Privacy Policy

Effective date: June 1, 2026 · Last updated: June 30, 2026

Zeptun Intelligence Limited (Hong Kong SAR) ("we," "us," or "our") operates the Unbox mail hosting platform at unbox.im. This Privacy Policy explains how we collect, use, and protect information when you use our service.

Information we collect

Account information. When you register, we collect your name, email address, company name, and authentication credentials (including OAuth tokens for connected accounts).

Hosted mail. For mail sent to and from addresses on domains you host with Unbox, we store message content, metadata, and attachments encrypted at rest in our database.

External mail. For Gmail, Outlook, and other connected accounts, we cache message metadata and short previews for up to seven days. Full message bodies are fetched on demand and are not persistently stored.

Outbound send metadata. When you send via the web app, HTTP API, or SMTP, we record delivery metadata (recipients, subject, timestamps, status) for abuse prevention and troubleshooting. Delivery logs do not store message bodies by default.

Usage data. We collect standard log data including IP address, browser type, pages visited, and feature usage to improve reliability and security.

How we use information

Outbound API and SMTP (transactional mail only)

Unbox provides an HTTP API and optional SMTP submission for transactional mail only — not for marketing newsletters, promotional bulk sends, or cold outreach. We do not operate a broadcast or newsletter product.

Permitted examples include password resets, order confirmations, security alerts, and team notifications triggered by a specific event.

We apply recipient caps, send-rate limits, and plan quotas to outbound traffic. Enforcement is live on the web composer, HTTP API, and SMTP submission — see our Terms of Service and GDPR Statement for limits (50 recipients per message, 1,000 unique recipients per workspace per day, 10 send requests per minute per domain).

AI processing

When you use AI features, relevant message content may be sent to our AI providers for processing. We use efficient local models where possible and cloud models for complex tasks. Business customers may request restriction of cloud AI processing by contacting privacy@unbox.im; a self-service toggle is planned.

Data sharing and sub-processors

We do not sell your personal information. We share data only with:

These providers process data under contractual safeguards. See our GDPR Statement for more detail.

Data retention

Hosted mail is retained until you delete it or close your account. External account cache expires after seven days. Outbound delivery logs are retained for a short period (default 14 days) then purged. Account data is deleted within 30 days of account closure, except where retention is required by law.

Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. Contact privacy@unbox.im to exercise these rights.

Security

We encrypt data in transit (TLS) and at rest (AES-256). OAuth tokens, API keys, and sensitive credentials are protected with industry-standard hashing or encryption. We conduct regular security reviews and maintain incident response procedures.

Contact

Questions about this policy: privacy@unbox.im

Unbox — Privacy Policy | Unbox.im