Calmbox, LLC – Privacy Policy

Effective Date: January 13, 2025

Calmbox, LLC (“Calmbox,” “we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, or any related services (collectively, the “Service”).

By using the Service, you agree to this Privacy Policy. If you do not agree, you should not use our Service.

1. Information We Collect

1. Personal Information
   
   • Account Data: When you create an account, we collect information such as your name, email address, and payment details (handled by a third-party processor like Stripe).
   • Third-Party Account Credentials: We use secure, industry-standard protocols (e.g., OAuth) to connect to your email or other services. We do not store plain-text passwords.
2. Email & Message Data
   
   • We can process the full body of emails and see attachments when scanning for spam; however, we generally retain only certain metadata (sender, subject, date received, external message ID) for ongoing operations.
   • Content, including subject lines, may contain personal or sensitive information, which is processed primarily for spam detection and filtering.
   • Google User Data: For users who connect their Google/Gmail accounts, we strictly limit our use of Google user data (including emails and attachments) to:
     • Providing and improving our core email filtering functionality
     • Detecting and filtering spam messages
     • Managing user-defined filtering rules
     • Maintaining necessary service operations
     Important Note: Google user data is never used for:
     • Marketing or promotional purposes
     • Training or improving third-party AI/ML models
     • Any purpose beyond our core email filtering service
     Service Improvements: To improve our spam detection accuracy, we may use anonymized email patterns and metadata to enhance our filtering capabilities. This process:
     • Only uses data that has been fully anonymized
     • Is strictly limited to improving our spam detection service
     • Never shares data with third-party AI/ML providers for their model training
3. Usage Data & Logs
   
   • We maintain access logs and may use third-party analytics tools (e.g., PostHog) to track how users interact with our Service. This may include IP addresses, device information, and browsing data.
4. Cookies
   
   • We use cookies and similar technologies to manage user sessions, remember preferences, and secure accounts. By using our Service, you consent to our use of cookies in accordance with this Privacy Policy.

2. How We Use Your Information

1. Service Provision
   
   • To filter and manage your inbox or message streams, including spam detection via third-party LLM providers.
   • To provide customer support, fulfill requests, or respond to inquiries.
2. Analytics & Improvements
   
   • To monitor usage patterns, improve our Service, and develop new features.
3. Payment Processing
   
   • To handle subscription fees and renewals through third-party payment processors (e.g., Stripe).
4. Communications
   
   • To send transactional or informational communications (e.g., account notifications, subscription updates, weekly spam summaries).
   • To send marketing or promotional messages, if you have opted in or if otherwise permitted by law. We never use Google user data for marketing purposes.
5. Legal Compliance & Enforcement
   
   • To comply with applicable laws, regulations, or legal processes.
   • To enforce our Terms of Service or other agreements.

3. Disclosure of Your Information

1. Third-Party LLM Providers
   We use LLM or AI providers strictly for real-time spam analysis of individual messages. Important: When processing messages through third-party AI providers:
   • Each message is processed individually and solely for spam detection
   • Third-party providers are not permitted to retain or store message data
   • Message data is never used to train or improve third-party AI models
   • Processing is limited to real-time spam analysis only
2. Service Providers
   We rely on third-party service providers (e.g., Heroku for hosting, Stripe for payments, PostHog for analytics) that access data solely to perform tasks on our behalf. We contractually require them to protect your data, though we cannot guarantee their compliance in all cases.
3. Business Transfers
   If we undergo a merger, acquisition, or asset sale, your information may be transferred as part of that transaction.
4. Legal Obligations
   We may disclose information if required by law, subpoena, or court order, or if such disclosure is necessary to protect our rights or the safety of others.
5. With Your Consent
   We may share your data for additional purposes if you explicitly consent.

4. Data Retention

1. Retention Period
   We keep your data as long as you are a customer. If you cancel or delete your account, we will anonymize or delete your data, unless retention is required for legal, compliance, or legitimate business purposes (e.g., proof of transactions).
2. Anonymization
   After you are no longer a customer, we may retain anonymized records (e.g., usage stats) that do not identify you personally.

5. Security

We take commercially reasonable measures to protect your information. However, no data transmission or storage system is 100% secure, and we cannot guarantee the absolute security of your information. You assume the risks associated with transmitting information to us.

6. International Data Transfers

1. Location of Servers
   Our Service is primarily hosted in the United States (e.g., on Heroku’s U.S.-based servers). If you access the Service from outside the U.S., your data may be transferred to and processed in the U.S.
2. Legal Protections
   If you reside in a jurisdiction with data protection laws (e.g., the GDPR in the European Union, CCPA/CPRA in California), you acknowledge that your data will be transferred in accordance with the laws applicable to Calmbox, LLC.

7. Your Rights

Depending on your jurisdiction, you may have certain data rights, such as:

1. Access & Rectification: The right to request a copy of your personal data and to request corrections.
2. Deletion: The right to request deletion of your personal data (subject to legal exceptions).
3. Opt-Out of Marketing: The right to unsubscribe from marketing emails.
4. Revoke Authorizations: The right to disconnect your third-party accounts or delete your account.

To exercise any of these rights, contact us at support@calmbox.com. We may need to verify your identity before processing certain requests.

8. Children’s Privacy

Our Service is not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us so we can remove it.

9. Corporate Changes & Dissolution

1. Transfers
   In the event of a merger, sale, or other transfer of assets, your data may be transferred to the acquiring entity in line with this Policy.
2. Dissolution
   If Calmbox, LLC is dissolved, we will delete or anonymize all user data within a reasonable time, subject to any legal or compliance requirements.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you by posting the updated version on our website or by other means. Your continued use of the Service after any revisions indicates your acceptance of the updated terms.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact:

Calmbox, LLC
2261 Market Street #22952
San Francisco, CA 94114
Email: support@calmbox.ai