Klearbox Privacy Policy

Effective Date: May 11, 2026

Version: 3.3

This Privacy Policy explains how Avestra-One GmbH processes personal data in connection with Klearbox.

Klearbox is a consumer email-management service. It helps users review, organise, clean up, unsubscribe from, and automate actions in connected third-party email accounts.

Klearbox is designed to minimize the personal data it keeps. We do not sell personal data, we do not use personal data for behavioral advertising, and we do not maintain a persistent archive of the full content of your mailbox. However, Klearbox is not a 'no data stored' service. We store certain email metadata, such as sender addresses and subject lines, where they are part of cleanup filters, rules, action history, unsubscribe records, or other service records. Cleanup-run filter details are purged after 90 days; active rule configuration is retained while the rule is active.

1. Controller and Contact Details

The controller responsible for the processing of personal data described in this Privacy Policy is:

Avestra-One GmbH
Aichhorngasse 10/3
1120 Vienna
Austria
Commercial Register: FN 629016z
Email: support@klearbox.net
Website: https://klearbox.net
Application: https://app.klearbox.net

In this Privacy Policy, “Klearbox”, “we”, “us”, “our”, and “provider” refer to Avestra-One GmbH.

No Data Protection Officer (DPO) is appointed, as our processing activities do not require one under Article 37(1) GDPR. Privacy questions and data subject requests can be sent to support@klearbox.net.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed in connection with:

  • the public Klearbox website;
  • the Klearbox web application;
  • account registration, login, email verification, session management, and account deletion;
  • connection of supported email accounts;
  • email cleanup, preview, unsubscribe, smart-rule, and automation features;
  • subscriptions, purchases, cancellations, refunds, chargebacks, and billing-related workflows;
  • customer support, legal requests, privacy requests, security operations, and service communications;
  • cookies, local storage, session storage, analytics, and similar technologies used on Klearbox sites and applications.

This Privacy Policy does not replace the privacy notices of your email provider, Lemon Squeezy (merchant of record), or third-party newsletter senders whose unsubscribe mechanisms you choose to use through Klearbox. The Cookie Policy provides details on cookies/tracking technologies.

3. Supported Jurisdictions

Klearbox is available only to residents of EU member states, Iceland, Liechtenstein, Norway, the United Kingdom, and Switzerland, enforced via registration checks.

If you are resident elsewhere, we may reject registration or access for legal, regulatory, or payment reasons. This does not limit your rights under applicable law in your jurisdiction.

4. What Klearbox Does

Klearbox connects to supported third-party email accounts when you provide or authorise the credentials needed for that connection.

Depending on the features you use, Klearbox may help you:

  • connect a supported email account;
  • list folders and mailbox information needed for service operation;
  • search selected folders using filters or rules you choose;
  • preview matched emails before taking action;
  • move selected or rule-matched emails to Trash or another supported destination;
  • detect newsletters or recurring senders;
  • identify unsubscribe mechanisms;
  • execute unsubscribe actions that you request;
  • create or apply cleanup rules;
  • generate smart-rule suggestions;
  • run recurring cleanup operations where you configure them.

Klearbox is not an email provider and does not host your email infrastructure. When you use cleanup features, Klearbox moves selected or rule-matched emails to your email provider’s Trash folder or equivalent folder. Klearbox does not control your email provider’s later retention or permanent deletion of messages.

5. Roles Under Data Protection Law

For ordinary consumer use of Klearbox, Avestra-One GmbH acts as an independent controller for personal data processed in connection with the service.

This includes account data, subscription and billing-related data, support data, credentials, service configuration, mailbox metadata, temporary mailbox-content access where technically necessary for a requested feature, derived service records, operational logs, security logs, and legal-compliance records.

Your settings, rules, selections, and confirmations determine which Klearbox features are applied to your connected mailbox. They do not make Klearbox a processor or joint controller with you for ordinary consumer use.

We do not act as a processor for consumer users unless we expressly agree separate processor terms that satisfy Article 28 GDPR. If a different role applies to a specific business product, integration, or enterprise use case, we will state this separately before that use case applies.

