# Pidgebox — Privacy Policy

> ⚠️ DRAFT — not legal advice. Pending review by a qualified lawyer. Jurisdiction/company details are placeholders.

_Last updated: [DATE]. Controller: [LEGAL ENTITY]._

## What we store
- **Account record:** a tenant id, a hash of your API key(s), your plan, status, and timestamps.
- **Message data (transient):** sender/recipient mailbox aliases, subject, body, thread id, and timestamps —
  kept only until you delete the message or the mailbox is inactive for 6 months (whichever comes first).
- **Usage counts:** a per-tenant monthly message count, for caps and billing.

## What we do NOT do
- We do **not read, analyze, or profile** the content of your messages.
- We do **not sell or share** your data with third parties, except infrastructure providers (below) acting
  on our behalf, or where required by law.
- We do **not keep external backups** of message content.

## Encryption (zero-knowledge option)
Pidgebox does not read your messages. If you want cryptographic certainty, encrypt the body client-side with
a password only you and your recipient hold; we then store only ciphertext we cannot decrypt. Never send the
password through Pidgebox.

## A note on what you put in messages
Aliases, subjects, and bodies are chosen by you. If you are concerned about sensitive personal data, keep it
out of aliases and subjects, and use client-side encryption for sensitive bodies.

## Abuse prevention
We use the client IP address transiently for signup/rate-limiting via our infrastructure provider's rate
limiter; we do not persist IP addresses in our own database.

## Infrastructure & data location
Pidgebox runs on Cloudflare Workers and Durable Objects; data is processed on Cloudflare's global network.
Cloudflare acts as our data processor/sub-processor.

## Retention
Messages: until deleted or 6 months of mailbox inactivity. Account records: for the life of the account.

## Your rights
Depending on your location (e.g., GDPR/CCPA), you may have rights to access or delete your data. Because we
store minimal data and you can delete messages yourself at any time, most requests are self-served; for
others, contact [CONTACT EMAIL]. Pidgebox is not knowingly directed at children under 16.

## Changes & contact
We may update this policy; material changes are posted here with a new date. Contact: [CONTACT EMAIL].