Privacy Policy
Last Updated: April 10, 2026 | Effective Date: April 10, 2026
1. Introduction and Who We Are
This Privacy Policy explains how DigiTrans Consultants W.L.L ("Company", "we", "us", or "our"), the operator of CORAIBOX, collects, uses, stores, shares, and protects your personal data when you use our Service. We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner, in compliance with the Kingdom of Bahrain's Personal Data Protection Law (PDPL) and, where applicable, the European Union's General Data Protection Regulation (GDPR).
Data Controller
For your account information, authentication data, and usage patterns, DigiTrans Consultants W.L.L acts as the data controller.
Data Processor
For personal data contained in your emails that you submit to CORAIBOX, we act as a data processor on your behalf.
2. Data We Collect
2.1 Account and Identity Data
When you register, we collect your email address, display name, and (if you use Google OAuth) your Google account profile information including your name and profile picture URL. We store a hashed version of your password — we never store your password in plain text. We also record your preferred interface language (e.g., English or Polish) at the time of registration to personalise your experience.
2.2 Email Account Credentials
To connect your email accounts, you provide IMAP credentials (email address, password or app-specific password, IMAP server hostname, and port). These credentials are stored in encrypted form and are used solely to access your email accounts on your behalf.
2.3 Email Content and Metadata
When you run the AI triage engine, the Service accesses your unread emails and processes: sender and recipient email addresses, email subject lines, email body text, timestamps, message IDs, folder/label names, and thread context (up to the last 3–5 messages in a thread). This data is processed to deliver AI classification, task extraction, and briefing features.
2.4 Triage and Activity Data
We store records of AI triage decisions (keep/archive), the reasons provided by the AI, tasks extracted from emails, prompt profiles and their version history, your feedback on triage decisions (restore-to-inbox reasons), and Training Mode data — including the training notes you write when correcting AI decisions and the timestamps of those corrections. Training notes are used solely to refine your personal triage prompt and are never shared with third parties or used to train AI models.
2.5 Subscription and Billing Data
We collect and store your subscription plan, billing history, and plan change records. Payment processing is handled by our third-party payment processor. We do not store full payment card numbers or bank account details.
2.6 Integration Data
If you connect Slack or Discord integrations, we store the webhook URLs you provide. These are used solely to send notifications to your designated channels.
2.7 Usage and Technical Data
We automatically collect certain technical data when you use the Service, including your IP address, browser type and version, operating system, device type, pages visited, features used, and timestamps of interactions.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract |
| AI email triage, task extraction, and briefings | Performance of contract / Legitimate interests |
| Account authentication and security | Performance of contract / Legitimate interests |
| Subscription management and billing | Performance of contract / Legal obligation |
| Sending service notifications and updates | Performance of contract / Legitimate interests |
| Slack/Discord integration notifications | Performance of contract |
| Improving and developing the Service | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Responding to support requests | Legitimate interests / Performance of contract |
We do not use your email content to train AI models, build advertising profiles, or sell your data to third parties.
4. AI Processing and Large Language Models
CORAIBOX uses third-party large language model (LLM) providers to power its AI triage, task extraction, and briefing features. When you run the AI triage engine, email content and metadata are transmitted to these providers' APIs.
Our AI data commitments:
- Our AI providers operate under zero-data-retention policies for customer data submitted via their APIs
- Your email content is not used to train the AI provider's models
- Email content is processed only to deliver the specific feature you requested
- You can customize AI behavior through prompt profiles stored in our database
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share your data only in the following circumstances:
AI Model Providers
Email content and metadata are shared with our LLM provider(s) to deliver AI features, under strict data processing agreements that prohibit model training on customer data.
Payment Processor
Billing and subscription data is shared with our payment processing platform (CORAI) to manage your subscription and invoices.
Google (OAuth)
If you sign in with Google, your authentication is handled by Google's OAuth 2.0 service. We receive only the profile information you authorize Google to share.
Slack and Discord
If you enable these integrations, notification messages are sent to the webhook URLs you provide. We do not share personal data beyond the content of the notification messages you have configured.
Legal Requirements
We may disclose your personal data if required by law, court order, or governmental authority, or to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of account + 30 days after deletion |
| Email account credentials | Deleted immediately upon account or credential removal |
| Email content processed for AI triage | Not stored beyond the triage session; triage results retained for 90 days |
| Triage logs and activity records | 90 days |
| Tasks | Until you delete them or your account is deleted |
| Prompt profiles and version history | Duration of account |
| Billing and invoice records | 7 years (as required by Bahraini tax law) |
| Usage and technical data | 12 months |
| Support communications | 3 years |
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit using TLS, encryption of sensitive data at rest (including IMAP credentials), access controls limiting employee access on a need-to-know basis, regular security assessments and monitoring, and secure session management using signed JWT tokens.
No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.
8. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data (subject to legal exceptions). You can delete your account directly in Settings.
Right to Restriction
Request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, machine-readable format.
Right to Object
Object to our processing where we rely on legitimate interests as the legal basis.
Right to Withdraw Consent
Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. If you are located in the EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.
9. International Data Transfers
CORAIBOX is operated from the Kingdom of Bahrain. If you are accessing the Service from outside Bahrain — including from the EEA, United Kingdom, or other jurisdictions with data protection laws — your personal data may be transferred to and processed in countries that may not have the same level of data protection as your home country. Where we transfer personal data from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.
10. Cookies and Tracking Technologies
CORAIBOX uses session cookies and local storage to maintain your authentication state and language preferences. We do not use third-party advertising cookies or tracking pixels. The cookies we use are strictly necessary for the operation of the Service. You can control cookie settings through your browser settings, but disabling cookies may affect the functionality of the Service.
11. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Policy on the Service and by sending a notification to your registered email address at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the changes.
13. Contact Us and Data Protection Inquiries
DigiTrans Consultants W.L.L
Manama, Kingdom of Bahrain
CR Number: 169649-1 · VAT ID: 220021946700002
We aim to respond to all privacy-related inquiries within 30 days.