GDPR & Privacy Policy

1. Data Controller

The controller of mboxly.app and the data processed in connection with its operation is:

2. Important Note: Personal Data Processing

We do not process your personal data in the traditional sense. All messages and files you send through mboxly.app are encrypted end-to-end using AES-256-GCM before they are stored on our servers. We have no technical ability to access or read your content.

3. Zero-Knowledge Architecture

mboxly.app is built on a Zero-Knowledge architecture, which means:

• No access to your content: All messages and files are encrypted in your browser using AES-256-GCM before being sent to our servers.
• The key remains yours: The decryption key exists only in the unique link (URL fragment after #), which is never transmitted to our servers.
• No ability to view: As administrators, we have no technical means to read your message content because we don't possess the decryption key.

4. What Data Do We Collect?

We collect only the minimum necessary data:

• Technical logs: To ensure security (e.g., protection against DDoS attacks or abuse), we may process temporary server logs, including IP address and request time. These are automatically deleted within 24 hours.
• Contact data: If you contact us by email, we process your data solely to respond to your inquiry.

5. Infrastructure Security & Data Location

• Hosted on AWS EU: mboxly.app infrastructure is hosted on Amazon Web Services servers located in the European Union, ensuring compliance with data residency requirements.
• End-to-End Encryption: All data in transit is protected by TLS 1.3 encryption protocol. Communication between your browser and our servers is secured by SSL/TLS certificates.
• At-Rest Encryption: Encrypted messages are stored as incomprehensible ciphertexts. Even if our servers were compromised, attackers would only find encrypted data without decryption keys.
• Regular Security Updates: Our infrastructure receives regular security patches and updates to protect against known vulnerabilities.

6. Message Retention (Auto-Destruction)

Your messages are stored according to your chosen expiration settings:

• Burn after reading: The message is automatically deleted from our database immediately after the recipient opens it.
• TTL (Time To Live): If not read, messages are permanently deleted after your chosen time (e.g., 1 hour, 24 hours, or up to 90 days).
• No backups: We do not create backup copies of message content. Once deleted, recovery is impossible.

7. Your Rights Under GDPR

Under GDPR, you have the right to:

• Request access to any personal data we hold about you (separate from encrypted message content, which we cannot access)
• Request correction of inaccurate data
• Request deletion of your data
• Lodge a complaint with the supervisory authority (in Poland: President of the Personal Data Protection Office (UODO))

To exercise these rights, contact us at contact@mboxly.app

8. Cookies

mboxly.app does not use tracking, marketing, or analytical cookies (such as Google Analytics). We use only essential technical cookies required for the proper functioning of the service.

9. Contact & Support

For questions about this Privacy Policy or our data protection practices: