Skip to main content
101110
mailb0xAgentic Platform
Your privacy

Privacy Policy

Effective date: March 1, 2024

mailb0x is built privacy-first: every customer runs on their own VPS (provided by us), we have zero access to your content, and end-to-end encryption is the default. We're a software vendor, not an ESP—you control your data, we only process billing information.

Single-Tenant VPS
Your own isolated server
Zero Access
We revoke our keys after setup
E2E Encrypted
We can't see your content

What We Are / Aren't

We ARE
A software vendor shipping an automation tool you deploy to your own VPS (provided by us).
We AREN'T
Your ESP, list host, wallet custodian, data broker, or mail relay.

Information We Collect (Minimal)

We collect only what's necessary for billing and license enforcement—nothing else.

  • Billing only: Company name, billing email, plan, invoice/transaction IDs.
  • Minimal metrics: Instance-hours, version number, success/fail counts (no message content).
  • No content access: We cannot see your contacts, templates, emails, or campaign data.

Data & Privacy Architecture

Your data lives on your own VPS under your domain. We never centralize or access your content.

  • Data residency: All customer data lives on your VPS under your domain.
  • No content access: We can't see your contacts, templates, or emails.
  • No central logs: We don't centralize message logs.
  • Suppression local-only: Unsubscribes/bounces/complaints stored on your VPS only.
  • Customer-held keys: Encryption keys are yours. Lose them = we cannot recover data.

Security (How It's Built)

E2E by Default
Client-side encryption for lists/templates/content.
Per-Tenant Domains
Mandatory customer CNAMEs for tracking/unsub (or disable tracking entirely).
No Shared Infrastructure
No shared tracking links or pooled IPs that can taint other tenants.
Access Revocation
Installer auto-removes bootstrap users/keys and emits a signed "access revoked" receipt.

Logging & Retention

We don't keep message logs, recipient lists, or content.
We do keep minimal billing records for tax/audit periods.
On your VPS: you control system logs; defaults use short retention.

Payments & Billing

Crypto-Only
Stablecoins or BTC via supported gateways; we never custody your funds.
What We Keep
Company name, billing email, plan, invoice/tx IDs—that's it.
Refunds
Crypto refunds sent back to customer-provided address (subject to AML/sanctions checks).

Hosting & Jurisdiction

Recommended regions: CH primary; EU edge (NL/DE) for latency.
Law follows the users: Your marketing compliance depends on where you email, not where the VPS sits.
Company status: mailb0x acts as a software vendor; if you enable optional features that process personal data on our infra, we'll offer a DPA.

Compliance Posture (Who Does What)

You are the sender/controller
Under GDPR, CAN-SPAM, CASL, and other regulations, you control recipient data and decide when to send. We process only billing info.
We're the software licensor
We provide the tool. We can't see your contacts or content. If you enable optional analytics that touch our servers, we'll sign a DPA.
Deliverability rules enforced
We block obvious spam patterns (purchased lists, no unsubscribe link, blacklisted domains) to protect our IP reputation pool.

Business Logic (How the App Behaves)

The software performs pre-flight checks and real-time health monitoring to protect deliverability:

  • Pre-flight checks: DMARC/SPF/DKIM, sender domain reputation, required headers (List-Unsubscribe).
  • Rate & health controls: Automatic pausing if bounce rate >5%, complaint rate >0.1%, or blacklist detection.
  • Diagnostics without PII: We may see aggregate metrics (open%, bounce%) but never email addresses or message content.

Customer Responsibilities

You must comply with applicable laws and regulations when using mailb0x:

Obtain valid consent before sending (GDPR, CASL, etc.)
Include working unsubscribe links in every message
Honor opt-outs within 10 days (CAN-SPAM) or 30 days (GDPR)
Configure SPF, DKIM, and DMARC for your sending domains
Keep your VPS and software updated (we'll notify you of critical patches)
Maintain backups of your data (we provide daily snapshots, but you own the data)
Secure your encryption keys (lose them = permanent data loss)

Acceptable Use (Hard Lines)

We terminate accounts immediately for:

Purchased, scraped, or rented email lists
Phishing, malware, or fraudulent content
Spam complaints >0.3% sustained over 7 days
Attempts to bypass pre-flight checks or rate limits
Sending without consent or to suppression-listed addresses
Adult content, gambling, payday loans, or crypto schemes (case-by-case review)

Violations may result in immediate suspension without refund. Serious abuse reported to authorities.

Our Commitments

We will never sell, share, or monetize your customer data
We will notify you of any security incidents within 72 hours
We will provide 30 days notice before material privacy policy changes
We will maintain SOC 2 Type II compliance once achieved
We will delete your billing data within 90 days of account closure (unless required for tax/audit)

Your Rights

Depending on your location, you may have rights to access, correct, delete, or restrict the use of your data. Submit requests through the privacy center in the dashboard or email privacy@mailb0x.dev. We respond within 30 days.

Changes to This Policy

We will post any updates on this page and notify workspace owners in-app at least 30 days before changes take effect. Material changes require your acceptance to continue using the service.

Contact

Privacy questions? Email privacy@mailb0x.dev or write to mailb0x Labs, Neue Bahnhofstr. 12, 10245 Berlin, Germany.

We are GDPR compliant and pursue SOC 2 Type II certification. Details are available in our security addendum.