Privacy Policy

Last updated: January 2026

1. Data We Collect

Public inbox data: Emails delivered to public temp inboxes are stored in memory only and automatically expire. We do not persistently store public inbox messages.

Account data: If you create an account, we store your email address, a hashed password, and session tokens. We do not store plaintext passwords.

Subscriber data: Subscriber aliases and their messages are stored in a SQLite database until deleted by the subscriber or after the grace period following plan lapse.

API usage logs: We log API requests including endpoint, method, API key prefix, domain, and cost for billing and abuse detection purposes.

IP addresses: Client IPs are used for rate limiting and abuse detection. They are not stored permanently.

2. How We Use Your Data

  • To deliver and display email messages to the correct inbox
  • To authenticate your account and manage sessions
  • To enforce rate limits and prevent abuse
  • To calculate and deduct API credit usage
  • To process subscription payments via third-party processors

3. Data Sharing

We do not sell, rent, or trade your personal data. We share minimal data with third parties only as required:

  • NowPayments: Payment processing for subscriptions and top-ups (order ID and amount only)
  • Cloudflare Turnstile: Bot detection for high-risk API requests (IP and request metadata)
  • Google OAuth: If you choose Google login, your Google profile email is shared with us

4. Data Retention

Public inbox messages are stored in memory and expire after inactivity. Subscriber messages are kept until the subscriber deletes them or the grace period ends. Account data is retained until you request deletion. API usage logs are retained for 90 days.

5. Cookies & Sessions

We use HTTP-only session cookies to maintain logged-in account state. No tracking cookies or third-party advertising cookies are used. Cloudflare Turnstile may set cookies as part of bot detection.

6. Security

Passwords are stored using bcrypt hashing. API keys are stored, and only their prefix is displayed after creation. Session tokens are random and expire automatically. We use HTTPS for all connections.

Despite our efforts, no system is fully secure. Use disposable addresses for throwaway flows and do not store sensitive information in public, unprotected inboxes.

7. Your Rights

You may request deletion of your account data at any time. Subscriber aliases and messages are deleted when you delete your account or after the grace period. Public inbox data expires automatically.

8. Contact

For privacy-related requests or questions, contact us via the support channel listed on the DraxonMails website.