6. Sources of Personal Data

We obtain personal data from the following sources:

  • from you, when you create an account, choose settings, connect an email account, configure rules, purchase a plan, contact support, or exercise privacy rights;
  • from your connected email account, when Klearbox accesses mailbox data to provide features you request or configure;
  • from your email provider, when Klearbox connects through IMAP, App Password, or another supported interface;
  • from payment providers or merchants of record, when they provide subscription, purchase, refund, chargeback, tax, or billing-status information;
  • from your browser or device, when you use the website or application;
  • from service providers, where they provide hosting, security, analytics, support, transactional email, logging, backup, or payment-related services.

Mailbox data may include personal data relating to other people, such as senders, recipients, and individuals mentioned in email metadata or content. Klearbox processes such data only as necessary to provide the service requested or configured by the Klearbox user, secure the service, comply with law, or protect legal rights.

7. Categories of Personal Data We Process

Depending on how you use Klearbox, we process the following categories of personal data.

7.1 Account and Profile Data

This includes your email address, password hash, language, country of residence, subscription plan and status, account creation timestamp, email-verification status, account-deletion status, and account-security settings such as two-factor authentication status where enabled.

7.2 Authentication and Session Data

This includes login events, failed-login events, access and refresh tokens, session status, device and browser information, and security-relevant session records.

7.3 Connected Email Account Data

This includes the email provider, connected email address, connection status, folder information, unread counts, credential metadata, connection timestamps, disconnection timestamps, and operational status information.

7.4 Credentials

This includes app passwords, IMAP credentials, OAuth tokens, or other authentication material that you provide or authorise to connect a supported email account. Where credentials are stored, they are stored in encrypted form. Klearbox does not export plaintext credentials, app passwords, or tokens in privacy exports.

7.5 Mailbox Metadata and Preview Data

This may include sender and recipient information, display names, subject lines, folder names, timestamps, message identifiers, thread or UID values, technical headers, search criteria, and filter criteria.

7.6 Limited Email Content

Readable email body content or structured body elements may be accessed transiently where technically necessary for a feature you request, such as identifying an unsubscribe mechanism in the "Unsubscribe Scan" phase when headers are insufficient. This content is processed transiently for the relevant operation and not retained as a persistent mailbox-content archive.

7.7 Cleanup, Rule, and Automation Data

This includes folder selections, filters, cleanup rules, automation rules, cleanup-run records, counts of messages moved or processed, task status, schedules, error information, and recurring-rule state.

7.8 Unsubscribe and Smart-Rule Data

This includes sender email addresses, sender display names, sender classifications, unsubscribe method, unsubscribe target, unsubscribe status, review timestamps, smart-rule suggestion status, and sender groupings.

7.9 Consent, Legal, and Audit Records

This includes accepted terms and policy versions, consent choices, withdrawal records, source flow or screen, timestamps, session identifiers where stored, hashed IP information where stored, audit events, account-deletion records, privacy-request records, and legal-request history.

7.10 Payment and Subscription Data

This includes customer or subscription identifiers, plan purchased, billing type, transaction or order references, payment status, subscription lifecycle events, refund or chargeback information, purchase timestamps, and receipt-related legal version information.

Klearbox uses Lemon Squeezy as merchant of record for payment processing. Klearbox does not store full payment card numbers or card security codes in its own systems.

7.11 Technical, Device, and Security Data

This includes IP-related data, browser and device information, access timestamps, rate-limiting data, abuse-prevention data, application logs, security logs, and error logs.

7.12 Support and Communications Data

This includes support messages, support attachments if you provide them, transactional email delivery data, marketing-consent status, unsubscribe status, and service communications sent to your account email address.

7.13 Cookies, Local Storage, Session Storage, and Similar Technologies

This includes information stored or accessed through cookies, local storage, session storage, and similar technologies, as described in our Cookie Policy.

