Privacy Policy
Last updated: February 23, 2026
1. Who We Are
Inbox Insignia, Inc. ("Inbox Insignia," "we," "us," or "our") is a United States-based company that provides email authentication compliance monitoring services. We act as the data controller for the personal information we collect and process through our platform.
If you have any questions about this Privacy Policy or our data practices, you can contact us at privacy@inboxinsignia.com.
2. Information We Collect
We collect and process the following categories of information when you use Inbox Insignia:
Account Data
- Email address provided during registration
- Password hash (we never store plaintext passwords)
- Display name and profile settings
Workspace and Organization Data
- Workspace names, slugs, and configuration settings
- Organization names and hierarchy (for Agency-tier accounts)
- Member roles and permissions (owner, admin, member, viewer)
- Invitation records and membership history
Domain and DNS Record Data
- Domain names you add to the platform for monitoring
- SPF (Sender Policy Framework) records and validation results
- DKIM (DomainKeys Identified Mail) selector records and validation results
- DMARC (Domain-based Message Authentication, Reporting and Conformance) policy records
- MX (Mail Exchanger) records
- MTA-STS (Mail Transfer Agent Strict Transport Security) policies and check results
- TLS-RPT (TLS Reporting) records and reports
- Compliance scores and historical scan results
DMARC Aggregate Reports
- Source IP addresses of mail servers sending on behalf of your domains
- SPF and DKIM authentication pass/fail results
- DMARC policy evaluation outcomes (none, quarantine, reject)
- Message volume counts per source
- Reporting organization identifiers
- Report date ranges and metadata
Login and Session Data
- IP address at time of login
- User agent string (browser and operating system information)
- Login timestamps and session duration
- Authentication method used (password or magic link)
Billing Data
- Stripe customer ID and subscription ID
- Subscription plan, status, and billing cycle dates
- Invoice history and payment status
- We never store credit card numbers, CVVs, or full payment card details. Stripe, Inc., a PCI DSS Level 1 certified processor, handles all payment processing.
Usage Data
- Page views and navigation patterns (collected via Vercel Analytics)
- Vercel Analytics is cookieless and does not collect personally identifiable information
- Aggregate performance metrics (page load times, web vitals)
Audit Logs
- Action types (e.g., domain added, scan triggered, settings changed)
- Actor IDs (the user who performed each action)
- Timestamps of each action
- IP addresses associated with each action
- Affected resource identifiers
API Key Usage Metadata
- API key prefix (first 8 characters only; we do not store the full key after creation)
- Key name and associated permissions
- Last used timestamp
- Request counts and rate limit metrics
3. How We Use Your Information
We process your information for the following purposes, each supported by a lawful basis under the General Data Protection Regulation (GDPR) and equivalent privacy laws:
Contract Performance (Article 6(1)(b) GDPR)
- Creating and managing your account, workspaces, and organizations
- Performing DNS scans, compliance scoring, and generating findings and recommendations
- Processing and displaying DMARC aggregate reports
- Sending alerts and notifications about domain compliance changes
- Processing subscription payments and managing billing through Stripe
- Delivering transactional emails (account verification, password resets, scheduled reports)
- Providing customer support and responding to your requests
Legitimate Interest (Article 6(1)(f) GDPR)
- Monitoring platform security and preventing unauthorized access or abuse
- Maintaining audit logs for accountability and incident investigation
- Analyzing aggregated, non-identifying usage data to improve our services
- Detecting and preventing fraudulent activity, spam, and platform abuse
- Enforcing our Terms of Service and Acceptable Use Policy
- Improving the reliability, performance, and usability of the platform
Legal Obligation (Article 6(1)(c) GDPR)
- Responding to lawful requests from law enforcement or regulatory authorities
- Retaining billing and transaction records for tax compliance purposes
- Complying with applicable data protection laws and regulations
Consent (Article 6(1)(a) GDPR)
- Sending optional marketing communications about product updates or new features (where applicable)
- You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@inboxinsignia.com
4. How We Share Your Information
We share your information only with trusted third-party service providers (sub-processors) who process data on our behalf under strict contractual obligations. We never sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
Sub-Processors
- Supabase, Inc. (United States) — PostgreSQL database hosting, user authentication, and real-time data services. Supabase stores your account data, workspace data, domain records, scan results, and DMARC reports.
- Stripe, Inc. (United States) — Payment processing, subscription management, and invoicing. Stripe processes your payment card information and billing details directly; we only receive and store Stripe customer and subscription identifiers.
- Vercel, Inc. (United States) — Application hosting, edge network delivery, serverless function execution, and cookieless web analytics. Vercel processes request data including IP addresses and user agent strings in the course of serving the application.
- Resend, Inc. (United States) — Transactional email delivery, including account verification emails, password reset links, alert notifications, and scheduled compliance reports (when email delivery is enabled).
A complete and up-to-date list of our sub-processors is available on our Sub-processors page.
