Legal
Privacy policy
Effective July 1, 2026
This policy explains what Inboxes ("we") collects, why, and what we do with it. The short version: we collect what the product needs to work, we do not sell data, and you can ask for deletion at any time.
What we collect
- Account and signup data. Your email address, signup confirmation status, the page you signed up from, and standard request metadata (IP address, user agent). We use this to create and secure your account and to contact you about the service.
- Test data. Emails you send to the seed panel, including their headers and content, and the placement results we read. We use this to produce your reports.
- Monitoring data. Domains and IPs you ask us to watch, blacklist check results, and DMARC aggregate reports you route to us. DMARC aggregate reports contain sending-source statistics, not message content.
- Contact messages. If you write to us, we keep the message to answer it.
What we do not do
- We do not sell or rent personal data. Ever.
- We do not send email on your behalf; sending stays in your ESP.
- We do not use your test content to train models or to market to your recipients.
- We do not run third-party advertising trackers on this site.
Legal basis and retention
We process account data to perform our contract with you, and product analytics in our legitimate interest to keep the service working. Test results and monitoring history are kept while your account is active so trends work; you can delete individual tests or your whole account, and deletion removes the underlying data within 30 days from live systems and within 90 days from backups.
Sharing
We use a small set of processors to run the service: cloud hosting, transactional email delivery for codes and alerts, and error monitoring. Processors act under contract and only on our instructions. We disclose data if the law genuinely requires it, and we tell you when we are allowed to.
Your rights
You can request access, correction, export, or deletion of your personal data by writing to [email protected] from the address on the account. Depending on where you live (GDPR, UK GDPR, CCPA), you may have additional statutory rights; we honor requests from anywhere the same way.
Security
Data in transit is encrypted with TLS; data at rest is encrypted on managed infrastructure with access limited to people who operate the service. No system is perfectly secure, and we will notify affected users of any breach as the law requires.
Contact
Privacy questions: [email protected], or the contact form. If we change this policy materially, we will note it here with a new effective date.