Privacy Policy

InboxGuard ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email security service.

We are a company registered in the United Kingdom. For the purposes of data protection legislation, we are the data controller responsible for your personal data.

By using our Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2.1 Account Information

When you create an account, we collect:

• Email address (used for login and communication)
• Name (if provided)
• Password (stored in encrypted form)
• Subscription and billing information (processed by Stripe)

2.2 Email Data

To provide our email security services, we process:

• Email content (subject lines, body text, attachments metadata)
• Email metadata (sender addresses, recipient addresses, timestamps, headers)
• Email authentication data (SPF, DKIM, DMARC records)

Important: We access your emails solely to analyse them for security threats. We do not read, store, or share the content of your emails for any other purpose. Email content is processed in real-time and is not permanently stored after analysis.

2.3 Technical Data

• IP address and approximate location
• Browser type and version
• Device information and operating system
• Usage data (features used, analysis results, timestamps)
• Cookies and similar tracking technologies

2.4 Information from Third Parties

When you connect your email account via OAuth (Google, Microsoft, etc.), we receive authentication tokens that allow us to access your emails. We do not receive or store your email provider password.

Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:

• Contract Performance: Processing your email data is necessary to provide our email security services as agreed in our Terms of Service.
• Legitimate Interests: We have a legitimate interest in improving our services, preventing fraud, and ensuring security. This includes analysing anonymised data to improve threat detection.
• Consent: For marketing communications and optional analytics, we rely on your explicit consent, which you may withdraw at any time.
• Legal Obligation: We may process data to comply with legal requirements, such as responding to lawful requests from authorities.

We use your information to:

• Provide, maintain, and improve our email security services
• Analyse emails for scams, phishing, fraud, and other security threats
• Verify sender authenticity and email legitimacy
• Generate security reports and alerts
• Process payments and manage subscriptions
• Send service-related communications (security alerts, account updates)
• Provide customer support
• Improve our AI and machine learning models using anonymised threat patterns
• Comply with legal obligations
• Protect against fraudulent, unauthorised, or illegal activity

Our service uses artificial intelligence and machine learning to analyse emails. This automated processing helps us detect threats quickly and at scale. Key points about our AI processing:

• AI analysis is used to score emails for potential threats
• We may use third-party AI providers (such as OpenAI) to process email content
• No automated decision has legal or similarly significant effects on you
• You can request human review of any automated decision
• Anonymised patterns from threat detection may be used to improve our models

We do not sell your personal data.

We may share your information with:

• Service Providers: Third parties who help us operate our service, including:
  • Cloud hosting providers (for secure data storage)
  • AI/ML providers (for email analysis processing)
  • Payment processors (Stripe, for subscription billing)
  • Email delivery services (for transactional emails)
• Legal Requirements: When required by law, court order, or governmental authority
• Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or the public
• Business Transfers: In connection with a merger, acquisition, or sale of assets

All service providers are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.

Your information may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including the United States. These countries may have different data protection laws than your country of residence.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses approved by the European Commission
• UK International Data Transfer Agreement (UK IDTA)
• Adequacy decisions where applicable
• Data processing agreements with all third-party processors

We retain your data only as long as necessary:

• Email content: Processed in real-time and not stored after analysis. Only analysis results and metadata are retained.
• Analysis results: 90 days for active accounts (accessible in your dashboard)
• Account information: Duration of your subscription plus 2 years (for legal/tax purposes)
• Anonymised threat intelligence: Indefinitely (cannot be linked to individuals)
• Technical logs: 30 days

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain it.

We implement appropriate technical and organisational measures to protect your data:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication using OAuth 2.0 for email provider connections
• Access controls limiting employee access to personal data
• Regular security assessments and monitoring
• Secure cloud infrastructure with industry-standard certifications

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10.1 Rights Under UK/EU GDPR

If you are in the UK or EEA, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request limitation of processing
• Portability: Receive your data in a portable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
• Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority

10.2 Rights Under California Consumer Privacy Act (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt-out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us via our contact form. We will respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA).

We use cookies and similar technologies for:

• Essential cookies: Required for authentication and security
• Functional cookies: Remember your preferences
• Analytics cookies: Understand how you use our service (with your consent)

You can control cookies through your browser settings. Note that disabling essential cookies may affect service functionality.

Our Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

For Family Plan accounts, parents/guardians are responsible for managing children's accounts and consent to our processing of their children's email data.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a notice on our website prior to the change becoming effective.

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

For privacy-related questions, to exercise your rights, or to make a complaint:

Contact Form

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk