Cleanbox
Features Blog Pricing Developers
Sign in Start free trial
Home Privacy Policy

Privacy Policy

Last updated: June 14, 2026

This Privacy Policy (“Policy”) describes how Cleanbox (“Cleanbox”, “we”, “us”, or “our”), a product of Directbit, registered in the Netherlands (KvK: 69848440), Schoutlaan 28, 6002EA Weert, collects, uses, stores, shares, and protects your personal data when you access or use our platform, website, APIs, and related services (collectively, the “Service”) available at cleanbox.app. This Policy applies to all users of the Service, including visitors, registered users, and API consumers.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not use the Service.

Cleanbox is an email alias and filtering management service. We act as an intermediary, allowing you to create email aliases that forward messages to your real mailboxes, filter incoming emails, and manage sender contacts — all without exposing your personal email address.

Before reading, please note:

  • Cleanbox is not intended for anyone under the age of 16. If you are under 16, do not submit personal data through our platform.
  • If you have questions about emails you received through a Cleanbox alias, contact the original sender directly.
  • For your account data, billing data, connected-mailbox (IMAP) credentials, and contact records, Cleanbox acts as the data controller. For the content of email messages that pass through the Service, Cleanbox acts as a data processor on your behalf, and you remain the data controller for that content. We process email content solely according to your instructions (alias configuration, filter rules, shield settings) and this Policy.

1. What data do we collect?

1.1 Account data

When you register for Cleanbox, we collect:

  • Email address (required)
  • Password (stored using industry-standard one-way hashing — we never store or have access to your password in plain text)
  • First name and last name (optional)
  • Timezone and locale preferences (optional)

We also generate a unique identifier (UUID) for your account and record your account creation and last-updated timestamps.

1.2 Team and billing data

When you create or join a team, we store:

  • Team name and unique identifier
  • Your membership role (owner, admin, or member) and granular permissions
  • Weekly message usage count (reset every Monday at 00:00 UTC)
  • Stripe customer identifier and subscription identifier (if on a paid plan)
  • API key (if you enable API access for the team)

1.3 Email message data

When an email is received at one of your aliases, we process and store:

  • Sender information: email address, display name, registered domain
  • Message metadata: recipient alias address, subject line (decoded from MIME encoding), message size in bytes, received timestamp, and delivery status (pending, delivered, rejected, denied, snoozed, quarantined, bounced, or failed)
  • Message property flags: indicators for whether the email contains attachments, is a newsletter, is encrypted, includes calendar data, is a forwarded message, requests read confirmation, is high priority, is automated, or was sent to multiple recipients (CC/BCC)
  • Spam analysis results: a numerical spam score and a detailed report in JSON format, generated by our spam detection system (rspamd)
  • Delivery options: target IMAP folder and flags (e.g., mark as read, mark as flagged), if applicable
  • Filter reference: which filter rule, if any, was applied to the message
  • Raw email content: the full RFC 822 email (including all headers, body parts, and inline content) is stored temporarily in our object storage infrastructure. By default, raw messages are automatically deleted after 7 days. This retention period varies based on your subscription plan.

We do not extract or index the full email body text in our database. Only metadata is stored in the database; the raw email file is held in secure, private object storage and automatically purged after the applicable retention period.

1.4 Contact data

For each unique sender that emails your aliases, we automatically create and maintain a contact record containing:

  • Sender email address and display name history (we track name changes over time)
  • Registered domain (extracted from the sender’s email address)
  • Contact category (automatically assigned based on domain; you may override this manually)
  • Contact state (unset, blocked, whitelisted, prioritized, or muted)
  • Total email count from this sender and last seen date
  • Whether the sender uses a private/free email provider (e.g., Gmail, Outlook)
  • Cloud storage preference (whether to store attachments for this contact)

1.5 Subscription and unsubscribe data

When incoming emails contain List-Unsubscribe headers (common in newsletters and marketing emails), we extract and store:

  • Unsubscribe URL and/or mailto address
  • Whether one-click unsubscribe is supported (RFC 8058)
  • Subscription status (active, unsubscribed, or failed)
  • Mailing list identifier (if present)
  • First seen and last seen timestamps

When you use our unsubscribe feature, we make HTTP requests (GET or POST) to the unsubscribe URLs provided by the original sender. These requests are made on your behalf and may transmit your email address or a list-specific token to the sender’s unsubscribe endpoint.

