Websites owned by Inbox.com AS offer email services and other related services, collectively referred to as the “Service”.
The Service is owned in its entirety by Inbox.com AS (“the Company”, “we” or “us”). The Company is registered and located in Norway, with organization number 920 243 347.
This Privacy Statement was originally written in English; and has been translated into other languages for your convenience. In the event of any inconsistencies between the original version and a translated version, the original (English) version shall prevail: https://www.inbox.com/privacy-policy
We are responsible for the protection of your personal data, and we take this responsibility very seriously.
This Privacy Statement explains what personal data we collect; why we collect data about you; how we use this data; and how we store the data.
By accepting this Privacy Statement, you consent to the processing of your personal data as described in this Privacy Statement.
Processing of personal data takes place in compliance with the General Data Protection Regulation (GDPR) as well as with the country-specific data protection laws applicable to the Company.
The Data Controller is:
Øvre Måsan 10C
2. Personal data collected
To deliver the Service with high quality, we need to collect various types of information, including personal data about you. Below is an overview of how we typically collect personal data and what information this typically is. We do not collect sensitive information.
a) Information provided directly by you
When you register an account or contact us, you provide some information that is stored by us, such as name, email address, mobile number, and payment related information. This information will be stored until you ask us to remove it or the account is deleted. Please see our Terms of Service for information about when an account is deleted.
b) Information obtained through use of the Service
When you use the Service, we may collect certain information, such as your device (e.g., mobile/PC manufacturer, operating system, and browser) and your connection (such as you IP addresses).
Our email service logs all emails that enter and leave the server, login attempts, etc., as well as information about this traffic (such as the IP address and email address of the sender of an email or of the person trying to log in). This logging is done to prevent abuse of the Service and to help you in the event of problems (such as blacklisting of your IP address). The log will be stored on our servers for a maximum of 12 months.
By using the email service, you choose which data we will store on your behalf (such as received emails, sent emails and contacts).
When you use the Service or visit our websites, cookies and other data may be stored on your device, which can later be read by us. A cookie is a text file that is placed in your browser’s internal memory.
4. Purpose of processing personal data
We use personal data for the following purposes:
a) To be able to provide the Service
We use personal data to make sure you can maintain access to the Service. For example, we need your contact details to help you reset your email account password. For this purpose, we collect the following personal data: name, email address, mobile phone number.
If you contact our customer support, we may also need to know who you are, to be able to help you.
Furthermore, we need your contact details to be able to contact you with important information about your email account.
The legal basis for data processing described in this section is the necessity of performing a contract to which you as a data subject are a party in (GDPR art 6(1)(b)).
b) To prevent misuse of the Service
We use personal data to prevent misuse of the Service. Abuse can be attempts to log into other individual’s email accounts, attempts at fraud, “spamming”, incitement, harassment, and other actions prohibited by law or by our Terms of Service. The legal basis for data processing described in this section is the necessity to perfrom legal obligations set to Us (GDPR art 6 (1)(c) and the need to perform a contract (Terms of Service) to which you as a data subject are a party to (GDPR art 6 (1)(b)).
c) To comply with law
We are required to store certain personal data, like your purchase history, to comply with legal obligations set to Us (notably, the Norwegian accounting act, the consumer purchase act and the GDPR) on the legal basis of GDPR art 6(1)(c).
Although the legal basis that applies for our data processing is usually a requirement necessary to enter into a contract (GDPR art 6(1)(b)), other legal basis may also apply. In any case, please feel free to contact us, and we will gladly help to clarify the legal basis that applies to any specific data processing.
d) To ensure information security In order to ensure information security and take the necessary measures to prevent information security incidents, the technical team at the Company may need to access and monitor email traffic. The legal basis for the processing of personal data for this purpose is the legitimate interest (GDPR Art 6(1)(f)) of the company to prevent information security incidents or handle them accordingy.
5. Information sharing
We do not sell your personal data or use data stored in your mailbox for commercial purposes.
We do share personal data with other companies that perform services on our behalf, and we are sometimes required to share information with public authorities:
a) When others perform services on our behalf
To a large extent, IT development, IT operations, data storage, and Customer support is carried out by third parties.
To control the access and usage of personal data by such third parties, we have entered into separate data processing agreements with the companies that process information on our behalf to protect your rights as a data subject. These third parties are not allowed to use any personal data for any other purposes than to perform the agreed services on our behalf. For the execution of card payments your card data will be shared with our payment service provider Stripe. This includes the transfer of personal data into a third country (USA). Our agreement with Stripe defines the appropriate method for such transfer, so that the data is only processed in compliance with GDPR and for the purpose of payment execution.
b) When required by public authorities
If an offense or violation of law is suspected, any stored personal information and other information of interest, may be handed over to public authorities.
We normally do not share any such information without being presented with a valid court order or other legal obligation that specifies exactly what data we are required to share with the public authorities.
Data about customers’ purchase history may also be shared with public authorities to ensure or prove compliance with existing laws and regulations.
6. Data storage
a) How data is stored
The security of your personal data is important for us. All personal data is kept secure and protected from unauthorized access.
We use appropriate security measures to protect personal data under our control against unauthorized access, collection, use, disclosure, modification, or disposal.
Email data and account data (such as name, email addresses, and mobile number) is stored on servers within the European Economic Area (EEA) through our third-party providers. If sending an email to our support team, the support ticket will be stored in our ticketing system Zendesk (USA).
Payment information is stored with Stripe (USA) and NETS (EU).
b) Data retention policy You can delete your email account in the webmail under “My account”.
Lack of an active subscription or successful renewal will also lead to account and data deletion.
Please refer to the Terms of Service for important information about our data retention policy.
7. Your privacy rights
You may exercise certain rights regarding your data. In particular, you have the right to:
- Withdraw your consent to processing of personal data at any time;
- Object to processing of your data;
- Access your data and obtain disclosure regarding certain aspects of the processing;
- Verify and seek rectification of your data;
- Restrict the processing of your data
- Have your personal data deleted (e.g. the right to be „forgotten“);
- Receive a copy of your data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another data controller;
- Lodge a complaint and bring a claim before the competent data protection authority;
Please note that execution of some of these rights will require your email account to be permanently deleted.
We reserve the right to make changes to this Privacy Statement at any time without giving further notice. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom of this page.
In the event of major overhauls or changes, we will usually send a notification to your email address at the Service.
Please also refer to the Terms of Service for additional information about the terms and conditions that applies for the Service.
In addition, as per Article 77 of the GDPR, you have the right to lodge a complaint related to your data processing to a supervisory authority, in particular in your habitual residence, place of work or place of an alleged infringement. In Estonia, this is the Estonian Data Protection Inspectorate.
If you have any questions or inquiries about your data, the processing of it or anything else about the Service, feel free to contact our Support team (link at the bottom of this webpage).
Inquiries regarding this Privacy Statement can also be sent via the contact information listed under section 1 of this Privacy Statement.
Effective from the 3rd of October 2023 (see previous version here)