Privacy Policy

Last updated: 2026-04-18

This Privacy Policy describes how Dini Labs Pty Ltd (ABN 87 691 095 477) (“Dini Labs”, “we”, “us”, or “our”) handles personal information in connection with InboxAPI.

InboxAPI is a programmable email infrastructure service for developers, businesses, and software operators, including those using AI agents. This policy explains how we collect, hold, use, and disclose personal information when we provide and operate the Service.

1. Scope

This Privacy Policy applies to:

Account creation, authentication, recovery, and support interactions
Customer use of InboxAPI to send, receive, store, search, and process email
Operational, security, diagnostic, and service-improvement activities related to InboxAPI
Our website and documentation to the extent they collect technical information needed to operate and secure them

This policy does not govern third-party services, recipient mail systems, or AI tools you connect to InboxAPI.

2. Personal Information We Collect and Hold

Depending on how you use the Service, we may collect and hold:

Account and identity information

Account names, email addresses, verified owner email addresses, and recovery details
Authentication credentials, encrypted secrets, token identifiers, and account status information
Billing or commercial relationship information if paid plans are introduced or used

Customer content and communication data

Email headers and metadata, such as sender, recipient, subject line, timestamps, thread identifiers, and delivery status
Email bodies, attachments, and message content processed through the Service
Address book and contact relationship data generated by product usage

Usage, device, and operational data

API request logs, timestamps, error logs, and rate-limit or abuse-prevention events
Client, device, browser, IP address, and network information reasonably necessary to operate and secure the Service
Service configuration, diagnostics, telemetry, and observability data

Support and communications data

Correspondence with us, including support requests, legal inquiries, bug reports, and feedback

We do not currently use personal information for advertising profiling, and we do not sell personal information.

3. How We Collect Personal Information

We collect personal information:

Directly from you when you use the Service, contact us, verify an owner email address, or submit account recovery details
Automatically from your use of the Service, website, API, and client software
From communications and content processed through the Service at your direction
From third parties involved in email delivery, abuse prevention, infrastructure, authentication, or legal compliance

If you provide us with personal information about another person, you are responsible for ensuring you have the right to do so.

4. How We Hold Personal Information

We hold personal information in a combination of:

Cloud-hosted application systems and infrastructure used to operate InboxAPI
Security, logging, backup, and observability systems used to maintain and protect the Service
Internal tools used for support, legal, compliance, and incident response

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. However, no method of transmission or storage is completely secure, and email is not an inherently secure medium.

5. How We Use Personal Information

We use personal information to:

Provide, maintain, authenticate, and secure the Service
Send, receive, store, search, route, and process email and related metadata at your direction
Enforce limits, prevent abuse, detect fraud, investigate suspicious activity, and protect users and third parties
Debug errors, monitor performance, improve reliability, and develop service features
Respond to support requests, account recovery requests, legal inquiries, and privacy requests
Comply with legal obligations and enforce our Terms of Service

We do not currently use personal information for targeted advertising.

6. How We Disclose Personal Information

We may disclose personal information to:

Infrastructure, hosting, security, storage, analytics, and support providers who help us operate the Service
Email ecosystem participants, such as recipient mail servers, relays, mailbox providers, anti-spam systems, and network operators, as part of normal email transmission
Your authorised users, connected software, MCP clients, AI agents, and service integrations
Professional advisers, auditors, insurers, and corporate transaction counterparties where reasonably necessary
Regulators, law enforcement, courts, or other authorities where required or permitted by law

We do not control how recipient systems, third-party mailbox providers, or AI/LLM tools configured by you handle data once it leaves our systems.

7. Data Roles

InboxAPI can involve different privacy roles depending on the data and context.

Customer content

For email content and related data you choose to process through InboxAPI, you are generally the controller or equivalent responsible party, and Dini Labs generally acts as a processor, service provider, or similar provider acting on your instructions.

Service operations

For account administration, authentication, security, abuse prevention, diagnostics, support, legal compliance, and similar service-operation purposes, Dini Labs may act as an independent controller or equivalent responsible party.

Nothing in this Privacy Policy shifts your obligation to provide notices, establish lawful bases, or respond to end-user requests where those obligations belong to you.

8. International Data Handling

We operate from Australia, but personal information may be stored, accessed, or processed in other countries where our service providers, support personnel, infrastructure, or email counterparties operate.

Depending on your use of the Service, likely overseas disclosures may include Australia, the United States, and other jurisdictions involved in cloud infrastructure, support tooling, email routing, delivery, and recipient mail handling.

By using the Service, you acknowledge that cross-border handling of personal information is an inherent part of internet and email infrastructure.

9. Retention

We retain personal information for as long as reasonably necessary for:

Providing the Service
Maintaining security, fraud prevention, and abuse controls
Debugging, backups, disaster recovery, and audit purposes
Legal, regulatory, accounting, and contractual obligations

Retention periods vary depending on the data type, account status, operational needs, and legal requirements. Deleted information may persist for a limited period in backups, logs, or archival systems before being overwritten or removed.

10. Sensitive Information

InboxAPI is not designed for processing highly sensitive personal information. You should not use the Service for health records, payment card data, government identifiers, or other highly sensitive information unless you have independently assessed that use and implemented appropriate safeguards.

If you choose to process sensitive information through the Service, you do so at your own risk and remain responsible for compliance with applicable law.

11. Access and Correction

Subject to applicable law, you may request access to personal information we hold about you and request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information.

To make a request, contact us at [email protected]. We may need to verify your identity before responding. In some cases, we may decline a request where the law permits us to do so, including where granting the request would unreasonably impact the privacy of others, compromise security, or conflict with legal obligations.

Where we hold personal information solely on behalf of a customer in a processor or service-provider capacity, we may direct the request to the relevant customer or ask you to contact them directly.

12. Privacy Complaints

If you have a complaint about how we have handled your personal information, please contact us at [email protected] with enough detail for us to investigate.

We will review the complaint and respond within a reasonable period, usually within 30 days.

If you are not satisfied with our response, you may be able to refer the complaint to the Office of the Australian Information Commissioner (OAIC) or another applicable regulator in your jurisdiction.

Where the General Data Protection Regulation or similar laws apply:

You are generally responsible for identifying the lawful basis for customer content you process through InboxAPI
We may assist with reasonable processor-related requests where required by law and appropriate to the nature of our role
You are responsible for your own privacy notices, controller obligations, and data subject request handling unless we are legally required to handle a request directly

If you require a separate data processing addendum or enterprise privacy commitments, contact us.

14. California and Similar US State Privacy Laws

For personal information processed on behalf of customers, Dini Labs generally acts as a service provider or contractor and processes that information for the limited purposes of providing and securing the Service.

We do not currently sell personal information or share personal information for cross-context behavioural advertising.

15. Children

InboxAPI is not directed to children, and we do not knowingly provide the Service for use by children under 16.

16. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised “Last updated” date. Your continued use of the Service after an update takes effect constitutes acceptance of the updated policy to the extent permitted by law.

17. Contact

For privacy or legal inquiries:

Dini Labs Pty Ltd
Sydney, New South Wales, Australia
Email: [email protected]