Privacy Policy

Last Updated: January 25, 2026

This Privacy Policy explains how Innbocks collects, uses, stores, and protects information when you use our platform.

1. Introduction

Innbocks ("we," "us," "our") is a business-to-business software-as-a-service (SaaS) platform that provides mailbox operators ("Operators") with tools for mail management, digital scanning, customer communication, and record-keeping.

Important Distinction:

  • Innbocks is a software platform only. We do not provide postal addresses, receive mail, forward packages, or operate mailbox facilities.
  • For Operators: Innbocks acts as a data processor. You are the data controller for your end customers' data.
  • For End Users: Your Operator is the data controller. Please contact your Operator for data subject requests.

This Privacy Policy applies to data we collect directly from Operators and data we process on behalf of Operators.

2. Information We Collect

2.1 Information Collected from Operators

  • Account registration information (name, email, phone, business name)
  • Billing and payment information
  • Business address and contact details
  • Platform usage data and preferences
  • Support communications

2.2 Information Processed on Behalf of Operators

When Operators use our platform, we process the following data on their behalf:

  • End customer account information (as provided by Operator)
  • Mail metadata (sender information, dates, tracking numbers)
  • Images of mail and package exteriors (as scanned by Operator)
  • Scanned mail content images (when initiated by Operator)
  • Timestamps and activity logs
  • Communication records between Operator and End User

2.3 Information We Do NOT Collect

  • Physical mail contents (unless scanned and uploaded by Operator)
  • End customer identity verification documents (processed by Operator only)
  • Postal regulatory forms (e.g., USPS Form 1583)
  • Financial account information of End Users

2.4 Automatically Collected Information

  • IP addresses and device information
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Cookies and similar technologies (see Section 8)

3. How We Use Information

We use collected information for the following purposes:

  • Providing, operating, and maintaining the Innbocks platform
  • Processing payments and managing subscriptions
  • Communicating with Operators about their accounts and services
  • Providing customer support
  • Improving and developing new features
  • Ensuring platform security and preventing fraud
  • Complying with legal obligations
  • Analyzing usage trends (in aggregated, anonymized form)

For data processed on behalf of Operators, we act only in accordance with Operator instructions and applicable data processing agreements.

4. Legal Basis for Processing (EU & UK GDPR)

For individuals in the European Union and United Kingdom, we process personal data under the following legal bases pursuant to EU GDPR (Regulation 2016/679) and UK GDPR:

  • Contract Performance (Article 6(1)(b)): Processing necessary to perform our agreement with Operators
  • Legitimate Interests (Article 6(1)(f)): Processing for our legitimate business interests (platform improvement, security, fraud prevention), balanced against individual rights
  • Legal Compliance (Article 6(1)(c)): Processing required to comply with legal obligations
  • Consent (Article 6(1)(a)): Where required by law (e.g., marketing communications), we obtain explicit consent

When acting as a data processor for Operators, we process data based on the Operator's instructions and the legal basis established by the Operator as data controller, in accordance with Article 28 of the EU/UK GDPR.

5. Data Sharing and Disclosure

We may share information with:

  • Service Providers: Third-party vendors who assist in providing our services (hosting, payment processing, analytics), bound by confidentiality agreements
  • Operators: End User data is shared with the relevant Operator as the data controller
  • Legal Requirements: When required by law, court order, or government authority
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Consent: When you have provided explicit consent

We do NOT sell or rent personal data to third parties for marketing purposes.

6. International Data Transfers

Innbocks is based in the United States. Data may be stored and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the UK, EU, or Canada to countries without an adequate level of data protection:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO
  • We implement appropriate technical and organizational safeguards
  • EU and UK Operators may request our International Data Transfer Addendum
  • We conduct transfer impact assessments where required

7. Data Retention

We retain data as follows:

  • Operator Account Data: Retained while the account is active and for a reasonable period thereafter for legal and business purposes
  • End User Data (Processed for Operators): Retained in accordance with Operator instructions and our data processing agreement. Operators may configure retention periods and request data deletion.
  • Billing Records: Retained as required by tax and accounting regulations
  • Security Logs: Retained for security analysis and legal compliance purposes

Operators have access to data deletion controls within the platform and may request complete data removal upon account termination.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain session authentication
  • Remember user preferences
  • Analyze platform usage
  • Ensure platform security