8. Purposes of Processing

We process personal data for the following purposes:

  • creating, verifying, and managing user accounts;
  • authenticating users and maintaining secure sessions;
  • checking service eligibility and supported jurisdictions;
  • connecting to supported email providers;
  • listing folders and mailbox information needed for the service;
  • searching mailbox folders based on user-selected filters;
  • generating email previews for user review;
  • moving selected or rule-matched messages to Trash or another destination made available by the service;
  • running one-time and recurring cleanup operations based on rules you configure;
  • identifying senders, newsletters, promotions, and similar message categories;
  • detecting and executing unsubscribe mechanisms that you request;
  • creating and managing smart-rule suggestions;
  • storing and using encrypted credentials where required for stored-account or automation features you enable;
  • enforcing plan limits and subscription entitlements;
  • processing purchases, subscriptions, cancellations, refunds, chargebacks, invoices, and receipts;
  • sending transactional, security, legal, support, and service-related communications;
  • responding to support requests and troubleshooting issues;
  • processing access, deletion, portability, objection, consent-withdrawal, and other privacy requests;
  • maintaining consent, audit, cancellation, and withdrawal records;
  • securing the service, detecting abuse, preventing fraud, and investigating incidents;
  • monitoring service reliability, debugging, and improving product quality;
  • complying with tax, accounting, consumer-law, data-protection, and other legal obligations;
  • establishing, exercising, or defending legal claims.

Klearbox does not use readable email body content for behavioural advertising, sale of data, unrelated profiling, or training general-purpose artificial-intelligence models.

9. Legal Bases Under Article 6 GDPR

We rely on the following legal bases under Article 6 GDPR:

| Processing activity | Legal basis |
|---|---|
| Account creation, verification, login, session management, account settings, and core service access | Article 6(1)(b) GDPR — performance of a contract |
| Connecting supported email accounts and processing credentials needed for requested mailbox operations | Article 6(1)(b) GDPR — performance of a contract |
| Temporary session credentials used for one-off cleanup or preview operations | Article 6(1)(b) GDPR — performance of a contract |
| Persistent encrypted credential storage for stored-account or recurring automation features | Article 6(1)(b) GDPR where necessary for the chosen feature; Article 6(1)(a) GDPR where the product flow separately asks for consent for credential storage. |
| Processing mailbox metadata, preview headers, folder names, filters, and message identifiers for cleanup and review features | Article 6(1)(b) GDPR — performance of a contract |
| Temporary access to limited email content to detect unsubscribe mechanisms or provide another requested feature | Article 6(1)(b) GDPR — performance of a contract |
| Cleanup runs, rule configuration, automation schedules, and action history | Article 6(1)(b) GDPR — performance of a contract |
| Unsubscribe workflows, unsubscribe status, sender lists, and smart-rule suggestions | Article 6(1)(b) GDPR — performance of a contract |
| Billing, subscription access, payment-status handling, receipts, refunds, and chargebacks | Article 6(1)(b) GDPR — performance of a contract; Article 6(1)(c) GDPR for statutory records |
| Accounting, tax, consumer-law, withdrawal, and legal-compliance records | Article 6(1)(c) GDPR — legal obligation |
| Consent records, policy-version records, audit records, and evidence of legally relevant actions | Article 6(1)(c) GDPR — legal obligation; Article 6(1)(f) GDPR — legitimate interests in accountability and legal defence |
| Security logs, fraud prevention, abuse detection, rate limiting, incident response, and service integrity | Article 6(1)(f) GDPR — legitimate interests |
| Product diagnostics, error monitoring, reliability monitoring, and limited operational analytics | Article 6(1)(f) GDPR — legitimate interests; consent where required by law for cookies or similar technologies |
| Optional analytics, optional marketing, and non-essential cookies or similar technologies | Article 6(1)(a) GDPR — consent, where required |
| Direct marketing to existing users, where legally permitted | Article 6(1)(f) GDPR or Article 6(1)(a) GDPR depending on the communication and consent status, subject to opt-out rights |
| Legal claims, dispute handling, authority requests, and enforcement of rights | Article 6(1)(c) GDPR where legally required; Article 6(1)(f) GDPR where necessary for legal defence |

Where we rely on legitimate interests, we balance our interests against your rights and freedoms. You may object to processing based on legitimate interests as described in the “Your rights” section.

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

10. Mailbox Metadata and Email Content

Klearbox distinguishes between mailbox metadata and email content.

Mailbox metadata includes non-body information about emails, such as sender, recipient, subject line, folder, timestamps, message identifiers, technical headers, and provider-specific message references.

Email content means the readable body text of an email and, where applicable, structured elements within the email body.

Klearbox primarily processes mailbox metadata and preview headers to provide cleanup, review, sender-identification, rule, and automation features. For example, when you request a preview, Klearbox may fetch limited header fields such as From, Subject, and Date so that you can review matched messages before taking action.

