Security & Privacy

What SBX does not store

"We never store the content of your emails."

SBX reads message metadata (who, when, status) through Microsoft Graph, but does not copy the message body, attachments, or subject line into our database.

What SBX does store (and why)

SBX writes a small set of fields to its own database to power assignment, status, and history. Everything below is retrieved from Microsoft Outlook via Microsoft Graph.

About your account

• Name, user ID, user name, email address — identifies you across the SBX product and your team
• Message IDs, Conversation IDs, Folder IDs — lets SBX attach assignment and status to specific emails without copying the email
• Mail folder IDs — lets SBX move emails between folders
• Subscriptions created by SBX — so SBX can receive change notifications from Microsoft Graph for the mailboxes you connect

About your emails (metadata only)

• IDs — so SBX can recognise the same email next time without storing its content
• Time when email was received — establishes the order in which emails arrived

None of the above includes the body, subject, or attachments of your emails. Those stay in your Microsoft 365 tenant.

About your Microsoft 365 Groups

• Group name, Group ID, email address — identifies the Microsoft 365 Group SBX is operating on
• Member IDs, names, email addresses — lets you assign emails to specific teammates and see who is on the team
• Group conversation IDs — keeps emails synchronized between a member's inbox and the Group inbox

Read from Microsoft when needed — not stored

SBX queries the following fields from Microsoft Graph in real time, as features need them. None of them is written to SBX's database.

About your account

• Timezone — used to display timeline times in your local zone
• Message rules — used with Microsoft 365 Groups to route incoming emails into the right folders

About your emails

• Sender's and receivers' email addresses — tells SBX whether an email was sent to a Microsoft 365 Group, a shared mailbox, or a specific user
• Categories — shared Outlook categories synced across the team, plus SBX's own meta-categories
• ID of a parent folder — tracks where an email currently lives in your mailbox structure
• Whether message is read — used with Microsoft 365 Groups to auto-mark copies of sent emails as read
• Whether message is draft — used to skip drafts so SBX doesn't act on emails still being composed
• Message headers — used to identify the sender and link related emails into conversations

How SBX talks to Microsoft

"We only communicate with Microsoft servers through their API Services (OAuth, Graph API). You can revoke access at any time."

SBX requests permissions through the standard Microsoft OAuth consent flow when you first install the add-in. Your Microsoft 365 administrator can review and revoke these permissions at any time from the Microsoft Entra admin center — no need to email us.

For organizations whose policies prevent granting SBX direct Graph access, we also publish the SBX Adapter — an open-source proxy you can host yourself. You grant Graph permissions to the adapter, and the adapter exposes only the subset of permissions SBX actually uses. Source is on GitHub.

Where your data is hosted

SBX runs on Microsoft Azure, West Europe region (Netherlands), within the European Economic Area (EEA).

Payments

Credit card transactions are processed by Stripe (certified PCI Level 1). SBX does not store credit card details on our servers.

AI

SBX has no AI features today. We don't pass email content, metadata, or any other customer data to large language models or third-party AI services.

Analytics

We use Plausible, self-hosted. No Google Analytics, no cross-site tracking, no third-party cookies on our marketing pages.

Account deletion

You can delete your account at any time by emailing support@sbx.tools. Your account is cancelled and the associated data is removed from our active systems. Some content may remain in our backups for a period not exceeding 90 days, after which it is purged.