Privacy Policy

At ThePurpleBox, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our transactional email service platform.

ThePurpleBox is a transactional email service that allows developers and businesses to send automated emails via API and SMTP. We are committed to transparency about our data practices and protecting your information.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy should be read in conjunction with our Terms and Conditions.

We collect different types of information to provide and improve our Service:

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Password (encrypted, never stored in plain text)
• Company or organization name (optional)
• Billing information (for paid accounts)
• Account preferences and settings

2.2 OAuth Authentication Data

If you authenticate using Google or GitHub, we receive limited information:

• Your name as provided by the OAuth provider
• Your email address
• OAuth provider user ID (unique identifier)
• Profile picture URL (if available)

We do NOT receive or store your Google or GitHub passwords. OAuth access tokens are encrypted and stored securely.

2.3 Email Metadata

To provide delivery analytics, we collect:

• Sender and recipient email addresses
• Email subject lines
• Timestamps and delivery status
• Open and click events (if tracking enabled)
• Bounce reasons and error codes

2.4 Limited Message Content

Important: Email content is processed temporarily for delivery (2-30 days) and then automatically deleted. We do not read, analyze, or use email content for marketing or advertising.

2.5 Usage and API Logs

For service monitoring and abuse prevention:

• API request logs and response codes
• IP addresses making requests
• Usage metrics and volume statistics
• Error logs and debugging information

2.6 Cookies and Session Data

We use cookies to keep you logged in and remember preferences.

3.1 Service Delivery and Operations

• Processing and delivering transactional emails
• Account authentication and API access
• Providing analytics and reporting
• Processing payments and billing

3.2 Security and Fraud Prevention

• Detecting and preventing spam and abuse
• Monitoring for suspicious activity
• Enforcing our Terms and usage policies
• Investigating security incidents

3.3 Customer Support

• Responding to inquiries and support requests
• Troubleshooting delivery issues
• Providing technical assistance

3.4 Service Improvement and Analytics

• Analyzing usage patterns to improve our Service
• Identifying and fixing bugs
• Developing new features

What We DON'T Do: We do not sell, rent, or share your personal information for marketing purposes. We do not use your email content for advertising. We do not build user profiles for behavioral advertising.

4.1 How OAuth Works

When you sign in with Google or GitHub, you're redirected to their authentication page. We never see or store your Google or GitHub password.

4.2 Data Received from OAuth Providers

We only request and receive minimum information:

• From Google: Name, email, profile picture, user ID
• From GitHub: Name, email, profile picture, user ID

We do not request access to repositories, contacts, calendar, or other data.

4.3 OAuth Token Storage

OAuth tokens are encrypted and stored securely. You can revoke access anytime through your Google or GitHub account settings.

4.4 Third-Party Responsibility

• Google and GitHub are independent third parties not controlled by ThePurpleBox
• Their privacy policies govern how they handle your data
• You are responsible for securing your OAuth accounts
• We are not liable for OAuth provider service issues

We Do NOT Sell Your Data: We never sell, rent, or lease your personal information to third parties.

5.1 Service Providers and Infrastructure

We work with trusted partners who help operate our platform:

• Cloud hosting providers (infrastructure and storage)
• Email delivery partners (routing emails)
• Payment processors (billing)
• Monitoring services (performance tracking)

These providers are contractually required to protect your data and use it only for providing services to us.

5.2 Legal Requirements and Protection

We may disclose information when required by law:

• In response to legal requests (subpoenas, court orders)
• To comply with applicable laws and regulations
• To protect our rights, users, or public safety
• To enforce our Terms and Conditions

5.3 Business Transfers

If ThePurpleBox is involved in a merger or acquisition, your information may be transferred. We will notify you of any such change.

5.4 Aggregate and Anonymous Data

We may share aggregated, anonymized data that cannot identify you personally (e.g., industry statistics).

6.1 Account Information

Retained while your account is active. Deleted within 30 days after account deletion (except for legal compliance requirements).

6.2 Email Content

• Temporary storage: 2-30 days for delivery troubleshooting
• After retention: Automatically and permanently deleted

6.3 Email Metadata and Logs

• Delivery metadata: 2-30 days
• API logs: 30-90 days
• Security logs: Up to 1 year

6.4 Backups

Data in backups may be retained for up to 90 days, then permanently deleted.

6.5 Legal Retention Requirements

Billing records retained up to 7 years for tax purposes. Data subject to legal hold retained until resolved.

7.1 Encryption

• In transit: TLS 1.2 or higher
• At rest: Passwords, API keys, OAuth tokens encrypted in databases
• Password storage: Hashed using bcrypt or similar

7.2 Access Controls

• Restricted access to production systems
• Multi-factor authentication for admin access
• Role-based access controls
• Regular access reviews and audits

7.3 Infrastructure Security

• Secure cloud infrastructure
• Regular security updates and patches
• Firewalls and intrusion detection
• Network segmentation

7.4 Incident Response

In the event of a security incident:

• We have incident response procedures in place
• We will notify affected users as required by law
• We will work to remediate issues promptly

Your Security Role: Use strong passwords, keep API keys secure, enable 2FA on OAuth accounts, and report suspicious activity immediately.

8.1 Access Your Information

Access your personal information through your account dashboard. Contact info@thepurplebox.io for complete data copies.

8.2 Correct Your Information

Update account information directly in your account settings or contact support.

8.3 Delete Your Account

Delete your account anytime through account settings. Upon deletion:

• Account immediately deactivated
• Personal information deleted within 30 days
• Some data may remain in backups for 90 days
• Legal compliance data may be retained longer

8.4 Data Portability

Export your data (email logs, analytics) through your dashboard. Contact us for specific formats.

8.5 Regional Rights

• EU (GDPR): Access, rectification, erasure, restriction, portability, objection
• California (CCPA): Right to know, delete, opt-out of sale (we don't sell data)
• We respect data protection rights under your local laws

8.6 How to Exercise Your Rights

Contact info@thepurplebox.io with your name, account email, and request description. We respond within 30 days.

ThePurpleBox is headquartered in Ghana. If you access our Service from outside Ghana, your information may be transferred to, stored in, and processed in Ghana and other countries where our service providers operate.

9.1 Data Transfer Safeguards

• Standard contractual clauses
• Service providers implement adequate security measures
• Compliance with applicable data transfer regulations

9.2 Your Consent

By using our Service, you consent to the transfer of your information to Ghana and other countries where we operate.

9.3 EU Users

We ensure data transfers comply with GDPR through appropriate safeguards and data processing agreements.

10.1 Types of Cookies

10.2 Managing Cookies

Control cookies through your browser settings. Note: Disabling essential cookies may affect Service functionality.

10.3 Third-Party Cookies

We may use analytics providers (e.g., Google Analytics), error tracking services, and performance monitoring tools.

ThePurpleBox is not intended for children under 18. We do not knowingly collect personal information from children under 18.

If you believe your child has provided us with personal information, contact us at info@thepurplebox.io and we will delete it promptly.

12.1 How We Notify You

When we make changes, we will:

• Update the "Last Updated" date
• Notify you via email for material changes
• Post a notice in your account dashboard

12.2 Material Changes

For significant changes, we provide at least 30 days' notice before they take effect.

12.3 Your Acceptance

Continuing to use the Service after changes means you accept the updated Privacy Policy. If you don't agree, stop using the Service and delete your account.

If you have questions about this Privacy Policy or how we handle your personal information:

13.1 Data Protection Inquiries

For privacy-specific inquiries, email info@thepurplebox.io with "Privacy Request" in the subject line. We respond within 30 days.