Privacy Policy

1. Our Role

Under the General Data Protection Regulation (GDPR), Sinkbox acts in two capacities:

• Data Controller: For your account and billing information.
• Data Processor: For the data (emails, HTTP(S) payloads) you choose to send to or capture with Sinkbox during your testing and development activities.

2. Information We Collect

We only collect the information necessary to provide and maintain our Service.

• Account Information: When you sign up, we collect your email address and password.
• Billing Information: Payments are processed securely by our European Merchant of Record, TBD. We do not store your full credit card details on our servers.
• Service Data: We temporarily store the emails and HTTP(S) payloads that you route through Sinkbox.
• Support Data: If you contact us for support, we collect your email address and the content of your message.
• Usage Data: We collect usage data to improve our service, such as which features are used and how the service performs. This data is collected by our own server-side analytics system — we do not use any external analytics tools. Any non-aggregated or non-anonymous usage data (such as IP addresses and browser information) is stored exclusively on our own EU-hosted servers and will never leave them.

3. How We Use Your Information

We use your data exclusively to:

• Provide, maintain, and improve the Service.
• Process your subscription payments (via our Merchant of Record, TBD).
• Provide customer support and respond to your inquiries.
• Prevent fraud or abuse of the Service.
• Monitor service performance and understand feature usage to improve the Service.

We never sell your data to third parties or use it for advertising purposes.

4. Cookies

We only use Session Cookies. These are strictly necessary for the core functionality of Sinkbox, such as keeping you logged in during your visit. We do not use tracking, advertising, or third-party analytics cookies. Because we only use essential session cookies, you will not see a cookie consent banner on our site.

5. Privacy-First Marketing and Ad Links

When we run advertising campaigns on third-party platforms (such as search engines or social media networks), those platforms may use their own data and algorithms to target our ads to specific audiences in accordance with their respective privacy policies. However, we ensure that this individual tracking stops at our front door.

If you click on one of our promotional links or ads, your click is processed through an intermediary routing page on our end. This page only logs high-level, aggregated, and anonymous statistical data (specifically: the campaign identifier, general country location, and preferred language). Immediately after this anonymous count is registered, you are automatically redirected to a clean, generic version of the campaign page. No individual tracking parameters, retargeting cookies, or personal identifiers from the external ad network are allowed to follow you onto our website or into the Sinkbox application.

6. Data Retention

We do not hold onto your data longer than necessary:

• Service Data (Emails/Payloads): Automatically permanently deleted based on your subscription plan (ranging from 24 hours to 365 days, or longer if your plan allows and is set to, as outlined in our Terms of Service).
• Account Data: Stored for as long as your account is active. If you delete your account, your data will be erased, except for data we are legally required to keep (such as accounting records).

7. Data Storage and Security

All data—including application databases, captured payloads, support emails, and analytics—is strictly hosted on servers located within the European Union (EU). We implement industry-standard security measures to protect your data against unauthorized access, alteration, or destruction.

• Main infrastructure: Our public services (such as application servers, database servers and load balancers) etc. are hosted on Scaleway (France).
• Updown monitoring: Updown (France) and Scaleway (France).
• Transactional email: Brevo (France) and Scaleway (France).
• Domain and email: Beebyte (Sweden).
• Payment processing: Vatly (The Netherlands).
• Accounting: Wint (Sweden).
• Automatic error reporting: Sinkbox (Sweden).

Other non-essential services (such as automatic and manual error or issue reporting, analytics) are, when applicable, hosted within EU.

Some of our company related tools and services that doesn't process customer data (project management, documentation, and internal communication) may be hosted outside the EU. Our policy for internal communication is to avoid sharing any customer data on those platforms, and to only share our own internal IDs of customers, projects, or items when necessary for support or troubleshooting purposes. We do not share any personal data or content of customer data on those platforms.

8. Your GDPR Rights

If you are a resident of the European Economic Area (EEA), you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your personal data ("Right to be forgotten").
• Restrict or object to our processing of your data.
• Request data portability.

To exercise any of these rights, please contact us. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you via email or a prominent notice within the Service.

Contact Information

If you have any questions, concerns, or requests regarding these Terms, the Data Processing Agreement, or our Privacy Policy, please reach out to us:

• Technical Support: support@sinkbox.dev
• Legal Inquiries & GDPR Requests: legal@sinkbox.dev
• General Inquiries: info@sinkbox.dev
• Accessibility: accessibility@sinkbox.dev

Bedriva Sverige AB
Swedish Organisation Number: 559001-8502
Sweden