Some features require temporary access to limited email content. For example, if an unsubscribe mechanism cannot be identified from headers or metadata alone, Klearbox may temporarily access message body content to locate an unsubscribe link or mechanism.

Klearbox does not maintain a persistent stored archive of the full content of your emails. After the relevant operation is completed, Klearbox does not retain readable email body text as mailbox content, except for transient technical processing necessary to carry out that operation or where you provide content to support or legal handling.

Klearbox may retain derived records, such as sender classifications, unsubscribe status, rules, filter criteria, cleanup history, and audit records, as described in this Privacy Policy.

11. Credential Handling and Connected Email Accounts

To connect a supported email account, you may need to provide or authorise a provider email address and an app-specific password, IMAP credential, OAuth token, or other authentication material supported by your email provider.

Klearbox uses these credentials only to provide the features you request or configure, such as listing folders, fetching limited previews, identifying senders, moving selected or rule-matched emails to Trash, and running configured cleanup or unsubscribe workflows.

Klearbox supports two credential-handling modes.

Session credentials. For one-off or session-based use, credentials are stored temporarily in encrypted session infrastructure for the time needed to perform requested operations and are then deleted or expire automatically.

Stored credentials. If you enable features that require reconnect-free access or recurring operations, Klearbox may store credentials in encrypted form. Stored credentials are used only for the connected account and features you enable. Credential metadata may be displayed to you, but decrypted credentials are not returned to the frontend after storage.

You may revoke Klearbox’s access by deleting the relevant stored credential or disconnecting the connected account in Klearbox settings. You may also revoke an app password, OAuth grant, or similar credential directly in your email provider’s security settings. Once access is removed, Klearbox will stop using that credential for future operations, subject to technical propagation and limited legal or security records.

Klearbox does not include plaintext credentials, app passwords, or tokens in data exports.

12. Cleanup Preview, Cleanup Runs, and Automation

When you use cleanup features, Klearbox may search selected mailbox folders using criteria that you choose or configure, such as sender, subject keyword, folder, age, or similar filter settings.

Before a cleanup action, Klearbox may display preview information to help you review the matched emails. This preview may include message identifiers, sender, subject, date, and folder information.

When you confirm a cleanup action, or when a recurring rule that you configured runs automatically, Klearbox may move selected or rule-matched messages to the Trash folder or another destination supported by the service and your provider. Klearbox does not control your provider’s later permanent deletion of messages from Trash.

Klearbox may retain cleanup-run records, rule configurations, filter criteria, message counts, task status, timestamps, and error information to show history, support troubleshooting, enforce plan limits, operate recurring rules, and maintain service integrity.

13. Unsubscribe and Smart-Rule Features

If you use unsubscribe features, Klearbox may scan newsletter-like senders and messages to identify unsubscribe mechanisms. This may include processing List-Unsubscribe headers, sender information, unsubscribe links, and, where needed, limited email body content to locate an unsubscribe mechanism.

When you instruct Klearbox to unsubscribe, Klearbox may contact the relevant unsubscribe endpoint, send an unsubscribe request, or otherwise execute the unsubscribe mechanism supported by the sender and the message. The relevant newsletter sender or unsubscribe endpoint may receive the information necessary to process the unsubscribe request.

Klearbox may store unsubscribe records, including sender email address, sender display name, unsubscribe method, unsubscribe target, status, review timestamp, and related operational records. These records help us show your unsubscribe history, avoid repeated actions, support troubleshooting, and maintain service reliability.

Klearbox may also generate smart-rule suggestions from sender patterns detected during scans, such as suggestions for shipping, OTP, promotional, newsletter, or similar recurring senders. You remain responsible for reviewing and enabling any suggested rule.

14. Special Categories of Data

Klearbox is not designed to identify, infer, classify, or intentionally process special categories of personal data, such as health data, political opinions, religious or philosophical beliefs, trade-union membership, biometric data, genetic data, or data concerning sex life or sexual orientation.

However, email accounts may contain such information. Limited incidental access may occur when Klearbox technically processes mailbox data to provide a feature you request or configure, such as preview, cleanup, unsubscribe, or rule functionality.

