Privacy Policy

Last updated: March 16, 2026

Lumbox ("we", "us", "our") provides email infrastructure for AI agents. This policy explains what data we collect, how we use it, and your rights.

What we collect

Account data — When you sign up, we collect your email address, name, and password (hashed, never stored in plaintext).

Email data — Emails sent to your agent inboxes are stored in our database. This includes sender, recipient, subject, body, headers, and attachments. We parse emails to extract OTP codes and verification links and to categorize content. Email data is stored on servers in Germany (Hetzner) and the US (Neon PostgreSQL).

Credential vault — If you use the credential vault, passwords and secrets are encrypted with AES-256-GCM envelope encryption before storage. We cannot read your stored credentials. Each organization gets its own encryption key.

API usage — We log API calls (endpoint, timestamp, API key prefix) for rate limiting and billing. We do not log request or response bodies.

Browser sessions — If you use browser automation, Steel Browser sessions run in isolated containers. Page content, cookies, and screenshots are ephemeral and not stored permanently unless you explicitly save session state.

Payment data — Payments are processed by Dodo Payments. We store your subscription status and customer ID. We never see or store your card number.

How we use your data

We do not sell your data. We do not use your email content to train AI models. We do not show ads.

Data storage and security

Infrastructure — Our API and mail server run on Hetzner (Germany). The database is hosted on Neon (US). The dashboard is hosted on Vercel. The landing page is on Cloudflare.

Encryption — All data is encrypted in transit (TLS). Sensitive fields (SMTP passwords, AI API keys, credential vault) are encrypted at rest with AES-256-GCM. The credential vault uses envelope encryption with per-organization keys.

API keys — API keys are hashed with SHA-256 before storage. We cannot recover your API key after creation.

Data retention

Email data is retained as long as your inbox exists. When you delete an inbox, all associated emails and attachments are permanently deleted. When you delete your account, all data is permanently deleted within 30 days.

Your rights

You can:

For data requests or questions, email privacy@lumbox.co.

Cookies

The dashboard uses session cookies for authentication. The landing page does not use tracking cookies or analytics.

Changes

We may update this policy. If we make significant changes, we will notify you via email or a notice on the dashboard.

Contact

Lumbox
Email: privacy@lumbox.co