GDPR Statement

Effective date: June 29, 2026 · Last updated: June 30, 2026

Zeptun Intelligence Limited (Hong Kong SAR) ("we," "us," or "our") operates the Unbox mail platform at unbox.im and is committed to protecting personal data in line with the EU General Data Protection Regulation (GDPR) and similar laws. This page summarizes how we handle data for customers in the European Economic Area (EEA), UK, and Switzerland. It supplements our Privacy Policy and Terms of Service.

Who we are

Zeptun Intelligence Limited (Hong Kong SAR) is the data controller for personal data processed through Unbox at unbox.im. For data-protection inquiries, contact privacy@unbox.im.

What Unbox is (and is not)

Unbox is a transactional mail and domain inbox platform. We help you send and manage important mail — verification codes, password resets, order updates, and team notifications on your own domains.

We do not provide marketing or newsletter broadcasting. Our HTTP API and SMTP submission paths are limited to transactional mail only. That product choice reduces GDPR marketing-consent complexity: we do not send promotional campaigns on your behalf, and we do not require marketing opt-in or unsubscribe flows for platform mail.

Outbound API and SMTP — transactional only

The Unbox HTTP API (POST /v1/email) and optional SMTP submission must be used for transactional messages only — for example password resets, receipts, security alerts, and team notifications tied to a specific event. Marketing newsletters, promotional bulk sends, and cold outreach are prohibited.

Permitted examples

Prohibited examples

Rate and recipient limits (policy)

To prevent de-facto bulk marketing while allowing normal team notifications, outbound API and SMTP traffic is subject to the limits below in addition to plan quotas. Limits are enforced automatically and apply per workspace (owner and team members share one daily unique-recipient pool, reset at midnight UTC):

These rules are part of our Acceptable Use Policy. Automated enforcement is live on the web composer, HTTP API, and SMTP submission. Accounts that send marketing or bulk mail, or otherwise abuse sending infrastructure, may be throttled, suspended, or terminated.

We monitor deliverability signals. Sustained bounce rates above 3% or complaint rates above 0.1% may trigger a temporary send pause or manual review.

These rules are also stated in our Terms of Service.

Lawful bases for processing

What we already do

Sub-processors

We use trusted infrastructure partners to run Unbox. They process data only under our instructions and contractual safeguards:

A current list is maintained in our Privacy Policy. Business customers who need a signed Data Processing Agreement (DPA) may request one at privacy@unbox.im.

International transfers

Unbox is primarily operated from Singapore, with infrastructure in AWS ap-southeast-1 and global edge locations used by our hosting providers. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses and vendor DPAs. We are planning EU-region storage options for customers who require data residency in the EU.

Your rights under GDPR

If GDPR applies to you, you may have the right to:

How to exercise your rights today: email privacy@unbox.im from your registered address. We respond within one month. Self-service export and account deletion in Settings are on our roadmap — see below.

AI and your mail

When you use AI features, relevant message content may be sent to AI providers for summarization, classification, or drafting. We minimize what is sent and do not use your mail to train public models. Business customers will be able to restrict cloud AI processing in account settings; until that toggle ships, contact us to opt out of cloud inference.

Security and breaches

We maintain technical and organizational measures including access controls, encryption, MFA/passkey support, and incident response procedures. If a personal data breach poses risk to your rights, we will notify affected users and regulators as required by law.

Planned improvements

We are actively working to strengthen GDPR readiness, including:

Contact

Data protection inquiries: privacy@unbox.im
General support: hello@unbox.im

Unbox — GDPR Statement | Unbox.im