1.6 Attachment data

If you enable cloud storage for a contact, we store attachments associated with their messages:

  • File name, file extension, and file size
  • File content in secure, private object storage

Attachments persist independently of message retention — deleting or purging an email does not delete its stored attachments. Attachments remain available until you manually delete them, disable cloud storage for the contact, or delete your account. Total attachment storage is limited by your team’s cloud storage quota.

1.7 Connected mailbox data

If you connect an external IMAP mailbox for email delivery, we store:

  • IMAP server hostname and port
  • IMAP username
  • IMAP password (encrypted at rest using industry-standard authenticated encryption with a server-side key — never stored in plain text)
  • Target IMAP folder name (default: INBOX)
  • Mailbox active/inactive status

When delivering emails to your connected mailbox, we connect to your IMAP server using these stored credentials and append the raw email message. We may apply IMAP flags (such as \Seen or \Flagged) based on your filter and shield configuration.

1.8 Custom domain data

If you configure a custom domain, we store:

  • Domain name
  • Verification token (cryptographically random string)
  • MX record validity status
  • TXT record validity status
  • Overall verification status
  • Creation timestamp

Domain verification is performed by querying public DNS records (MX and TXT) for your domain. These are standard DNS lookups and do not involve sending data to any third-party verification service.

1.9 IP addresses

We process IP addresses in the following limited contexts:

  • Inbound email processing: The sending mail server’s IP address is captured during the SMTP session. This IP is used in real-time for DNS-based blacklist (DNSBL) lookups to assess spam risk. The IP is not permanently stored in our database.
  • Bot protection: Your IP address is transmitted to CloudFlare Turnstile during registration and login for CAPTCHA verification.
  • Server logs: IP addresses may appear in our server application logs as part of standard SMTP session logging. See Section 1.11 for log retention details.

We do not store IP addresses in user, contact, or message database records.

1.10 Activity logs

We maintain an internal activity log for each team that records significant events such as filter deletions, shield modifications, and other administrative actions. These logs contain brief text descriptions (up to 500 characters) and timestamps.

1.11 Server and application logs

Our servers generate operational log files that may contain:

  • Timestamps of email processing events
  • Email addresses (sender and recipient aliases)
  • Truncated subject lines (up to 60 characters)
  • Sending server IP addresses
  • Spam scores
  • Delivery success/failure status
  • Error messages and stack traces (in error conditions)
  • Registration attempt records (email address only)

These logs are used exclusively for debugging, monitoring service health, and investigating abuse. Server logs are stored on our infrastructure and are not shared with third parties.

1.12 Client-side storage

On the client side (in your browser), we store only:

  • Theme preference (light/dark mode) in localStorage
  • Cookie consent preference via the cleanbox_consent cookie (see Section 4)
  • Session data via standard browser cookies (see Section 4)

We do not use IndexedDB, Service Workers, or any other client-side persistent storage mechanisms. We do not operate as a Progressive Web App (PWA).

1.13 Team invitations

When you invite someone to your team, we store:

  • Invitee email address
  • Invitation token (cryptographically random string)
  • Inviter identity (name and email)
  • Team reference
  • Invitation status (pending, accepted, or expired)
  • Creation timestamp

The invitee receives an email containing the inviter’s name, email address, team name, and a link to accept the invitation. Invitations expire after 7 days.


2. How do we collect your data?

We collect data through the following means:

  • Directly from you: When you register, configure settings, create aliases, connect mailboxes, set up filters, or interact with the Service.
  • Automatically from incoming email: When third parties send email to your aliases, we automatically process the email content, extract metadata, analyze for spam, and create contact records.
  • Automatically from your browser: Essential cookies and localStorage entries are set when you use the web interface.
  • From third-party services: We receive webhook notifications from Stripe regarding your subscription status (e.g., payment confirmation, subscription changes, cancellations).

We do not purchase, scrape, or otherwise acquire personal data from data brokers or other third-party sources.


3. How do we use your data?

We use your data strictly for the following purposes:

Purpose Lawful basis (GDPR) Data used
Providing the core service (alias creation, email forwarding, filtering, delivery) Performance of contract Account data, email data, mailbox data, filter/shield configuration
Spam detection and prevention Legitimate interest (security) Raw email content, sender IP address, sender information
Automated contact categorization Legitimate interest (service functionality) Sender domain, contact data
Billing and subscription management Performance of contract Team data, Stripe identifiers
Bot protection during registration and login Legitimate interest (security) IP address (via CloudFlare Turnstile)
Sending transactional emails (verification, invitations) Performance of contract Email address, verification codes, invitation details
Enforcing usage limits per subscription plan Performance of contract Weekly message count, team plan data
Processing unsubscribe requests on your behalf Your explicit action (consent) Unsubscribe URLs, sender tokens
DNS-based spam blacklist checks Legitimate interest (security) Sending server IP address
Domain verification for custom domains Performance of contract Domain name, DNS records
Debugging and maintaining service reliability Legitimate interest (operations) Server logs, error logs
Validating connected mailbox credentials Performance of contract IMAP credentials (encrypted)

