We collect the minimum data needed to provide the Service — your account info, the domains you monitor, scan results, and basic usage analytics. We don't sell your data. We don't share it for advertising. We share it only with the service providers we need to run the platform (Stripe for payments, Supabase for our database, etc.). You can access, export, or delete your data at any time.
1. Who we are
This Privacy Policy explains how Luvia Digital LTD, a company registered in England and Wales, operating the InboxScore.ai service ("InboxScore", "we", "us", or "our"), collects, uses, and protects your personal data.
For the purposes of UK GDPR and EU GDPR, Luvia Digital LTD is the data controller of personal data collected through the Service.
If you have privacy questions or want to exercise your rights, contact us at hello@inboxscore.ai.
2. What data we collect
2.1 Account data
- Email address
- Password (stored as a one-way hash; we never see the plain-text)
- Name (optional)
- Company name (optional)
- OAuth identifiers if you sign in via Google
2.2 Service data
- Domain names you submit for monitoring
- Scan results (public DNS records, blacklist status, authentication configuration — this is technical metadata about your domains, not personal data about individuals)
- OAuth refresh tokens for Google Postmaster Tools and Microsoft SNDS if you connect those integrations
- Alert configurations (Slack channels, webhook URLs, email recipients)
- API tokens you generate
2.3 Billing data
- Billing address, country, tax ID (for VAT)
- Payment method tokens (we never store card numbers — Stripe does)
- Transaction history, invoice records, subscription status
2.4 Usage and technical data
- IP address (used for rate limiting, fraud prevention, and approximate geolocation)
- Browser type, operating system, device type
- Pages visited, features used, errors encountered
- Session duration, click events, page load times
- Server logs (HTTP requests, response codes, latency)
2.5 Communications
- Email correspondence with our support team
- Survey responses, feedback, cancellation reasons
3. Lawful basis for processing
Under UK GDPR and EU GDPR we rely on the following lawful bases:
- Contract (Article 6(1)(b)): Processing necessary to provide the Service you signed up for — account management, scans, alerts, billing
- Legitimate interests (Article 6(1)(f)): Service security, fraud prevention, product analytics to improve the Service, marketing to existing customers about similar services. We balance these interests against your rights and you can object at any time
- Legal obligation (Article 6(1)(c)): Tax records, invoice retention, responding to lawful government requests
- Consent (Article 6(1)(a)): Where required by law (e.g., non-essential cookies, marketing emails to non-customers). You can withdraw consent at any time
4. How we use your data
- Provide the Service: run scans, store results, send alerts
- Authenticate you and secure your account
- Process payments and issue invoices
- Communicate with you about service changes, security issues, and your account
- Provide customer support
- Monitor and improve performance, debug issues
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations
- Send product updates and marketing emails (you can unsubscribe at any time)
We do not: sell your personal data, share it with advertisers, use it to train AI/ML models for third parties, or rent it out.
5. Who we share data with
We share data with the following categories of recipients:
5.1 Subprocessors
We use trusted third-party service providers ("subprocessors") to operate the Service. Each is bound by a data processing agreement and processes data only on our instructions:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscription billing, tax calculation | EU / US |
| Supabase | Database hosting, authentication backend | US |
| Render | Application hosting, infrastructure | US |
| Resend | Transactional email delivery (account verification, alerts, receipts) | US |
| HetrixTools | DNS blacklist data lookup (no personal data — only domain/IP queries) | EU |
| Sentry | Application error monitoring and crash reports | EU / US |
| Mixpanel | Product analytics, usage tracking | EU |
| Google Analytics 4 | Marketing site traffic analytics (anonymised IP) | US |
| Google Cloud / Postmaster Tools | Postmaster data retrieval (only if you connect your Google account) | US |
| Microsoft / SNDS | SNDS data retrieval (only if you connect your Microsoft account) | US |
A current list of subprocessors is maintained on this page. We will give 30 days' notice via email or in-app before adding a new subprocessor that materially affects your data.
5.2 Other sharing
- Legal compliance: If required by law, court order, or government request — we will challenge requests that are overly broad where lawful
- Business transfers: If Luvia Digital LTD merges with, is acquired by, or sells substantially all assets to another entity, your data may be transferred. We will give notice before any such transfer
- With your consent: Any other sharing requires your explicit consent
6. International transfers
Some of our subprocessors are located outside the UK and EEA, including in the United States. When we transfer your data outside the UK/EEA, we use one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement or UK Addendum to the EU SCCs
- Transfers to providers certified under the EU-US Data Privacy Framework or its UK extension where applicable
You can request a copy of the safeguards we rely on by emailing hello@inboxscore.ai.
7. How long we keep your data
- Account data: for as long as your account is active, plus up to 6 months after closure to handle disputes
- Scan and monitoring data: up to 12 months by default, longer if you have an active Pro subscription with extended history
- Billing records: 7 years (UK tax law requirement)
- Support correspondence: up to 3 years
- Server logs and analytics: up to 90 days for raw logs, aggregated and anonymised thereafter
- Marketing list: until you unsubscribe
When data is no longer needed, we delete or anonymise it.
8. Your rights
Under UK GDPR, EU GDPR, and equivalent laws in other jurisdictions, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests, including direct marketing
- Withdraw consent: Where we rely on consent, you can withdraw it
- Lodge a complaint: With a supervisory authority — in the UK, the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any right, email hello@inboxscore.ai. We will respond within 30 days. We may verify your identity before fulfilling a request.
8.1 California residents (CCPA / CPRA)
California residents have additional rights including: right to know, right to delete, right to opt out of sale or sharing, right to non-discrimination, and right to limit use of sensitive personal information. We do not sell or share personal data for cross-context behavioural advertising. To exercise these rights, contact us as above.
9. Cookies and tracking
We use cookies and similar technologies for:
- Essential cookies: authentication, session management, security. These cannot be disabled and don't require consent
- Functional cookies: remembering your theme preference, last-used filter
- Analytics cookies: Google Analytics 4 with IP anonymisation, Mixpanel for product analytics
You can manage cookies via your browser settings. Disabling essential cookies will prevent the Service from working.
10. Security
We use industry-standard security measures including:
- TLS 1.2+ for all data in transit
- Encryption at rest for the database and backups
- Password hashing using bcrypt or equivalent
- Access controls and audit logging on production systems
- Regular security reviews and dependency monitoring
- Multi-factor authentication available for accounts
No system is 100% secure. We will notify affected users and regulators of any data breach as required by law (within 72 hours where UK/EU GDPR applies).
11. Children's data
The Service is not intended for individuals under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email and posted here with a new "Last updated" date. Continued use of the Service after changes take effect means you accept the updated policy.
13. Contact us
Privacy questions, data subject requests, or complaints:
Luvia Digital LTD
Data Protection Contact
Email: hello@inboxscore.ai
Registered in England and Wales
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with the supervisory authority in your country of residence.