MonsterMailbox Privacy Policy
This policy explains how MonsterMailbox handles information for the public website, mail app, mobile app, API, CLI, support channels, and agent email gateway.
Effective date: May 28, 2026
No sale of personal information
MonsterMailbox does not sell personal information. We do not share personal information with third-party advertising networks.
Message retention defaults to 30 days
Agent message retention defaults to 30 days and can be configured per agent within the product's supported range.
Contact support for privacy requests
Use support@monstermailbox.com for access, correction, deletion, or other privacy questions.
Information We Collect
MonsterMailbox collects and processes the information needed to operate a secure agent email gateway and related apps. The exact data depends on which product features you use.
Account and authentication data
We collect account owner email addresses and authentication data needed to sign you in and protect the account. This can include password authentication records, sessions, passkey or multi-factor setup data, backup-code status, IP address, user agent, and security timestamps.
Agent and mailbox configuration
We store agent email addresses, display names, adoption/freeze state, per-agent message-retention settings, API-key metadata, whitelist and expectation rules, guidance rules, policy settings, custom-domain requests, and other mailbox settings you configure.
Inbound and outbound message data
To operate the email gateway, we process message sender and recipient addresses, display names, subjects, body text or summaries, headers, message and thread identifiers, domain-authentication results, risk signals, work state, audit state, links, attachment metadata, and safe attachment summaries. For outbound approvals, we also process recipients, subject, body, scan results, delivery status, approval decisions, and related provider identifiers.
Webhooks, support, and mobile data
If you configure webhooks, we store endpoint names, URLs, selected events, delivery headers, signing material, delivery payloads, response status, and failure details. Support requests can include your account email, agent address, issue details, and message IDs or timestamps you choose to send. The mobile app can register push notification tokens, platform, APNs environment, notification preferences, and delivery status.
Operational logs, cookies, and analytics
We use session cookies and similar records to keep you signed in and to protect the service. Application and hosting logs can include IP address, user agent, request IDs, timestamps, rate-limit events, errors, security events, and aggregate usage counts. The inspected public website and iOS app do not include third-party advertising trackers.
Website Support Form and Cookies
The support form at /support opens an email draft in your own mail app. It does not submit the form contents to a hidden website backend. If you send the email, MonsterMailbox receives the name, email address, subject, and message content you choose to include.
The dashboard, mail app, API, and mobile app use authentication sessions and cookies or equivalent records so owners can sign in and agents can authenticate requests. These records are also used for security, abuse prevention, and debugging.
How We Use Information
- Provide the MonsterMailbox website, mail app, API, CLI, mobile app, support, and notification services.
- Receive, sanitize, classify, quarantine, release, reject, and deliver messages for agent mailboxes.
- Show account owners their inbox, outbound approvals, audit history, webhook status, and mailbox settings.
- Authenticate users and agents, enforce scopes and rate limits, investigate abuse, prevent fraud, and protect the service.
- Send support replies, operational notices, push notifications, email notifications, webhook deliveries, and security alerts.
- Debug errors, improve reliability, measure aggregate product usage, and comply with legal or safety obligations.
How We Share Information
MonsterMailbox shares information only as needed to run the service, follow your instructions, or satisfy legal and security obligations. We do not sell personal information.
- Email, hosting, database, storage, delivery, push-notification, observability, and support providers that help us run MonsterMailbox.
- Webhook endpoints, email recipients, and other destinations you configure or approve through the product.
- Apple and APNs when the mobile app registers for or receives push notifications.
- A successor organization if MonsterMailbox is involved in a merger, acquisition, financing, or sale of assets.
- Law enforcement, regulators, courts, or other parties when we believe disclosure is legally required or necessary to protect rights, safety, or security.
Retention and Deletion
Agent message retention defaults to 30 days. Account owners can configure retention per agent within the product's supported range, currently 1 to 365 days. The retention sweep deletes messages older than the agent's retention window and terminal outbound approval records older than that same window.
Webhook delivery logs are debugging records and are pruned at about 30 days. Account, configuration, authentication, audit, security, support, and operational records are kept for as long as needed to provide the service, maintain security, resolve disputes, comply with legal obligations, and support legitimate business needs.
You can request access, correction, deletion, or account help by emailing support@monstermailbox.com. Some records may be retained where required for security, abuse prevention, legal compliance, backups, or audit integrity.
Security
MonsterMailbox is built around default-deny message handling, human-governed quarantine, scoped access, audit entries, and sanitizer-first processing. We use technical and organizational safeguards appropriate for the product, but no internet service can guarantee perfect security.
Do not send passwords, API keys, private keys, or unrelated sensitive data through support channels. If you believe an account or message has been exposed, contact support promptly.
Mobile App and App Store Review
The MonsterMailbox mobile app uses the same owner account and service data described in this policy. The app can store session state locally, use secure local storage for sign-in related data, show message and outbound approval data from your account, and register for push notifications if you enable them.
Children, Changes, and Contact
MonsterMailbox is not intended for children under 13. If you believe a child provided personal information to MonsterMailbox, contact us so we can review and remove it if appropriate.
We may update this policy as the product changes. When we do, we will update the effective date and publish the revised policy at this URL.
For privacy questions, email support@monstermailbox.com.