How we handle the things you tell us.

InboxBarn is operated by InboxBarn Labs AS, a Norwegian aksjeselskap registered in Trondheim, Norway. We are the data controller for personal data processed through the InboxBarn marketing site (inboxbarn.com), the dashboard application, and the channel integrations we provide.

We're a small team — six full-time, three time zones — and we'd rather you reach a person than a portal. Our public DPO contact is the alias [email protected]. When the team grows past ten, we'll name an individual; until then, the alias goes to two of the founders.

This policy applies to anyone who interacts with InboxBarn — whether you're a visitor reading this page, an account holder using the dashboard, or an end-user whose message reached one of our customers through a channel we bridge.

We use three terms throughout: account holders (customers who pay us), end-users (people who write into a customer's support channels), and visitors (everyone else who lands on our marketing site). Where a section applies to only one of those audiences, we'll say so.

It does not cover any third-party platform you connect through us — your Discord server, your Slack workspace, your email provider. Those run under their own policies, which we link to where it matters.

We collect five categories of personal data. They are listed below in plain English, with what we use them for inline so you don't have to cross-reference the next section.

• 01Account data — your work email, team name, role, and the channels you connect (Slack workspace IDs, Discord server IDs, the email addresses you bridge in).
• 02Conversation content — the messages flowing through the channels you connect — both the customer's side and your team's replies. We process this to deliver the service.
• 03Billing data — handled directly by Stripe. We see invoice metadata (plan, seat count, amount, last four digits) but never the full card number.
• 04Product analytics — anonymized page views and feature-usage counters, collected via Plausible (cookie-less). No identifiers leave your account.
• 05Support correspondence — the emails, threads, and notes you send us when you ask for help — kept as long as the matter is open and a year after.

We do not collect special-category data (health, biometrics, political views) deliberately. If you put it into a message — for example, an end-user telling your team about a medical issue — we process it incidentally as part of running the service.

We use the data we collect for the operational job of running InboxBarn. Specifically:

• Routing customer conversations to the right teammate.
• Suggesting macros and replies based on message context, computed inside your workspace.
• Billing you and emailing receipts.
• Securing the service — abuse detection, rate limiting, audit logs.
• Communicating with you — product updates, security notices, the occasional letter from the team.

What we do not do: we do not sell personal data. We do not share it with advertisers. We do not train third-party AI models on customer messages. If we ever change one of those, we'll say so on this page first and email every account holder thirty days before the change takes effect.

We rely on four legal bases under Article 6 of the GDPR. Each piece of processing we do maps to one of these:

• 01Performance of a contract — for everything required to operate the service for you — routing messages, storing your account, billing.
• 02Legitimate interests — for product analytics, abuse prevention, and improving the service — balanced against your reasonable expectations.
• 03Consent — only for optional things — marketing emails, beta-program invitations. You can withdraw it at any time without affecting the service.
• 04Legal obligation — where we have to retain records (tax invoices, certain audit logs) for a period set by law.

We share personal data only with vendors we use to operate the service — never with advertisers, brokers, or anyone running their own product on top of yours. Each vendor below is bound by a data-processing agreement and processes data on our written instructions.

The canonical list lives in the band below this section. We update that list before we change vendors — not after.

We prefer EU-region vendors. The application, the database, and the channel bridges all run inside the European Economic Area. The exception is Stripe, which processes a portion of payment data in the United States.

For any transfer outside the EEA, we use the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, rely on the EU-US Data Privacy Framework. Copies of the relevant agreements are available on request to [email protected].

We hold data only as long as we need it for the purpose it was collected. Concretely:

• Account data — while your account is active, plus thirty days after deletion to support recovery.
• Conversation content — per the retention you configure in the dashboard (default 24 months from the last message in a thread).
• Audit logs — twelve months.
• Backups — thirty-five days, then permanently overwritten.
• Billing records — kept for as long as Norwegian tax law requires (currently five years).

When a retention window closes, the data is deleted from production. Backups age out within thirty-five days; a deletion request for active data does not retroactively remove it from backups still in the retention window.

All personal data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 on managed disks. Production access is limited to the engineers who need it — currently three of six teammates — and every production action is logged.

We review access quarterly. We run a quiet annual security review (the kind where two of us sit in a room and read through every connection ourselves) and a deeper one whenever we add a sensitive vendor. If a security incident affects your data, we will contact you within 72 hours of becoming aware of it, name what happened in plain language, and explain what we're doing to keep it from happening again.

Security disclosures are welcome at [email protected]. A PGP key is available on request.

Under the GDPR (and similar frameworks in California, Brazil, and the UK), you have the rights listed in the band below. To exercise any of them, email [email protected] with the request in plain English. We'll reply within seven days and complete the request within thirty unless we genuinely can't, in which case we'll tell you why.

We never charge a fee for an access or deletion request, and we never retaliate against an account that exercises these rights. We are also a Do Not Sell or Share business in the sense of the California Privacy Rights Act — because we don't sell or share personal data with anyone for advertising purposes, full stop.