We use email message data to train our spam detection models, including Bayesian classifiers and crowd-sourced sender reputation (see Section 11). This training is an integral part of providing the Service. We do not use your data for: advertising or marketing (we send no marketing emails), user profiling or cross-site tracking, selling renting or trading to any third party, or any purpose unrelated to providing and maintaining the Service. Website analytics (Google Analytics, Plausible) are used solely to understand aggregate traffic patterns and are not linked to your Cleanbox account or email data.


4. Cookies and similar technologies

We use a minimal number of cookies to operate the Service and to understand how our website is used.

4.1 Strictly necessary cookies

Cookie Purpose Duration
cleanbox_session Maintains your authenticated login session. Contains a session identifier. 7 days
cleanbox_session_validation Validates the integrity of your active session. Automatically set when you are logged in. 3 days
REMEMBERME Keeps you logged in between browser sessions. Only set if you opt in at login. 7 days
cleanbox_consent Stores your cookie consent preference (granted or denied). This cookie is strictly necessary to remember your choice. 180 days

4.2 Analytics cookies

We use Google Analytics to understand how visitors interact with our website (pages visited, traffic sources, session duration). Analytics cookies are only set after you consent via our cookie banner. If you reject analytics cookies, Google Analytics operates in cookieless mode via Google Consent Mode v2 and does not store any cookies on your device. Google Analytics sets the following cookies upon consent:

Cookie Purpose Duration
_ga Distinguishes unique visitors. 2 years
_ga_* Maintains session state. 2 years

We also use Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. Plausible aggregates page views without identifying individual visitors.

4.3 Cookie consent

When you first visit our website, a cookie banner asks for your consent before any analytics cookies are set. You can change your preference at any time using the “Cookie Settings” link in the website footer. Your consent preference is stored in the cleanbox_consent cookie for 180 days.

4.4 Cookie security

Cookie security settings: SameSite: Lax (prevents cross-site request forgery), Secure: all cookies are transmitted over HTTPS only, CSRF tokens are generated per form submission for additional protection.

We do not use: marketing or advertising cookies, third-party tracking cookies, or fingerprinting techniques.


5. Who do we share your data with?

We share your data only with the following third-party service providers, strictly as necessary to operate the Service:

Provider Purpose Data shared
Stripe Payment processing and subscription management Customer identifier, subscription identifier, payment events (via webhooks). We do not store or have access to your credit card details — these are handled entirely by Stripe.
CloudFlare (Turnstile) Bot protection during registration and login IP address and browser challenge response. Used solely for CAPTCHA verification.
DigitalOcean Spaces Object storage for raw email messages and attachments Raw email files and attachment files. Stored in private, non-publicly-accessible buckets with server-side encryption.
Your IMAP provider Email delivery to your connected mailbox Raw email content (forwarded to your mailbox via IMAP). This is initiated by you when you connect a mailbox.
DNS-based blacklist providers (DNSBL) Spam prevention for inbound email Sending mail server IP address (queried against public blacklists such as Spamhaus, Barracuda, and SpamCop).
Unsubscribe endpoints Processing your unsubscribe requests When you click unsubscribe, we send a request to the sender’s unsubscribe URL or mailto address on your behalf. This may include your email address or a list-specific token.
Mailgun Transactional email delivery (account verification, password resets, team invitations) Recipient email address and message content. We do not use Mailgun for marketing emails.
Google Analytics Website usage analytics Anonymized page views, traffic sources, session duration, and browser/device type via cookies (_ga, _ga_*). We do not enable Google Signals, User-ID, or advertising features. Data is not linked to your Cleanbox account.
Plausible Analytics Privacy-focused website analytics Aggregated, anonymous page view counts. Plausible does not use cookies and does not collect personal data or IP addresses.
Proofly Social proof notifications on the marketing website Anonymous page visit data used to display recent activity notifications. No personal data from your Cleanbox account is shared.

We do not sell, rent, trade, or otherwise share your personal data with any party not listed above. We do not use advertising networks or data brokers.


