Privacy Policy

1. Introduction

oly Inbox ("we", "us") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It applies to olyinbox.com and the oly Inbox email-forwarding service.

2. Information we collect

Account information: your name, email address, and password hash (we never store plaintext passwords; we use bcrypt).

Billing information: Stripe handles all payment data. We store only a Stripe customer ID, subscription ID, and the last-4 digits of your card as returned by Stripe.

Domain information: domains you connect, Mailgun verification state, DNS records, and alias configurations.

Usage data: timestamps of login, domain/alias CRUD actions, and aggregated deliverability statistics from Mailgun (accepted/delivered/failed counts per alias).

Device & analytics: on the marketing site, Google Analytics 4 collects anonymized, aggregated visit data (page views, referrers, country). IP addresses are truncated before storage. No GA4 is loaded inside the logged-in dashboard.

3. What we do NOT collect

We do not store the content of your emails. Messages pass through Mailgun's routing infrastructure and are forwarded to your destination mailbox in real time. We do not keep copies on oly Inbox servers.

We do not sell or rent your personal information to third parties.

4. How we use your information

To provide the Service (route your email, verify your domains, bill you), communicate about your account (receipts, security alerts, product updates), improve deliverability, and prevent abuse.

5. Sub-processors

We use the following processors:

· Mailgun (email routing and deliverability) — https://www.mailgun.com/privacy-policy/

· Stripe (payments) — https://stripe.com/privacy

· MongoDB Atlas (application database) — https://www.mongodb.com/legal/privacy-policy

· Google Analytics 4 (marketing-site analytics only) — https://policies.google.com/privacy

6. Data retention

We retain account and billing records for the life of your account plus 7 years for tax/accounting purposes. On account deletion we remove Mailgun routes within 30 days and anonymize alias/domain records after 90 days.

7. Your rights

You can access, correct, export, or delete your personal data at any time by emailing support@olyinbox.com. If you are in the EU/UK, you have GDPR rights (access, rectification, erasure, restriction, portability, objection). If you are in California, you have CCPA/CPRA rights. We respond within 30 days.

8. Security

We encrypt data in transit (TLS 1.2+) and at rest. Passwords are bcrypt-hashed. Webhook signatures are verified. Admin access is 2-factor-gated on our infrastructure. No system is 100% secure; we work hard to protect yours.

9. Cookies

We use two httpOnly session cookies (access_token, refresh_token) to keep you logged in. These are Secure, SameSite=Lax, and cleared on logout. The marketing site uses a single GA4 cookie (_ga) only on olyinbox.com.

10. Children's privacy

oly Inbox is not directed to children under 13. We do not knowingly collect personal information from children. If you believe we have, email support@olyinbox.com for deletion.

11. International transfers

Your data may be processed in the United States where our sub-processors operate. We rely on Standard Contractual Clauses where required.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be emailed to the address on file at least 14 days before taking effect.

13. Contact

Questions, requests, or complaints: support@olyinbox.com. For privacy-specific matters please put "Privacy" in the subject line.