You may control cookies through your browser settings. Disabling certain cookies may affect platform functionality.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication requirements
  • Regular security assessments and monitoring
  • Employee training on data protection
  • Secure data center facilities

While we implement industry-standard security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

10. Your Data Protection Rights

10.1 Rights Under EU & UK GDPR (European Union & United Kingdom)

If you are in the European Union or United Kingdom, you have the following rights under EU GDPR (Regulation 2016/679), UK GDPR, and the Data Protection Act 2018:

  • Right of Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion of your data (subject to legal requirements)
  • Right to Restrict Processing (Article 18): Request limitation of processing
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making (Article 22): Not be subject to solely automated decisions with legal effects

EU data subjects may lodge a complaint with their local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

UK data subjects may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10.2 Rights Under PIPEDA (Canada)

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation, including:

  • Access to your personal information
  • Correction of inaccurate information
  • Information about our privacy practices
  • Withdrawal of consent (subject to legal or contractual restrictions)
  • Complaint to the Privacy Commissioner of Canada

We adhere to PIPEDA's ten fair information principles, including accountability, consent, accuracy, and safeguards.

10.3 Rights for U.S. Residents

While the U.S. does not have a comprehensive federal privacy law, we provide transparency about our data practices and respond to reasonable requests regarding your personal information. Residents of states with specific privacy laws (e.g., California, Virginia, Colorado) may have additional rights under those laws.

10.4 End User Requests

If you are an End User accessing Innbocks through an Operator, please direct data subject requests to your Operator, as they are the data controller for your information. We will cooperate with Operators to fulfill legitimate requests.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms:

  • EU GDPR (Article 33/34): We will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where the breach is likely to result in a high risk
  • UK GDPR: We will notify the ICO within 72 hours and affected individuals without undue delay where required
  • PIPEDA: We will notify the Privacy Commissioner and affected individuals as required by Canadian law
  • Operators: We will promptly notify affected Operators of any breach involving their data

12. Children's Privacy

Innbocks is a business platform not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or through the platform. The "Last Updated" date at the top indicates when this policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or to exercise your data protection rights, please contact us:

Contact Innbocks

Data Processing Addendum (Summary)

This section summarizes key terms applicable to Innbocks as a data processor. A full Data Processing Addendum (DPA) is available upon request for Operators requiring formal processor agreements under EU GDPR (Article 28), UK GDPR, or PIPEDA.

Scope

This DPA applies when Innbocks processes personal data on behalf of Operators (data controllers) in connection with the Innbocks platform.

Processing Instructions

Innbocks processes personal data only in accordance with documented instructions from the Operator, unless required by law to do otherwise.

Confidentiality

Innbocks ensures that personnel authorized to process personal data are bound by confidentiality obligations.

Security Measures

Innbocks implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.

Sub-processors

Innbocks engages sub-processors (hosting providers, analytics services) to assist in providing the platform. A list of sub-processors is available upon request. We ensure sub-processors are bound by data protection obligations.

Data Subject Requests

Innbocks assists Operators in responding to data subject access requests, deletion requests, and other rights requests as required by applicable law.

Audit Rights

Innbocks provides Operators with information necessary to demonstrate compliance and allows for audits, subject to reasonable confidentiality and scheduling arrangements.

Data Return and Deletion

Upon termination of services, Innbocks returns or deletes personal data as instructed by the Operator, unless retention is required by law.

To request a full Data Processing Addendum, please contact us.

Notice to Operators: Your Privacy Responsibilities

As an Operator using Innbocks, you are the data controller for your end customers' personal data. You are responsible for:

  • Establishing and publishing your own privacy policy for end customers
  • Obtaining appropriate consent or establishing lawful bases for processing
  • Responding to data subject access, correction, and deletion requests
  • Ensuring lawful cross-border transfers of end customer data
  • Notifying end customers of data breaches as required by law
  • Complying with all applicable data protection laws in your jurisdiction (EU GDPR, UK GDPR, PIPEDA, U.S. state laws, etc.)

Innbocks provides tools to help you manage customer data, configure retention periods, and respond to data requests, but ultimate compliance responsibility rests with you as the data controller.