Privacy Policy

Last updated: March 14, 2025

This Privacy Policy describes how Inboxyl collects, uses, and protects your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR") and applicable German data protection law (Bundesdatenschutzgesetz, "BDSG").

1. Data Controller

The data controller responsible for your personal data within the meaning of Art. 4(7) GDPR is:

Inboxyl

Email: info@inboxyl.com

For all questions regarding the processing of your personal data, please contact us at the address above.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and billing information. Payment card details are processed directly by our payment provider and are not stored on our servers.

Email Archive Files

To provide the Service, you upload email archive files (such as PST or OST files). These files may contain email messages, attachments, contact data, and communication metadata relating to you and third parties. You are responsible for ensuring you have a valid legal basis under GDPR for uploading any personal data of third parties.

Usage and Technical Data

We automatically collect technical information when you use the Service, including IP address, browser type, device information, pages visited, and actions taken within the application. This data is used to operate and improve the Service.

Cookies and Similar Technologies

See Section 9 (Cookie Policy) for details.

3. Legal Basis for Data Processing

We process your personal data on the following legal bases under Art. 6 GDPR:

  • Art. 6(1)(b) GDPR — Performance of a contract: Processing your account data, email archives, and billing information is necessary to provide the Service you have contracted for.
  • Art. 6(1)(c) GDPR — Legal obligation: We may process your data where required to comply with applicable legal obligations, including tax and accounting law.
  • Art. 6(1)(f) GDPR — Legitimate interests: We process technical usage data to operate, secure, and improve the Service. Our legitimate interest is to ensure the functionality and security of the platform. You may object to this processing — see Section 10.
  • Art. 6(1)(a) GDPR — Consent: Where we use non-essential cookies or similar tracking technologies, we will obtain your prior consent. You may withdraw consent at any time.

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Process and index your email archive files so they are searchable and accessible to you
  • Process payments and manage your subscription
  • Send transactional communications (account confirmations, billing receipts, security alerts)
  • Respond to your support requests
  • Monitor and analyze usage to improve the Service
  • Comply with legal obligations including tax, accounting, and regulatory requirements

We do not use your email archive content for advertising, profiling, model training, or any purpose other than delivering the Service to you.

5. Data Storage and Security

Your data is stored on secure cloud infrastructure. We implement industry-standard security measures including encryption in transit (TLS) and at rest (AES-256), strict access controls, and regular security assessments.

Access to your email archive data is limited to your account. Inboxyl staff do not access your archive content except when required to resolve a technical issue you have reported and only with your explicit consent, in accordance with Art. 29 GDPR.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and, where required, notify you directly (Art. 34 GDPR).

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Policy and to comply with our legal obligations:

  • Account and archive data: Retained for the duration of your active account. Upon account deletion, your data is removed within 30 days, except where legal retention obligations apply.
  • Billing and invoicing records: Retained for 10 years in accordance with § 147 AO (German Fiscal Code) and § 257 HGB (German Commercial Code).
  • Usage and log data: Retained for up to 90 days for security and operational purposes, then deleted or anonymized.
  • Support communications: Retained for up to 3 years from the date of last contact.

Aggregated, anonymized data that cannot be linked to any individual may be retained indefinitely.

7. International Data Transfers

Some of our third-party service providers operate infrastructure outside the European Economic Area (EEA). Where personal data is transferred to countries that do not provide an equivalent level of data protection, we ensure appropriate safeguards are in place as required by Chapter V GDPR:

Supabase

Supabase provides our database and file storage infrastructure. Data may be stored on servers located in the United States or other regions. Transfers are safeguarded by Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR). Supabase is SOC 2 Type II certified. You can select the data region for your project — EU regions (e.g., eu-central-1) are available and preferred where possible.

Stripe / Paddle

Payment processing is handled by Stripe or Paddle. Billing data (name, email, payment method metadata) is transmitted to these providers. Both operate under Standard Contractual Clauses and are certified under applicable data protection frameworks. Full payment card details are never stored on our servers.

A copy of the applicable Standard Contractual Clauses can be provided upon request by contacting info@inboxyl.com.

8. Third-Party Services

We have entered into Data Processing Agreements (DPAs) under Art. 28 GDPR with all third-party providers who process personal data on our behalf. These providers are authorized to process your data only in accordance with our documented instructions and this Privacy Policy.

We do not sell personal data to third parties. We do not share your email archive content with any third party for any purpose other than storing and serving it back to you.

9. Cookie Policy

Strictly Necessary Cookies

We use session cookies that are strictly necessary to operate the Service, including authentication tokens and CSRF protection. These cookies do not require your consent under § 25(2) TTDSG (German Telecommunications Digital Services Data Protection Act) and Art. 5(3) ePrivacy Directive, as they are essential to provide the service you have requested.

Analytics and Non-Essential Cookies

We do not currently use third-party analytics cookies or advertising trackers. If we introduce such cookies in the future, we will request your prior consent via a cookie consent mechanism before setting them, in accordance with § 25(1) TTDSG.

Cookie Duration

Authentication session cookies expire when you log out or after a period of inactivity. Persistent cookies, where used, will not exceed 12 months in duration.

You can configure your browser to refuse or delete cookies at any time. Note that disabling strictly necessary cookies will prevent you from using the Service.

10. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights, which you may exercise free of charge by contacting us at info@inboxyl.com:

  • Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances (e.g., while a rectification request is assessed).
  • Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object at any time to the processing of your personal data carried out on the basis of our legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

We will respond to your request within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months and will inform you accordingly (Art. 12(3) GDPR).

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority (Datenschutzbehörde) if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR).

You may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authority in Germany is the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI):

Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)

Graurheindorfer Str. 153, 53117 Bonn, Germany

Website: bfdi.bund.de

You may also contact the supervisory authority of the German federal state in which you reside. A list of German state data protection authorities is available at bfdi.bund.de.

We encourage you to contact us first at info@inboxyl.com so that we can address your concern directly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect.

The date at the top of this page indicates when the policy was last revised.

13. Contact Information

For any questions about this Privacy Policy or to exercise your data subject rights, contact us at:

Inboxyl

Email: info@inboxyl.com