6. Data retention

We retain your data for the minimum period necessary to provide the Service and comply with our legal obligations.

Data type Retention period
Account data Retained for the lifetime of your account. Deleted when you delete your account.
Raw email messages (object storage) Automatically purged based on your subscription plan: Free — 7 days, Personal — 30 days, Premium — 60 days, Advanced — 120 days, Enterprise — 365 days.
Message metadata (database) Retained for the same period as raw messages, per your subscription plan.
Quarantined messages Fixed 30-day retention window, regardless of plan. Automatically deleted after 30 days if not released or manually deleted.
Attachments (cloud storage) Persist independently of message retention. Deleted when you manually remove them, disable cloud storage for the contact, or delete your account. Subject to your team’s cloud storage quota.
Contact records Retained for the lifetime of your account. You may delete individual contacts at any time.
Server and application logs Retained for up to 30 days, then automatically rotated and deleted.
Activity logs Retained for the lifetime of your team.
Team invitations Pending invitations expire after 7 days. Accepted and expired invitation records are retained for audit purposes.
IMAP credentials Retained until you disconnect the mailbox or delete your account. Stored encrypted at rest.

When you delete your account, we delete all associated data (account information, team data, aliases, contacts, messages, mailbox credentials, filters, shield rules, and stored files) within 30 days. Some data may persist in encrypted backups for up to an additional 30 days before those backups are rotated.


7. Data security

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit: All connections to our website and application are encrypted using TLS (HTTPS). IMAP connections to your mailbox provider use TLS/SSL.
  • Encryption at rest: IMAP passwords are encrypted using industry-standard authenticated encryption with a server-side key. Raw email files and attachments are stored in private object storage buckets with server-side encryption.
  • Password hashing: User passwords are stored using industry-standard one-way hashing. We never store or have access to your password in plain text.
  • Session security: Session cookies are configured with Secure (HTTPS-only), SameSite: Lax, and a cryptographically random session identifier. CSRF tokens are generated per form submission.
  • API authentication: API access requires bearer token authentication. Inbound email processing uses a separate token-based authentication mechanism.
  • Two-factor authentication: Users may enable TOTP-based two-factor authentication with backup recovery codes for an additional layer of account security.
  • Access control: Team-based permissions restrict access to resources. Role-based access (owner, admin, member) with granular per-feature read/write permissions ensures users only access data they are authorized to see.
  • Private object storage: All stored email files and attachments are in private (non-publicly-accessible) storage buckets. Access requires server-side authentication.
  • Minimal data collection: We collect only the data necessary to provide the Service. We do not index email body content in our database.

No data transmission or storage system can be guaranteed to be fully secure. If you have reason to believe your interaction with us is no longer secure, contact us immediately at legal@cleanbox.app.


8. International data transfers

Our infrastructure is hosted by DigitalOcean. Your data may be processed and stored in data centers located in the European Union and/or the United States.

Where your data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Data processing agreements with our service providers that include adequate data protection commitments

Stripe processes payment data in accordance with their own privacy policy and is certified under the EU-U.S. Data Privacy Framework. CloudFlare processes Turnstile challenge data in accordance with their privacy policy.


9. Your rights under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Right Description
Right of access You may request a copy of the personal data we hold about you.
Right to rectification You may request that we correct inaccurate or incomplete personal data. You can also update most of your data directly through the Service (profile settings, mailbox configuration, etc.).
Right to erasure You may request that we delete your personal data. You can delete your account through the Service, which triggers deletion of all associated data.
Right to restriction of processing You may request that we restrict the processing of your personal data under certain circumstances.
Right to data portability You may request a copy of your data in a structured, commonly used, and machine-readable format.
Right to object You may object to the processing of your personal data where we rely on legitimate interest as the legal basis.
Right to withdraw consent Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at legal@cleanbox.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.


10. Your rights under the CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You have the right to request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. There is no need to opt out because no sale or sharing occurs.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at legal@cleanbox.app. We will verify your identity and respond within 45 days as required by law.


11. Spam detection and crowd-sourced data

Cleanbox uses rspamd as its spam detection engine. In addition to standard spam checks (Bayesian classification, SPF, DKIM, DMARC, URL reputation, and header analysis), Cleanbox applies crowd-sourced sender reputation data.

