Privacy Policy

This Privacy Policy describes how Inboxrise ("we", "us", or "our") collects, uses, stores, and shares information when you use our platform at inboxrise.com and associated services ("Service").

We are committed to protecting your privacy and handling your data with transparency. This policy applies to all users of Inboxrise, including free trial users, paid subscribers, and visitors to our website.

For users in the European Union, we act as a data processor for the personal data of your contacts, and as a data controller for your own account data. We are committed to full compliance with the General Data Protection Regulation (GDPR).

We collect the following categories of information:

Account information

• Name, email address, and password (hashed using bcrypt — never stored in plain text)
• Company name and billing information (payment card data is processed by our payment provider and never stored on our servers)
• Profile preferences and account settings

Email infrastructure data

• SMTP and IMAP credentials you provide to connect your inboxes (encrypted with AES-256 at rest)
• Email sending logs including timestamps, recipient addresses, and delivery status
• Inbox warmup activity logs for reputation scoring
• Reply detection events and lead status updates

Contact data

• Names, email addresses, and custom fields of prospects you import into the platform
• Campaign engagement data (open events, reply events) associated with your contacts
• Unsubscribe and bounce records maintained for compliance purposes

Usage and technical data

• IP address, browser type, and device information collected when you access the Service
• Pages visited, features used, and session duration for product analytics
• Error logs and performance data used to maintain and improve the Service

We use the data we collect for the following purposes:

• Providing the Service: Operating inbox warmup, campaign sending, IMAP monitoring, and all other core features
• Account management: Processing your registration, authentication, and subscription billing
• Customer support: Responding to your enquiries, resolving issues, and onboarding assistance
• Service improvement: Analysing usage patterns (in aggregate) to improve features and performance
• Security: Detecting and preventing fraud, abuse, and unauthorised access
• Legal compliance: Meeting our obligations under applicable laws including GDPR, CAN-SPAM, and Indian data protection law
• Communications: Sending you product updates, billing notices, and security alerts (you can opt out of marketing communications at any time)

We do not: sell your data to third parties, use your data for advertising, share your contact lists with other users, or use your email content to train machine learning models.

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

• Contract performance: Processing necessary to deliver the Service you have subscribed to, including account management, email sending, and billing
• Legitimate interests: Product analytics, security monitoring, and fraud prevention — where our interests do not override your fundamental rights
• Legal obligation: Compliance with applicable laws, responding to lawful requests from authorities, and maintaining required records
• Consent: Marketing communications, where you have explicitly opted in. You may withdraw consent at any time.

For your contacts' personal data (names, email addresses you import), you are the data controller and we act as a data processor under Article 28 of the GDPR. A Data Processing Agreement (DPA) is available on request at privacy@inboxrise.com.

We share your data only in the following limited circumstances:

• Sub-processors: Third-party services we use to operate the platform (see Section 6). These providers are contractually bound to process data only on our instructions.
• Legal requirements: If required by law, court order, or a governmental authority with jurisdiction over us, we may disclose data. We will notify you where legally permitted to do so.
• Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the successor entity. You will be notified in advance.
• With your consent: In any other circumstances, only with your explicit prior consent.

We do not share, sell, rent, or trade your personal data or your contacts' data with any third party for their own marketing or commercial purposes.

We use the following third-party sub-processors to operate our Service. Each is bound by a data processing agreement and appropriate safeguards:

We review our sub-processors regularly and will update this list when changes occur. You may request notification of sub-processor changes by emailing privacy@inboxrise.com.

We retain different types of data for different periods based on the purpose for which they were collected:

• Account data: Retained for the duration of your subscription and for 30 days after cancellation, after which it is permanently deleted
• Contact lists and campaign data: Retained for the duration of your subscription. Deleted within 30 days of account closure.
• Email sending logs: Retained for 90 days for deliverability analysis and troubleshooting, then deleted
• Billing records: Retained for 7 years as required by Indian accounting and tax law
• Security logs: Retained for 90 days, then deleted
• Suppression lists (unsubscribes, bounces): Retained indefinitely to honour opt-outs and prevent future unwanted contact

You may request early deletion of your data at any time (subject to legal retention obligations) by contacting privacy@inboxrise.com.

We take data security seriously and implement the following technical and organisational measures:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: SMTP and IMAP credentials are encrypted using AES-256. Passwords are hashed using bcrypt with a high work factor and never stored in plain text.
• Access controls: Production systems are accessible only to authorised personnel via SSH key authentication. No password-based access.
• Database security: Row Level Security (RLS) is enforced at the database level, ensuring each user can only access their own data
• Monitoring: We monitor for unusual access patterns and potential security incidents 24/7
• Vulnerability management: We apply security patches promptly and conduct periodic security reviews

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware, as required by GDPR Article 33.

To report a security vulnerability, please email security@inboxrise.com. We take all reports seriously and respond within 48 hours.

Depending on your location, you have the following rights regarding your personal data. We respond to all valid requests within 30 days.

To exercise any of these rights, email privacy@inboxrise.com with your request. We may need to verify your identity before processing. If you are unhappy with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).

We use a minimal set of cookies to operate the Service:

• Essential cookies: Authentication session tokens required to keep you logged in. These cannot be disabled without breaking the Service.
• Preference cookies: Storing your UI preferences such as dashboard layout. These expire after 12 months.
• Analytics cookies: Aggregate, anonymised usage data to understand how the product is used. No personally identifiable information is captured. You may opt out via your browser settings.

We do not use third-party advertising cookies. We do not place tracking pixels in emails we send on your behalf without your explicit configuration to do so.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in to the Service.

Inboxrise is headquartered in India. Our primary database infrastructure is hosted in South Asia (Mumbai). Some sub-processors are located in the United States or European Union.

For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Our sub-processors in the USA have signed SCCs or are covered by equivalent safeguards.

You may request a copy of the relevant transfer mechanisms by contacting privacy@inboxrise.com.

The Service is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If you believe we have inadvertently collected data from a child, please contact us at privacy@inboxrise.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to all active account holders at least 14 days before changes take effect
• Display a prominent notice within the platform for the first login after the updated policy is published

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

• Privacy enquiries: privacy@inboxrise.com
• Security issues: security@inboxrise.com
• General contact: inboxrise.com/contact
• Postal address: Inboxrise, Jamshedpur, Jharkhand, India

We respond to all privacy-related enquiries within 30 days. For complex requests involving data access or erasure, we may take up to 3 months and will notify you of any extension within the initial 30-day period.