We minimise such access and do not use special-category information to create sensitive profiles, for advertising, for unrelated analytics, or for training general-purpose artificial-intelligence models.

Where processing of special-category data cannot be avoided and Article 9 GDPR applies, we process such data only where a valid Article 9 condition is available, with appropriate safeguards and only to the extent necessary for the relevant feature or legal purpose.

15. Payment and Subscription Data

Paid plans, subscriptions, one-time purchases, refunds, chargebacks, and related payment workflows are processed through Lemon Squeezy as merchant of record.

Klearbox does not store full payment card numbers or card security codes in its own systems. We may receive limited payment and subscription metadata, such as customer or subscription identifiers, plan purchased, billing type, transaction or order references, payment status, subscription lifecycle events, refund or chargeback status, purchase timestamps, and receipt-related legal version information.

As merchant of record, Lemon Squeezy may process certain personal data as an independent controller for payment processing, fraud prevention, tax, accounting, regulatory compliance, and merchant-of-record obligations. Lemon Squeezy’s processing is also governed by its own privacy notice.

16. Cookies, Local Storage, Session Storage, and Analytics

Klearbox uses cookies, local storage, session storage, and similar technologies to operate the website and application, maintain secure sessions, remember choices, protect accounts, detect abuse, and, where enabled, measure usage and reliability.

Strictly necessary technologies may be used without consent where they are required to provide the website or service you request, including login, security, session management, load balancing, fraud prevention, and consent-preference storage.

Optional analytics or similar technologies are used only where legally permitted and, where required, after you have given consent. You can manage your choices through the Cookie Settings or other consent mechanism made available by Klearbox.

Full details, including names, purposes, providers, whether they are cookies or local storage, and retention, are provided in the Klearbox Cookie Policy.

17. Recipients and Service Providers

We share personal data only where necessary to provide, secure, support, bill, maintain, or improve Klearbox, comply with law, or protect legal rights.

Depending on the workflow, recipients may include:

  • infrastructure and hosting providers;
  • database and application infrastructure providers;
  • content-delivery, DNS, DDoS-protection, and network-security providers;
  • transactional email providers;
  • payment providers or merchants of record;
  • analytics and error-monitoring providers acting within the limits described in this Privacy Policy and the Cookie Policy;
  • backup and storage providers;
  • source-control and deployment providers where they process operational or security data;
  • your selected email provider, where Klearbox connects to your mailbox;
  • third-party newsletter senders or unsubscribe endpoints when you instruct Klearbox to execute an unsubscribe action;
  • professional advisers, auditors, insurers, courts, authorities, regulators, and law-enforcement bodies where legally required or necessary to protect rights.

Examples of service providers and recipients currently used include Supabase/PostgreSQL, Hetzner Cloud (including backup storage), Cloudflare, Resend, Lemon Squeezy, GitLab, Ghost CMS, Sentry (server-side error monitoring, EU region), and self-hosted Plausible analytics. We may also use backup and storage providers that process encrypted backup data within the limits described in this Privacy Policy.

We do not disclose personal data to advertising networks for behavioural advertising.

18. International Transfers

Klearbox is based in Austria and aims to operate primarily using infrastructure in the European Union or other supported regions. However, some service providers or their subprocessors may process personal data outside the European Economic Area, the United Kingdom, or Switzerland.

Where personal data is transferred internationally, we use legally recognised safeguards where required, such as:

  • adequacy decisions for countries or organisations recognised as providing an adequate level of protection;
  • the European Commission’s Standard Contractual Clauses;
  • UK international data transfer addenda or equivalent UK safeguards where applicable;
  • Swiss transfer safeguards where applicable;
  • supplementary technical, contractual, or organisational measures where required.

You may contact us for further information about the safeguards used for international transfers.

19. Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

| Data category | Retention |
|---|---|
| Account and profile data | We keep account and profile data while the account is active. After an account deletion request, the account may be soft-deleted first and then anonymised or deleted, normally within approximately 30 days unless longer retention is required. |
| Email verification tokens | Email verification tokens are stored temporarily and expire automatically, normally within 24 hours. |
| Session credentials | Session credentials are stored only for the session lifecycle or until expiry or invalidation. IMAP session credentials normally expire automatically after approximately 30 minutes. |
| Stored credentials | Stored credentials are kept until you delete the credential, disconnect the relevant account, revoke access, or delete your Klearbox account, subject to limited legal or security records and backup cycles. |
| Mailbox preview data | Mailbox preview data is processed for the relevant preview or operation and is not retained as a permanent mailbox-content archive, except where it is reflected in user-selected filters, rules, action history, logs, or derived records. |
| Cleanup-run records and rule data | Cleanup-run records and rule data are kept as operational history. Cleanup-run filter details are purged after 90 days; active rule configuration is retained while the rule is active. |
| Unsubscribe sender records and smart-rule suggestion records | Unsubscribe sender records and smart-rule suggestion records are kept while needed to provide unsubscribe history, review, follow-up, and suggestion features. They are normally purged or anonymised after approximately 90 days where applicable. |
| Consent, withdrawal, policy-version, and legal acceptance records | Consent, withdrawal, policy-version, and legal acceptance records are kept for the period necessary to demonstrate compliance and defend legal claims, generally up to 7 years. |
| Audit logs and security logs | Audit logs and security logs are kept for security, accountability, dispute, and legal-compliance periods appropriate to the event type. Longer retention may apply for incidents, abuse, or legal claims. |
| Support communications | Support communications are kept for as long as needed to handle the issue and for legal defence or accountability, normally no longer than necessary for the relevant limitation period. |
| Payment, invoice, tax, and accounting records | Payment, invoice, tax, and accounting records are kept for statutory accounting, tax, consumer-law, and legal-compliance periods. |
| Backups | Encrypted backups are kept according to the documented backup-retention schedule and are isolated from ordinary production use. |
| Aggregated or anonymised data | Aggregated or anonymised data may be kept longer where individuals are no longer identifiable and re-identification is not reasonably likely. |

Where we retain data for legal claims, security investigations, or compliance, we restrict access and retain it only for the relevant purpose.

20. Account Deletion, Disconnection, and Credential Revocation

You may disconnect a connected email account or delete stored credentials through Klearbox settings where this feature is available. You may also revoke app passwords, OAuth grants, or similar credentials directly in your email provider’s security settings.

When you delete stored credentials or disconnect a connected account in Klearbox, we will stop using those credentials for future operations and delete or render them unusable in active production systems without undue delay, subject to legal retention obligations and limited technical logging necessary to evidence the security operation.

If you request deletion of your Klearbox account, we will deactivate the account, stop further automated or scheduled operations, delete stored credentials for connected email accounts, and delete or anonymise other personal data derived from your use of Klearbox in accordance with this Privacy Policy and legal retention obligations.

We may retain consent records, audit logs, accounting records, payment records, security records, and other legal-evidence records where required or permitted by law.

Deleting your Klearbox account or disconnecting Klearbox does not automatically delete emails from your email provider’s mailbox, Trash folder, backups, or systems. Your email provider’s own retention and deletion rules continue to apply.

21. Your Rights

Subject to the conditions and limitations under applicable law, you have the following rights:

  • the right to be informed about the processing of your personal data;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to processing based on legitimate interests;
  • the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
  • rights relating to automated decision-making where applicable.

You can submit privacy-related requests by contacting support@klearbox.net or through any privacy request tools made available in the application.

We may need to verify your identity before fulfilling a request. If your request concerns personal data contained in another user’s mailbox, or data relating to other individuals in mailbox content or metadata, we may have limited ability to identify or act on that data without additional information and without affecting the rights of other users or third parties.

You also have the right to lodge a complaint with a supervisory authority. In Austria, the competent authority is:

Österreichische Datenschutzbehörde
Barichgasse 40–42
1030 Vienna
Austria
Email: dsb@dsb.gv.at
Phone: +43 1 52 1520

You may also contact the supervisory authority in your country of residence, place of work, or place of the alleged infringement, where applicable.

22. Data Exports and Portability

Where available, Klearbox provides downloadable personal data exports containing account data, consent records, cleanup rules, unsubscribe sender history, smart-rule suggestions, and audit logs, to the extent such data are included in the export tools then made available by Klearbox.

Klearbox does not include plaintext passwords, app passwords, OAuth tokens, IMAP credentials, encryption keys, or other secrets in data exports.

The right to data portability applies only where the legal conditions under Article 20 GDPR are met, in particular where processing is based on consent or contract and carried out by automated means.

