Privacy Policy
Effective date: June 1, 2026 · Last updated: June 30, 2026
Zeptun Intelligence Limited (Hong Kong SAR) ("we," "us," or "our") operates the Unbox mail hosting platform at unbox.im. This Privacy Policy explains how we collect, use, and protect information when you use our service.
Information we collect
Account information. When you register, we collect your name, email address, company name, and authentication credentials (including OAuth tokens for connected accounts).
Hosted mail. For mail sent to and from addresses on domains you host with Unbox, we store message content, metadata, and attachments encrypted at rest in our database.
External mail. For Gmail, Outlook, and other connected accounts, we cache message metadata and short previews for up to seven days. Full message bodies are fetched on demand and are not persistently stored.
Outbound send metadata. When you send via the web app, HTTP API, or SMTP, we record delivery metadata (recipients, subject, timestamps, status) for abuse prevention and troubleshooting. Delivery logs do not store message bodies by default.
Usage data. We collect standard log data including IP address, browser type, pages visited, and feature usage to improve reliability and security.
How we use information
- Provide, maintain, and improve the Unbox service
- Process and deliver email on your hosted domains
- Generate AI summaries, classifications, and drafts at your direction
- Send transactional emails (account verification, billing, security alerts)
- Detect and prevent fraud, abuse, and security incidents
- Enforce transactional-only outbound policy and rate limits on API and SMTP traffic
Outbound API and SMTP (transactional mail only)
Unbox provides an HTTP API and optional SMTP submission for transactional mail only — not for marketing newsletters, promotional bulk sends, or cold outreach. We do not operate a broadcast or newsletter product.
Permitted examples include password resets, order confirmations, security alerts, and team notifications triggered by a specific event.
We apply recipient caps, send-rate limits, and plan quotas to outbound traffic. Enforcement is live on the web composer, HTTP API, and SMTP submission — see our Terms of Service and GDPR Statement for limits (50 recipients per message, 1,000 unique recipients per workspace per day, 10 send requests per minute per domain).
AI processing
When you use AI features, relevant message content may be sent to our AI providers for processing. We use efficient local models where possible and cloud models for complex tasks. Business customers may request restriction of cloud AI processing by contacting privacy@unbox.im; a self-service toggle is planned.
Data sharing and sub-processors
We do not sell your personal information. We share data only with:
- Vercel — application hosting and serverless functions
- Neon — PostgreSQL database
- Upstash — Redis (queues and rate limiting)
- Vercel Blob — attachment storage
- Amazon Web Services (SES) — inbound and outbound email delivery
- Stripe — billing and invoices
- OpenRouter — cloud AI inference when you use features that require remote models
- DigitalOcean — optional SMTP edge infrastructure when enabled for your account
- Law enforcement when required by valid legal process
These providers process data under contractual safeguards. See our GDPR Statement for more detail.
Data retention
Hosted mail is retained until you delete it or close your account. External account cache expires after seven days. Outbound delivery logs are retained for a short period (default 14 days) then purged. Account data is deleted within 30 days of account closure, except where retention is required by law.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. Contact privacy@unbox.im to exercise these rights.
Security
We encrypt data in transit (TLS) and at rest (AES-256). OAuth tokens, API keys, and sensitive credentials are protected with industry-standard hashing or encryption. We conduct regular security reviews and maintain incident response procedures.
Contact
Questions about this policy: privacy@unbox.im