack trace at the time of crash.
Device model, Android version, app version.
A Firebase-assigned Installation ID — a pseudonymous identifier that cannot be traced back to you without cooperation from Google.

A crash report does NOT contain your notifications, messages, contacts, voice recordings, or draft replies.

You can disable crash reporting in Settings → Privacy → Crash reporting.

2.2 App-performance telemetry (optional)

We emit a small number of event names (e.g. voice_reply_transcribed, triage_moved_bucket) with no user content attached — just the event name plus build version — so we can see which features are actually used. Disabled by the same Settings toggle as crash reporting.

2.3 What we explicitly do NOT collect

Notification content, titles, bodies, sender names.
Contact book.
Message transcripts (voice or text).
Location.
Advertising identifiers.
Email / phone / account.

CueInbox has no user accounts and does not ask you to sign in.

3. Permissions and what we use them for

Permission	Why
`BIND_NOTIFICATION_LISTENER_SERVICE`	Core functionality: read notifications to triage them.
`RECORD_AUDIO`	Voice dictation of reply drafts. Only active while you are actively recording.
`POST_NOTIFICATIONS`	Show reminders you set yourself and model-download progress.
`INTERNET`	Download the Gemma model on first run and check for app updates. No personal data transmitted.
`FOREGROUND_SERVICE`	Keep the model-download process alive on first-run.
`RECEIVE_BOOT_COMPLETED`	Restore pending reminders after a phone reboot.
`WAKE_LOCK`	Fire scheduled reminders on time.

4. Data retention and deletion

Everything CueInbox processes locally is stored in the app's private Room database.
Uninstalling the app deletes all local data, including drafts, triage history, and cached model.
Crash reports in Firebase are retained for 90 days by default, then deleted by Google.
You can request earlier deletion of your Firebase Installation ID's reports by emailing us.

5. Third-party services

Service	Purpose	Data seen
Google Firebase (Crashlytics, App Distribution)	Crash reports, beta distribution	Crash stack, pseudonymous install ID, device info
HuggingFace	One-time model download	Public-asset HTTPS GET, user IP

CueInbox does not use any advertising SDKs, analytics SDKs beyond Firebase, or social-tracking SDKs.

6. Children

CueInbox is not directed at children under 13 and we do not knowingly collect any information from them. If you believe a child has installed CueInbox, uninstalling the app removes all local data.

7. Contact

Questions, concerns, deletion requests:

Email: privacy@cueinbox.com
GitHub: cueinbox-android/issues

We respond within 7 working days.

8. Changes to this policy

If we change this policy we will update the "Last updated" date at the top and, for any material change, show a one-time in-app notice in the next app update.