IB
Inboxr
Log in

Privacy Policy

Last updated: 29 April 2026

This policy explains what personal data Inboxr collects, why, and what rights you have. It applies to app.getinboxr.app, api.getinboxr.app, and our marketing site.

1. Data we collect

  • Account data: name, email, hashed password, OAuth provider IDs (Google, GitHub).
  • Workspace data: workspace name, plan, members, API keys (hashed), webhook URLs.
  • Mail data: messages received at your disposable addresses, including sender, subject, body, and headers. We retain mail only for the retention window your plan permits (default 7 days, up to 90 days).
  • Usage data: API request counts, message volumes, and audit-log entries (which member did what, when).
  • Technical data: IP address, user-agent, and request timing for fraud and abuse prevention.
  • Billing data: handled by Stripe; we never see your card number. We store only the customer/subscription IDs.

2. Why we collect it

  • To provide the Service (deliver mail, authenticate you, enforce caps).
  • To bill you and meet tax obligations.
  • To detect and prevent abuse.
  • To send transactional notifications (verification, receipts, security alerts).
  • To send product updates if you opt in (you can unsubscribe at any time).

3. Legal bases (GDPR)

  • Performance of our contract with you (account & billing data).
  • Legitimate interests (abuse prevention, product analytics).
  • Consent (optional product updates, non-essential cookies).
  • Legal obligation (tax records).

4. Sharing

We share data only with the sub-processors needed to run the Service:

  • AWS — hosting (Sydney + us-east-2) and SES for outbound mail.
  • Stripe — payment processing.
  • Google & GitHub — OAuth identity (if you choose those providers).
  • Anthropic — AI assistant requests (only when you use the in-product chatbot).

A current sub-processor list is in our DPA.

5. Retention

  • Mail is deleted after your plan's retention window.
  • Account data is kept until you delete your account.
  • Audit logs are kept for 13 months.
  • Billing records are kept for 7 years to satisfy tax law.

6. Your rights

  • Access & portability: download a JSON dump from Settings → Danger zone → Export.
  • Deletion: delete your account from the same screen. Sole-owner workspaces are deleted with you.
  • Correction: update your name or email from Settings.
  • Objection / restriction: contact privacy@getinboxr.app.
  • Complaint: you may complain to your local supervisory authority (e.g. OAIC in Australia, your data protection authority in the EU/UK).

7. Security

  • TLS 1.2+ in transit; AES-256 encryption at rest.
  • Passwords stored using bcrypt with per-account salts.
  • API keys are hashed with SHA-256; the plaintext is shown once and never stored.
  • Production access is limited to a small set of engineers and is audit-logged.

8. International transfers

Your data may be processed in Australia and the United States. Where applicable, we rely on the EU Standard Contractual Clauses and the UK's International Data Transfer Addendum.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their data.

10. Contact

For privacy questions: privacy@getinboxr.app.

Questions? Email legal@getinboxr.app.