23. Automated Processing, Sender Classification, and Smart Suggestions

Klearbox uses automated processing to provide features such as identifying OTP, shipping, promotional, newsletter, or similar recurring senders in order to suggest cleanup rules. These suggestions do not produce legal effects and require your confirmation to become active rules.

These automated processes are used to provide technical email-management functionality. They do not produce legal effects concerning you and are not intended to similarly significantly affect you within the meaning of Article 22 GDPR.

Where Klearbox provides previews, recommendations, suggested rules, or sender lists, these are technical suggestions. You remain responsible for reviewing selections and confirming actions, unless you have configured an automation or recurring rule to run automatically.

Klearbox does not use readable email body content to train general-purpose artificial-intelligence models.

24. Security Measures

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure.

These measures may include, as appropriate:

  • encryption in transit;
  • encryption of stored credentials;
  • password hashing;
  • access controls and least-privilege practices;
  • session controls and logout invalidation;
  • logging, monitoring, and abuse controls;
  • rate limiting and fraud-prevention measures;
  • backup and recovery procedures;
  • vendor security assessment and contractual safeguards;
  • confidentiality obligations for personnel and service providers.

No system can guarantee absolute security. You should also protect your own devices, Klearbox credentials, email-provider credentials, app passwords, and email accounts. If you suspect unauthorised access to your Klearbox account or connected email account, contact us and revoke the relevant provider credentials without undue delay.

25. Children and Eligibility

Klearbox is intended for consumer users who are at least 18 years old or have reached the age of full legal capacity in their country of residence. The service is not directed to children.

We do not knowingly allow children to create Klearbox accounts. If you believe that a child has created an account or provided personal data to Klearbox, please contact us at support@klearbox.net.

26. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The current version is published on our website or in the application with its effective date.

If we make material changes that affect your rights, the purposes of processing, the categories of data processed, or how Klearbox accesses connected email accounts, we will take appropriate steps to inform you, such as by email, in-product notice, or another suitable method.

Where legally required, we will obtain consent or provide additional notice before applying a change.

27. Contact

For questions about this Privacy Policy or the processing of personal data, contact:

Avestra-One GmbH
Aichhorngasse 10/3
1120 Vienna
Austria
Email: support@klearbox.net

Annex: Summary of Key Processing Activities

| Activity | Data involved | Purpose | Legal basis |
|---|---|---|---|
| Account registration and login | Email, password hash, verification status, country, language, session data | Account creation, authentication, and access to the service | Article 6(1)(b) GDPR |
| Mailbox connection | Provider email address, credentials, credential metadata, connection status | Connecting supported email accounts and providing requested features | Article 6(1)(b) GDPR; Article 6(1)(a) GDPR where separate credential-storage consent is used |
| Cleanup preview and actions | Folder, sender, subject, date, message IDs, filters, counts, action history | Allowing you to review and move selected or rule-matched emails | Article 6(1)(b) GDPR |
| Unsubscribe workflows | Sender details, headers, unsubscribe target, status, limited body content where needed | Detecting and executing unsubscribe mechanisms requested by you | Article 6(1)(b) GDPR |
| Smart-rule suggestions | Sender classifications, sender groupings, suggestion status | Suggesting recurring cleanup rules | Article 6(1)(b) GDPR |
| Payments and subscriptions | Customer, subscription, and order references, plan details, status information, refund and chargeback data | Billing, subscription management, receipts, refunds, chargebacks, and statutory records | Article 6(1)(b) GDPR; Article 6(1)(c) GDPR for statutory records |
| Security and audit logs | Login events, failed logins, credential access events, security events, timestamps, IP-related data, browser and device data, audit logs, security logs, abuse indicators | Protecting the service, investigating abuse, maintaining accountability, and legal defence | Article 6(1)(f) GDPR; Article 6(1)(c) GDPR where legally required |
| Support | Support messages, attachments provided by user, troubleshooting data | Customer support and issue resolution | Article 6(1)(b) or 6(1)(f) GDPR |
| Cookies and analytics | Cookie/local storage/session storage data, usage and reliability events | Service operation, security, preferences, optional analytics | Article 6(1)(f) GDPR or Article 6(1)(a) GDPR where consent is required |