GDPR Statement
Effective date: June 29, 2026 · Last updated: June 30, 2026
Zeptun Intelligence Limited (Hong Kong SAR) ("we," "us," or "our") operates the Unbox mail platform at unbox.im and is committed to protecting personal data in line with the EU General Data Protection Regulation (GDPR) and similar laws. This page summarizes how we handle data for customers in the European Economic Area (EEA), UK, and Switzerland. It supplements our Privacy Policy and Terms of Service.
Who we are
Zeptun Intelligence Limited (Hong Kong SAR) is the data controller for personal data processed through Unbox at unbox.im. For data-protection inquiries, contact privacy@unbox.im.
What Unbox is (and is not)
Unbox is a transactional mail and domain inbox platform. We help you send and manage important mail — verification codes, password resets, order updates, and team notifications on your own domains.
We do not provide marketing or newsletter broadcasting. Our HTTP API and SMTP submission paths are limited to transactional mail only. That product choice reduces GDPR marketing-consent complexity: we do not send promotional campaigns on your behalf, and we do not require marketing opt-in or unsubscribe flows for platform mail.
Outbound API and SMTP — transactional only
The Unbox HTTP API (POST /v1/email) and optional SMTP submission must be used for transactional messages only — for example password resets, receipts, security alerts, and team notifications tied to a specific event. Marketing newsletters, promotional bulk sends, and cold outreach are prohibited.
Permitted examples
- Account verification, password resets, and security alerts
- Order confirmations, receipts, shipping updates, and payment notices
- Notifications triggered by a specific user or system event
- Team and workspace messages (invites, assignments, internal alerts)
Prohibited examples
- Newsletters, promotional campaigns, or broadcast marketing
- Cold outreach or mail to purchased, scraped, or non-consenting lists
- Affiliate spam, phishing, or deceptive content
- Any attempt to bypass recipient caps, rate limits, or plan quotas
Rate and recipient limits (policy)
To prevent de-facto bulk marketing while allowing normal team notifications, outbound API and SMTP traffic is subject to the limits below in addition to plan quotas. Limits are enforced automatically and apply per workspace (owner and team members share one daily unique-recipient pool, reset at midnight UTC):
- Recipients per message: Up to 50 total (To + Cc + Bcc combined)
- Unique recipients per day: Up to 1,000 per workspace
- Send request rate: Up to 10 API or SMTP submissions per minute per domain
- Plan outbound quota: Monthly send limits on your subscription still apply
These rules are part of our Acceptable Use Policy. Automated enforcement is live on the web composer, HTTP API, and SMTP submission. Accounts that send marketing or bulk mail, or otherwise abuse sending infrastructure, may be throttled, suspended, or terminated.
We monitor deliverability signals. Sustained bounce rates above 3% or complaint rates above 0.1% may trigger a temporary send pause or manual review.
These rules are also stated in our Terms of Service.
Lawful bases for processing
- Contract — to provide hosting, DNS, inbox, API send, billing, and support you signed up for.
- Legitimate interests — security, abuse prevention, deliverability monitoring, and product improvement, balanced against your rights.
- Consent — where required, such as optional AI features that send content to cloud model providers, or connecting third-party mail accounts.
- Legal obligation — tax, billing, and lawful requests from authorities.
What we already do
- Verified registration — new accounts must confirm email (one-time code or magic link) before signing in.
- Encryption — TLS for data in transit; sensitive credentials and tokens encrypted at rest; API keys stored hashed.
- Data minimization — outbound delivery logs store metadata only (no message bodies). External account previews expire after seven days. Delivery logs are purged on a short retention schedule (default 14 days).
- User-controlled retention — recycle bin, spam quarantine, and permanent delete flows; you choose how long deleted mail is kept before purge.
- DNS authentication — we guide you through SPF, DKIM, and DMARC setup and block sending until your domain is verified.
- Operator accountability — platform staff actions in our admin console are audit-logged; team membership changes are recorded in your workspace activity feed.
- No sale of personal data — we do not sell your information to advertisers or data brokers.
Sub-processors
We use trusted infrastructure partners to run Unbox. They process data only under our instructions and contractual safeguards:
- Vercel — web application hosting and serverless functions
- Neon — PostgreSQL database
- Upstash — Redis (queues and rate limiting)
- Vercel Blob — attachment and message blob storage
- Amazon Web Services (SES) — inbound and outbound email delivery
- Stripe — subscription billing and invoices
- OpenRouter — cloud AI inference when you use AI features that require remote models
A current list is maintained in our Privacy Policy. Business customers who need a signed Data Processing Agreement (DPA) may request one at privacy@unbox.im.
International transfers
Unbox is primarily operated from Singapore, with infrastructure in AWS ap-southeast-1 and global edge locations used by our hosting providers. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses and vendor DPAs. We are planning EU-region storage options for customers who require data residency in the EU.
Your rights under GDPR
If GDPR applies to you, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Export your data in a portable format
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Withdraw consent where processing is consent-based
- Lodge a complaint with your local supervisory authority
How to exercise your rights today: email privacy@unbox.im from your registered address. We respond within one month. Self-service export and account deletion in Settings are on our roadmap — see below.
AI and your mail
When you use AI features, relevant message content may be sent to AI providers for summarization, classification, or drafting. We minimize what is sent and do not use your mail to train public models. Business customers will be able to restrict cloud AI processing in account settings; until that toggle ships, contact us to opt out of cloud inference.
Security and breaches
We maintain technical and organizational measures including access controls, encryption, MFA/passkey support, and incident response procedures. If a personal data breach poses risk to your rights, we will notify affected users and regulators as required by law.
Planned improvements
We are actively working to strengthen GDPR readiness, including:
- Self-service data export and account deletion in Settings
- Stored consent records at registration with policy version tracking
- Outbound send limits that prevent bulk marketing abuse while allowing normal team notifications (see above)
- Expanded sub-processor transparency and customer DPA templates
- Optional EU data residency
Contact
Data protection inquiries: privacy@unbox.im
General support: hello@unbox.im