Privacy Policy
Effective 2026-07-03
What we process
- Email addresses you submit for verification. We act as a processor: addresses are used to run the verification, cached for up to 72 hours (so your re-verification is free), and retained in request logs for up to 90 days for billing and abuse prevention. They are never sold, shared with third parties for marketing, or used to build lists.
- Account data: your billing email, hashed API keys (we cannot recover raw keys), and a credit ledger. Payments are processed by Stripe or settled on-chain via x402 — we never see card numbers.
- Dashboard: your API key is stored in your own browser's localStorage only. We never transmit your API key to any analytics service.
- Analytics: we use Google Analytics 4 with IP anonymization to understand which pages and features people use, so we can improve the product. It sets a first-party
_gacookie. We do not send Google the email addresses you verify or your API key — only page views and product events (e.g. which call-to-action was clicked). You can block it with any tracker-blocking extension without affecting the API.
Escalated verifications
When a verification result is unknown, the single address may be submitted to a wholesale verification provider to resolve it. The response evidence discloses when this happened.
Your rights
Request deletion of any address or your account data: hello@inboxpolicy.com. We answer within 30 days. EU/UK data subjects: we support access, rectification, and erasure requests under GDPR.
Infrastructure
Servers are located in the EU (Sweden). Transport is TLS end to end.