Privacy Policy

Last updated: April 7, 2025

This Privacy Policy describes how InboundKit ("we", "us", or "our") collects, uses, and protects information about you when you use our Service. By using InboundKit, you agree to the practices described here.

1. Information We Collect

Account Information

When you register, we collect your email address, name, and payment information (processed by our payment provider — we do not store full card numbers).

Email Content

Emails received at your InboundKit addresses are parsed and forwarded to your configured webhook endpoint as structured JSON. We do not permanently store the body or attachments of processed emails beyond the time needed to deliver the webhook event (typically seconds). Metadata such as sender, subject, and delivery timestamps may be retained for up to 30 days for debugging and audit purposes.

Usage Data

We collect usage metrics including email volume, webhook delivery status, latency, and error rates. This data is used to operate and improve the Service and is retained for up to 90 days.

Log Data

Our servers automatically record information such as your IP address, browser type, pages visited, and timestamps when you access our website or dashboard. Log data is retained for up to 30 days.

2. How We Use Your Information

  • To provide, operate, and maintain the Service.
  • To send you transactional emails (account confirmations, alerts, billing notices).
  • To respond to support requests.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

We do not sell your personal information to third parties. We do not use your email content for advertising or to train machine-learning models.

3. Third-Party Processors

We share information with service providers who help us deliver the Service, including:

  • Amazon Web Services (AWS) — cloud infrastructure, email receipt via Amazon SES, and storage. AWS processes data in accordance with their Privacy Notice.
  • Payment processor — billing and subscription management. Card data never touches our servers.

4. Data Retention

  • Email metadata: up to 30 days.
  • Usage metrics: up to 90 days.
  • Account data: retained while your account is active, deleted within 30 days of account closure upon request.
  • Billing records: retained for 7 years as required by tax law.

5. Security

All data in transit is encrypted using TLS. Data at rest is encrypted using AES-256. We restrict access to personal data to employees and contractors who need it to operate the Service. Despite these measures, no system is completely secure; you use the Service at your own risk.

6. Your Rights

Depending on your location, you may have rights including: access to your data, correction of inaccurate data, deletion of your data, and data portability. EU/EEA residents have rights under the General Data Protection Regulation (GDPR). California residents have rights under the California Consumer Privacy Act (CCPA).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Cookies

Our website uses essential cookies for session management and authentication. We do not use tracking or advertising cookies.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If we become aware we have done so, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the Service. The "last updated" date at the top of this page indicates when changes were last made.

10. Contact

For privacy-related questions or requests, contact us at [email protected].