Other Disclosures
We may also disclose your information if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request
- Enforce our Terms of Service, including investigation of potential violations
- Detect, prevent, or otherwise address fraud, security, or technical issues
- Protect against harm to the rights, property, or safety of Inbox Insignia, our users, or the public
5. International Data Transfers
Inbox Insignia is based in the United States, and your data is primarily stored and processed in the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
For transfers of personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to the United States, we rely on the following transfer mechanisms:
- EU-US Data Privacy Framework (DPF) — Where our sub-processors are certified under the EU-US Data Privacy Framework, we rely on their certification as a valid transfer mechanism.
- Standard Contractual Clauses (SCCs) — As a fallback mechanism, we enter into European Commission-approved Standard Contractual Clauses with our sub-processors to ensure adequate protection for transferred personal data.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@inboxinsignia.com.
6. Data Retention
We retain your data for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Scan history and DMARC report retention periods vary by subscription plan:
Per-Plan Retention Periods
- Starter Plan: 60 days scan history, 60 days DMARC aggregate reports
- Growth Plan: 180 days scan history, 180 days DMARC aggregate reports
- Agency Plan: 365 days scan history, 365 days DMARC aggregate reports
Other Retention Periods
- Account data: Retained for the duration of your active subscription plus 30 days after account deletion to allow for account recovery and fulfill any pending obligations.
- Billing records: Retained in accordance with tax and legal obligations, typically for a period of 7 years from the date of the transaction.
- Audit logs: Retained for 60 days on Starter, 180 days on Growth, and 365 days on Agency.
- Support correspondence: Retained for up to 2 years after the last interaction for quality assurance and dispute resolution purposes.
Expired data is automatically purged by our daily retention cleanup process. You may also request early deletion of your data by contacting us (see Section 7 below).
7. Your Rights
Depending on your jurisdiction, you may have specific rights regarding your personal information. Below we outline the rights available under major privacy frameworks.
EEA and United Kingdom (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate or incomplete personal data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Restriction — Request that we restrict the processing of your personal data
- Data portability — Receive your personal data in a structured, commonly used, machine-readable format
- Object — Object to processing based on legitimate interest or direct marketing
- Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Lodge a complaint — File a complaint with your local data protection supervisory authority
California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the third parties with whom we share it
- Right to delete — Request deletion of personal information we have collected from you, subject to certain exceptions
- Right to opt-out of sale — We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights
- Right to correct — Request correction of inaccurate personal information we maintain about you
Canada (PIPEDA)
If you are located in Canada, you have the right to:
- Access — Request access to your personal information held by us and information about how it is used and disclosed
- Correction — Request correction of your personal information if it is inaccurate or incomplete
- Withdrawal of consent — Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
- Challenge compliance — Challenge our compliance with PIPEDA by contacting our privacy contact or filing a complaint with the Office of the Privacy Commissioner of Canada
Australia (Privacy Act 1988)
If you are located in Australia, you have the right to:
- Access — Request access to the personal information we hold about you
- Correction — Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Complain — Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles
How to Exercise Your Rights
To exercise any of the rights described above, please email us at privacy@inboxinsignia.com with the subject line "Privacy Rights Request." To protect your privacy and security, we will verify your identity before processing your request. Verification may require you to confirm your email address and provide additional identifying information.
We will respond to all valid requests within 30 days. If we need additional time (up to 60 additional days in complex cases), we will notify you in writing with the reason for the extension.
8. Cookies and Tracking
Inbox Insignia uses a minimal approach to cookies and tracking technologies:
Essential Cookies
- Supabase authentication session cookies (prefixed with sb-) — These cookies are strictly necessary for authenticating your session and maintaining your logged-in state. They cannot be disabled without breaking core platform functionality.
Analytics
- Vercel Analytics — We use Vercel's cookieless, privacy-friendly analytics to understand aggregate usage patterns. Vercel Analytics does not use cookies, does not collect personally identifiable information, and does not track individual users across sessions.
What We Do Not Use
- No advertising or remarketing cookies
- No third-party marketing trackers
- No social media tracking pixels
- No cross-site tracking of any kind
For more detailed information, please see our Cookie Policy.
9. Children's Privacy
Inbox Insignia is a business-to-business service designed for use by professionals managing email authentication for their organizations. Our service is not directed at children under the age of 16, and we do not knowingly collect personal information from children under 16.
If we become aware that we have inadvertently collected personal information from a child under 16, we will take prompt steps to delete such information from our systems. If you believe that a child under 16 has provided us with personal information, please contact us immediately at privacy@inboxinsignia.com.
10. Security
We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Encryption at rest: All stored data is encrypted at rest using AES-256 encryption
- Row-Level Security (RLS): Database-level policies enforce strict workspace isolation, ensuring users can only access data within their authorized workspaces
- Audit logging: All significant actions are recorded in tamper-evident audit logs for security monitoring and incident investigation
- Password hashing: User passwords are salted and hashed using industry-standard algorithms and are never stored in plaintext
- API key security: API keys are hashed after creation; only the key prefix is stored for identification
No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. For a comprehensive overview of our security practices, please visit our Security page.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice by sending a notification to the email address associated with your account before the changes take effect.
Your continued use of Inbox Insignia after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should discontinue your use of the service and contact us to delete your account.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@inboxinsignia.com
- Entity: Inbox Insignia, Inc.
We aim to respond to all privacy inquiries within 30 days of receipt.