Privacy self-serve
Most of the GDPR rights you have against inboxy you can exercise yourself, without writing to us.
What you can do yourself
| Right | Where | Time |
|---|---|---|
| Access (Art. 15) — see what we hold | Export | Instant |
| Portability (Art. 20) — download as JSON | Export | Instant |
| Rectification (Art. 16) — fix wrong info | Settings | Instant |
| Erasure (Art. 17) — delete the account | Delete | Within 30 days |
| Restriction (Art. 18) — suspend processing | Email dpo@inboxy.net |
7 days |
| Object (Art. 21) — to specific processing | Email dpo@inboxy.net |
7 days |
What deletion actually does
Triggering Account → Delete from the UI:
- Marks your
usersrowstatus = 'deleted'immediately. You are signed out and can no longer access the account. - Retires all your
@inboxy.netaddresses — incoming mail to them starts bouncing within minutes. - Revokes all your API keys — any agent or extension holding one returns 401 on its next request.
- Queues a hard-delete job that purges your messages, attachments, and R2 blobs within 30 days.
Audit-log entries are retained for the statutory period set by the Bailiwick of Guernsey ODPA (currently 6 years for the security-relevant subset) and then purged.
Address local-parts are not recycled
When your aliases are retired they are not freed for re-allocation. Nobody who signs up after you can claim your-old-alias@inboxy.net. This is by design — it means mail sent to an address you used while you were a customer cannot reach a stranger.
Lawful basis we rely on
- Contract (Art. 6(1)(b)) — operating the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — abuse prevention, fraud detection, security.
- Legal obligation (Art. 6(1)(c)) — retention of audit logs, response to lawful orders.
We do not rely on consent for the core service. There is no "consent withdrawal" needed to stop core processing — deleting the account stops everything except statutory retention.
Complaints
If you think we are processing your data unlawfully, you have the right to complain to the supervisory authority — the Office of the Data Protection Authority of the Bailiwick of Guernsey (ODPA).
We would rather hear it from you first — dpo@inboxy.net — but you don't need our permission to escalate.
Still need help? support@inboxy.net