How this works:

  • When you provide feedback on a message (marking it as spam or not spam), the raw email is sent to rspamd for Bayesian classifier training. This improves spam detection for all Cleanbox users.
  • Sender reputation is aggregated across all Cleanbox users. For example, if multiple users mark emails from the same sender as spam, that sender receives a higher spam score for all users.
  • Contact state signals (such as the number of teams that have whitelisted a given sender) are used to adjust spam scores. These signals are anonymized and aggregated — no individual user’s contact preferences are exposed to other users.

The crowd-sourced data is limited to aggregate counts and ratios (e.g., “X users marked this sender as spam”). Individual user identities, email content, and personal data are never shared between users.


12. Children’s privacy

Cleanbox is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as soon as possible.

If you are a parent or guardian and believe your child has provided personal data to Cleanbox, please contact us at legal@cleanbox.app so we can take appropriate action.


13. Third-party links and services

Emails forwarded through Cleanbox may contain links to third-party websites and services. We are not responsible for the privacy practices, content, or security of any third-party websites or services linked in email messages that pass through the Service.

When you use our unsubscribe feature, you are interacting with the original sender’s unsubscribe endpoint. We do not control how the sender processes the unsubscribe request or what data they collect during that process.

We encourage you to review the privacy policies of any third-party services you interact with through email content forwarded by Cleanbox.


14. Relay and custom domain processing

If you use Cleanbox Relay (available on Advanced and Enterprise plans) to filter inbound email for your domain, the following additional data processing applies:

  • SMTP forwarding: After filtering, email is forwarded to your mail server via SMTP with SRS (Sender Rewriting Scheme) envelope rewriting for SPF compliance. The full email content passes through our servers during this process.
  • Virus scanning: Relay emails are scanned using ClamAV for viruses and malware. If a virus is detected, the email is rejected and not forwarded.
  • IP blacklist checking: The sending mail server’s IP address is checked against DNS-based blacklists (DNSBL) including Spamhaus, Barracuda, and SpamCop.
  • SMTP relay credentials: We store the hostname, port, and authentication details for your destination mail server, encrypted at rest.
  • Retry queue: If your mail server is temporarily unreachable, messages are queued for automatic retry with exponential backoff for approximately 4 days. Queued messages are stored temporarily on our infrastructure.

A validation header containing a random token is added to relayed messages, allowing your mail server to verify that inbound email has been processed by Cleanbox. This token does not contain personal data.


15. Automated decision-making

Cleanbox performs the following automated processing that may affect email delivery:

  • Spam scoring: Incoming emails are automatically scored for spam probability. Messages exceeding your configured spam threshold are rejected. Messages exceeding your quarantine threshold are held for manual review. You control both thresholds per alias.
  • Contact categorization: Sender contacts are automatically assigned to one of 20 categories based on the sender’s domain. You may override the automatically assigned category at any time.
  • Filter rule evaluation: Your manually configured filter rules are applied to incoming messages in the order you specify. The first matching rule determines the action taken.
  • Shield enforcement: Rate limits, delivery windows, and gatekeeper rules are automatically enforced per your configuration.

All automated decisions are based on rules you configure or on transparent spam scoring criteria. You have full control over thresholds, filter rules, shield settings, and contact states. No automated decision is made about you as a person — automated processing applies only to incoming email messages based on their content and sender attributes.


16. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial actions taken

Notifications will be sent to the email address associated with your Cleanbox account. We will provide a clear description of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach.


17. Account deletion

You may delete your account at any time through the Service. When you delete your account:

  • All personal data associated with your account is scheduled for deletion
  • Your aliases stop receiving email immediately
  • All stored messages, contacts, filters, shield rules, mailbox connections, and cloud-stored files are permanently deleted
  • If you are the owner of a team, the team and all its resources are deleted
  • Active Stripe subscriptions are cancelled
  • Data is removed from our primary systems within 30 days
  • Data may persist in encrypted backups for up to an additional 30 days until backup rotation

Account deletion is irreversible. We cannot recover your data after deletion has been processed.


18. Do Not Track signals

Cleanbox does not track users across third-party websites and does not use advertising cookies. Analytics cookies are only set with your consent (see Section 4). We do not respond to Do Not Track (DNT) browser signals. You can control analytics cookies directly via our cookie banner or the “Cookie Settings” link in the website footer.


19. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes:

  • We will update the “Last updated” date at the top of this Policy
  • We will notify registered users by email if the changes materially affect how we process personal data
  • The updated Policy will be posted at this URL (cleanbox.app/privacy)

We encourage you to review this Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Policy.


20. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

We aim to respond to all privacy-related inquiries within 30 days.

Have a question about your privacy?

Contact our support team and we'll get back to you as soon as possible.

Contact support