Skip to content

Version 1.0 · Last updated 22 May 2026

This document is provided as a plain-language draft and is pending legal review. If you spot an issue, email legal@inboxdesk.ai.

Trust

A one-page summary of where InboxDesk sits on data handling, sub-processors, and compliance.

Where your data lives

The primary database is hosted on Supabase in the European Union (eu-west-2). For full data-flow detail, see the Privacy Policy and the Data Processing Agreement.

Sub-processors

| Sub-processor | Purpose | Location | |---|---|---| | Supabase | Database, authentication, file storage | EU (eu-west-2) | | Vercel | Application hosting, edge network | EU + US (with SCCs for US edge) | | Anthropic | AI model provider (Claude) | US (with SCCs) | | Voyage AI | Embeddings for knowledge-base retrieval | US (with SCCs) | | Resend | Inbound webhook + outbound transactional email | EU + US (with SCCs) | | Stripe | Subscription billing | UK + US (with SCCs) | | Sentry | Error monitoring | US (EU residency where configured) | | PostHog | Product analytics | EU (eu.i.posthog.com) | | Cloudflare Turnstile | Anti-bot challenge on signup form | Cloudflare global edge | | Upstash Redis | Anti-abuse signup rate limit (hashed IP, 1-hour TTL) | EU (eu-west-1) |

We notify customers at least 14 days before adding or replacing any sub-processor that handles their data (per DPA §7).

International transfers

Where data leaves the UK or EEA, we rely on the UK International Data Transfer Addendum (IDTA) and the EU Standard Contractual Clauses (SCCs). DPA §8 carries the legal detail.

Compliance posture

| Standard | Status | |---|---| | UK GDPR / EU GDPR | Compliant. Full Article 6 lawful bases documented in Privacy §4. | | Google Workspace API Limited Use | Compliant. Disclosure in Privacy §5.1. | | SOC 2 | Not currently certified. See Security for transparency on why. | | ISO 27001 | Not currently certified. See Security for transparency on why. |

Self-serve data rights

Both Article 20 (data portability) and Article 17 (erasure) are self-serve from the Settings page in the app. Exports cover tenant data plus the account-identity row for the tenant owner; full detail in Privacy §10.

Contact

  • Vulnerabilities: security@inboxdesk.ai
  • Privacy / data requests: privacy@inboxdesk.ai
  • Everything else: hello@inboxdesk.ai

Effective date

This page was last updated 2026-05-22.