Privacy Policy for Pebox
Last updated: June 23, 2026
Pebox ("the app", "we", "us") is an offline-first mobile application that lets you access your Google and Microsoft accounts — mail, contacts, calendar, tasks, files, and notes — behind a single, unified interface.
This Privacy Policy explains what data the app handles, how it is stored, and who it is shared with. The short version: Pebox has no servers of its own. Your data stays on your device and travels only between your device and the Google/Microsoft services you sign in to.
1. Who operates Pebox
Pebox is a client application that runs entirely on your device. We do not operate any backend server, database, or analytics service that receives your account data. We never see, collect, or store your email, contacts, files, or any other content.
If you have questions about this policy, contact the developer at: contact@matrix.works
2. Data the app accesses
When you add a Google or Microsoft account, you grant Pebox permission (via the provider's standard OAuth consent screen) to access the following, depending on which feature modules you use:
| Category | What it includes | Provider permissions requested |
|---|---|---|
| Account identity | Your name, email address, and profile photo | Google profile/email · Microsoft User.Read |
| Messages, threads, folders/labels, attachments; sending mail; sender allow/block rules | Gmail gmail.modify, gmail.labels, gmail.settings.basic · Microsoft Mail.ReadWrite, Mail.Send | |
| Contacts | Your contacts and their details | Google contacts · Microsoft Contacts.ReadWrite |
| Calendar | Calendar events | Google calendar.events · Microsoft Calendars.ReadWrite |
| Tasks | Task lists and items | Google tasks · Microsoft Tasks.ReadWrite |
| Files | Drive / OneDrive files and their contents | Google drive · Microsoft Files.ReadWrite |
| Notes | Google Keep (Workspace accounts only) / OneNote | Google keep · Microsoft Notes.ReadWrite |
The app only requests the scopes needed for the modules available to your account. The Google Keep scope, for example, is requested only for Google Workspace accounts that support it.
The app's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. How your data is stored
Pebox is offline-first. To work without a connection and to load quickly, the app keeps a local copy of your data on your device:
- Local cache — Your mail, contacts, calendar, tasks, files metadata, notes, and cached file/attachment bytes are stored in a local SQLite database (
cache.db) and an on-disk blob cache within the app's private storage. Each signed-in account's data is isolated by account. - Authentication tokens — OAuth access and refresh tokens are stored using the platform's secure storage (
flutter_secure_storage, backed by the Android Keystore / iOS Keychain). They are used only to authenticate your requests to Google and Microsoft.
All of this data lives only on your device. It is not uploaded to us or to any third party other than the Google/Microsoft services you connect to.
4. How your data is transmitted
The app communicates directly with the official Google and Microsoft APIs over encrypted HTTPS connections:
- Google:
googleapis.comservices (Gmail, People, Calendar, Tasks, Drive, Keep) and Google's OAuth endpoints. - Microsoft:
graph.microsoft.comandlogin.microsoftonline.com.
There is no intermediary server operated by Pebox. Data sent to these providers is subject to their respective privacy policies:
5. Device permissions
Depending on the features you use, the app may ask for the following device permissions:
- Camera — to scan QR codes (e.g., for sharing) and to attach photos.
- Photos / Files — to pick images and files to attach or upload.
- Notifications — to alert you about new incoming mail. The app checks your signed-in inboxes in the background and shows OS notifications locally; notification content is not sent anywhere.
- Network / connectivity — to sync with Google and Microsoft and to detect when you are back online.
You can grant or revoke these permissions at any time in your device settings.
6. Data sharing
We do not sell, rent, or share your data with any third party. Pebox contains no advertising SDKs, no analytics or tracking SDKs, and no third-party data collectors. The only external parties your data reaches are Google and Microsoft, and only because you explicitly signed in to those accounts.
7. Data retention and deletion
Because your data is stored locally, you control it directly:
- Remove an account — Removing an account from Pebox deletes that account's cached data and stored tokens from your device.
- Uninstall the app — Uninstalling Pebox removes all local caches, blob storage, and stored tokens from your device.
- Revoke access — You can revoke Pebox's access to your account at any time from your Google Account permissions or Microsoft account apps page.
Data held by Google and Microsoft is retained and deleted according to their own policies.
8. Children's privacy
Pebox is not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction) and we do not knowingly collect data from them.
9. Security
Authentication tokens are kept in the platform's secure storage, and all network traffic uses HTTPS. However, no method of electronic storage or transmission is completely secure. The security of your data also depends on keeping your device and its operating system secure (e.g., screen lock, OS updates).
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, within the app.
11. Contact
For questions or requests regarding this Privacy Policy, contact:
contact@matrix.works
Pebox