Skip to main content
InboxRobot

Privacy Policy

Effective: 6 February 2025

anycast.io UG (haftungsbeschränkt) (hereafter “we,” “us,” or “our”) takes your privacy seriously. To better protect your privacy, we provide this privacy policy notice explaining how your personal information is collected, processed, and used.

1. Who Collects Your Data?

We act as the controller of your personal data when you use our site and services (“Services”). However, for certain generative AI features, we rely on Mistral AI, a French company (incorporated in Paris, under number 952 418 325, having its registered offices at 15 rue des Halles, 75001 Paris, France). Mistral AI may act as a processor or sub-processor for your data. For more information about Mistral AI’s data-processing practices, please see their Privacy Policy.

2. Data We Collect

Account Data

  • Profile Information: Name, email address, avatar/profile picture
  • Authentication Data: Hashed passwords, confirmation timestamps, two-factor authentication settings (if enabled)
  • Access Information: Last sign-in time, IP addresses, browser details
  • Account Settings: Marketing email preferences, beta feature access, account status

Organization Data

  • Team Information: Organization names, membership roles, join dates
  • Usage Metrics: Email processing counts, API usage statistics

Email Processing Data (InboxRobot Feature)

  • Email Metadata: Sender addresses, recipients, subject lines, message IDs
  • Processing Records: Forwarding actions, spam classifications, timestamps
  • Mail Account Settings: IMAP/SMTP configurations (encrypted)
  • Note: Email body content is processed transiently and not permanently stored

Activity & System Data

  • Activity Logs: User actions within the system (limited to 1000 most recent entries)
  • Notifications: System notifications and alerts
  • Technical Data: Browser information, timestamps, referring pages for administration

3. Email Processing & Use of AI Services

InboxRobot Email Automation

  • Automated Processing: We process emails through IMAP connections according to your configured rules
  • Data Retention: Email metadata (sender, subject, timestamps) is retained for accounting and history
  • Email Content: Body content is processed transiently for classification but not permanently stored
  • Processing Limits: Subject to plan-based limits on number of emails processed per month
  • Email History: Processing records retained based on your subscription plan (6-24 months)

AI-Powered Features

  • Default GDPR-Compliant Option: We use Mistral AI’s services (EU-based) for email content analysis and classification. Your data remains within EU infrastructure.
  • Alternative Non-GDPR Option: If you explicitly select “GDPR compliance: no, thank you,” your data may be sent to OpenAI (U.S.-based). By selecting this option, you acknowledge:
    • Data leaves EU jurisdiction
    • Different privacy standards may apply
    • We cannot guarantee GDPR compliance for this processing
  • AI Training: For Mistral AI paid tiers, you can opt out of having your data used for model training

4. Cookies and Tracking

Essential Cookies

  • Session Management: Authentication and security cookies required for login
  • Remember Me: Optional long-term authentication cookie (60 days) if you check “Remember me”
  • Language Preference: Stores your selected language (1 year)

Analytics (Privacy-Focused)

  • Plausible Analytics: We use Plausible.io for privacy-friendly, cookie-free analytics
  • No Personal Data: Plausible collects only aggregated statistics without tracking individual users
  • EU-Based: All analytics data is processed and stored within the EU
  • No Cookie Consent Required: As Plausible doesn’t use cookies or collect personal data

5. Third-Party Services

We integrate with the following third-party services:

Payment Processing

  • Stripe: Handles all payment transactions securely. We do not store credit card details.
  • Customer Data: Stripe customer IDs and subscription status are synced with our system

Infrastructure Services

  • Email Delivery: Third-party SMTP services for transactional emails
  • File Storage: Cloud storage providers for user-uploaded files (avatars, etc.)

Analytics

  • Plausible.io: Privacy-focused, GDPR-compliant analytics (no cookies, EU-based)

All third-party services are bound by data processing agreements ensuring GDPR compliance.

6. Links to Third-Party Websites

We include links on this site for reference. We are not responsible for the privacy policies on these external sites.

7. Security

We prioritize the security of your personal data. However, no method of transmission over the internet or electronic storage is 100% secure. We strive to use commercially acceptable means to protect your personal data but cannot guarantee absolute security.

8. Your Data Rights

Under GDPR, you have the following rights:

Access & Portability

  • Data Export: Request a complete export of your personal data through your account settings
  • Rate Limited: One export request per hour to prevent abuse
  • Format: Data provided in human-readable HTML format

Correction & Deletion

  • Profile Updates: Edit your information directly in account settings
  • Account Deletion: Soft delete (marks account as deleted but retains data for recovery)
  • Team Deletion: Hard delete of organization data when team owner deletes the team
  • Data Retention: Deleted account data may be retained for legal/tax requirements

Control & Consent

  • Marketing Communications: Opt in/out of marketing emails in settings
  • Cookie Preferences: Managed through browser settings
  • AI Processing: Choose between GDPR-compliant (Mistral) or alternative (OpenAI) processing

To exercise these rights, contact us at support@inboxrobot.de

9. Data Retention

  • Active Accounts: Data retained for duration of service use
  • Email History: 6-24 months based on subscription plan, then automatically deleted
  • Activity Logs: Limited to 1000 most recent entries
  • Deleted Accounts: Soft-deleted, may be retained for legal compliance
  • Financial Records: 7 years for tax/accounting requirements (German law)
  • Backups: 30-day backup retention for disaster recovery

10. Changes to This Privacy Policy

This Privacy Policy is effective as of the date above and will remain in effect unless we make any future revisions. If material changes occur, we will notify you via email or a prominent notice on our website. Please check back periodically to stay informed of any updates.

11. Data Processing Agreement

For business customers requiring a Data Processing Agreement (DPA) under GDPR Article 28, please contact us to request our standard DPA.

12. Contact Information & Data Protection Officer

For privacy-related questions or to exercise your data rights:

  • Email: support@inboxrobot.de
  • Controller: anycast.io UG (haftungsbeschränkt)
  • Address: Hintere Strasse 125a

For Mistral AI-related inquiries: privacy@mistral.ai

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.