← Back to Phenom Mailbox

TEMPLATE NOTICE: This document is a working template and has not been reviewed by legal counsel. It should be reviewed and customized by a qualified attorney before use in production.

Privacy Policy

Effective Date: [DATE]

1. Introduction

This Privacy Policy describes how [COMPANY NAME] ("Company", "we", "us") collects, uses, and protects your information when you use Phenom Mailbox ("Service"). We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

Account Information

Data	Purpose	Retention
Username	Account identification	Until account deletion
Email address	Account recovery, billing notifications	Until account deletion
Password (hashed)	Authentication	Until account deletion
Billing information	Payment processing (via Stripe)	Per Stripe's retention policy

Service Data

Data	Purpose	Retention
Subdomain configurations	Email routing and RSVP settings	Until subdomain deletion
Received email content	Core service functionality	Configurable TTL (auto-deleted)
SMTP metadata (sender, recipient, headers)	Email inspection features	Same as email content

Automatically Collected

Data	Purpose	Retention
IP address	Rate limiting, security	Not persisted beyond rate-limit window
Session data	Authentication state	24 hours
Audit log entries	Security and compliance	Rolling window

3. How We Use Your Information

We use collected information to:

Provide and operate the email testing Service
Authenticate you and secure your account
Process payments and manage subscriptions
Enforce rate limits and prevent abuse
Maintain audit logs for security purposes
Communicate service updates or billing issues

We do not use your data for advertising, profiling, or selling to third parties.

4. Data Sharing

We share data only with:

Stripe, Inc. — Payment processing. Stripe's privacy policy applies to billing data they handle.
Infrastructure providers — Cloud hosting necessary to operate the Service. Bound by data processing agreements.
Law enforcement — When required by valid legal process (subpoena, court order).

We do not sell, rent, or trade your personal information.

5. Email Content

Email content received through your subdomains is stored temporarily for your inspection. We do not read, scan, mine, or analyze the content of emails received by the Service except as technically necessary to provide features you have enabled (e.g., auto-RSVP for calendar invites).

Email content is automatically deleted after the configured retention period.

6. Data Security

We implement security measures including:

Password hashing with bcrypt
Rate limiting on authentication and API endpoints
Session-based authentication with secure cookies
Audit logging of administrative actions
Input validation and sanitization

While we take reasonable measures to protect your data, no system is completely secure. You are responsible for keeping your account credentials confidential.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access — Request a copy of the personal data we hold about you
Correction — Request correction of inaccurate data
Deletion — Request deletion of your account and associated data
Export — Request your data in a portable format
Restrict processing — Request that we limit how we use your data

To exercise these rights, contact us at [CONTACT EMAIL]. We will respond within 30 days.

8. GDPR (European Users)

If you are in the European Economic Area, our legal basis for processing is:

Contract performance — Processing necessary to provide the Service you subscribed to
Legitimate interest — Security, fraud prevention, and service improvement
Legal obligation — Compliance with applicable laws

For data transfers outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

9. CCPA (California Users)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, contact us at the email below.

10. Cookies

We use a single session cookie required for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

11. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect.

13. Contact

For privacy-related inquiries:

[COMPANY NAME]
Email: [CONTACT EMAIL]
[ADDRESS]