Privacy Policy

Last Updated: May 29, 2026

This Privacy Policy governs the manner in which Project Bordeaux, Inc., (collectively “Inbox Monster”, "we", "us", or "our"), and itsaffiliates and subsidiaries collect, use, maintain and disclose informationcollected from users (“Users”, "you", or "your") of the inboxmonster.com website, app.inboxmonster.com platform, and its related social media accounts (collectively, the "Services").

What Information Is Covered By This Policy?

At times, and to allow Inbox Monster to do its job, Inbox Monster may receive Personal Data (defined below) for those purposes outlined in its agreements with Users. Those agreements between Inbox Monster and its Users, in addition to applicable provisions of this Privacy Policy, govern what Inbox Monster does with User Data.

"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person or household as defined under applicable global privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR).

Categories of Data We Collect

The types of User Data (i.e., data collected from visitors to Inbox Monster’s website) we collect for Inbox Monster’s own business purposes, and how it is used or shared dependson the reason(s) why it was collected. The purpose, however, is always to facilitate communication with businesses and people who utilize, or may become a future User of, Inbox Monster’s website. To that end, Inbox Monster collects the following categories of User Data on this Site:

Identifiable information, and anonymous information, through technologies such as “cookies”collected when you visit and interact with the Site.

Identifiable personal information you voluntarily give us (such as your name, address,telephone number, email address, or other information requested) so that we cancommunicate with prospective Users, current Users, former Users, and visitors further about our services, offerings, as well as in the course of providing services to Inbox Monster Users, whether or not collected through the Site, or otherwise.

User also grants Inbox Monster broad rights to use de-identified data, including de-identifiedUser Data collected by us through your use of the Inbox Monster Platform and Services, which rights continue even after an Agreement ends. Except for our limited rights to use the User Data, we acquire no right, title or interest from you or your Users, including any intellectual property rights therein.

Personally Identifiable Information (PII)

We may collect PIIfrom Users in a variety of ways, including, but not limited to, when Users visit our site, fill out a form, respond to a survey, and in connection withother activities, services, features or resources we make available on our Siteor outside or the Site. By way of example, Users may be asked for, as appropriate, name, email address, mailing address, phone number. We will collect PII from Users only if they voluntarily submit such information to usthrough the Site or otherwise. Users can always refuse to supply PII, exceptthat it may prevent them from engaging in certain Site related activities orobtaining services from Inbox Monster for which it is necessary to first obtain such information.

Web Browser Cookies, Pixels, and Tracking Technologies

Our Site may use“Cookies” to enhance User experience. A User’s web browser places cookies ontheir hard drive for record-keeping purposes and sometimes to track informationabout them. This type of information is collected to make the Site more useful to you and to tailor the experience with us to meet your special interests andneeds. A User may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts ofthe Site may not function properly.

We, our partners, our advertisers, and third-party advertising networks use various technologies to collect information, including but not limited to cookies, pixels, scripts, and device identifiers. Cookies are small text files that are sent by your computer when you access our services through a browser. We, our partners, our advertisers, and third-party advertising networks may use session cookies (which expire when you close your browser), persistent cookies (which only expire when you choose to clear them from your browser), pixels, scripts, andother identifiers to collect information from your browser or device that helps us do things such as understand how you use our services and other services; personalize your experience; measure, manage, and display advertising on the Services or on other services; understand your usage of the Services and other services in order to serve customized ads; and remember that you are logged into the Services. Our partners, advertisers, and third-party advertising networks may use these technologies to collect information about your online activity over time and across different websites or online services. By using your browser settings, you may block cookies or adjust settings for notifications when a cookie is set. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.

Your browser can alert you when cookies are placed on your device, and how you can stop or disable them via your browser settings. Please note, however, that without cookies all of the features of our online services may not work properly. If you use a mobile device, you can manage how your device and browser share certain device data by changing the privacy and security settings on your mobile device. You can learn more about cookies and how to manage your preferences by visiting http://www.allaboutcookies.org.

For further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, you can also visithttps://youradchoices.com/ and www.youronlinechoices.eu for EU visitors.

Third-Party Analytics and Service Providers

We use other companies as service providers to help us analyze our site, track metrics, and advertise to you. These service providers generally promised us under contractto keep data private but have their own privacy policies that you should be aware of.

We may usethird-party analytics service providers to help us with our online services, such as Google Analytics, Intuit, Salesforce, and Twitter. The analytics providers that administer these services use technologies such as cookies, web beacons, and web server logs to help us analyze how you use our online services. We may disclose your site-use information (including IP address) tothese analytics providers, and other service providers who use the information to help us figure out how you and others use our online services.

To learn more about how Google Analytics uses your data, please visit https://policies.google.com/technologies/partner-sites?hl=en-US.
To learn more about how Intuit uses your data, please visit
https://www.intuit.com/privacy/.
To learn more about how Salesforce uses your data, please visit https://www.salesforce.com/company/privacy/.
To learn more about how Twitter uses your data, please visit https://twitter.com/en/privacy.

How We Use Collected Information

Inbox Monster may collect and use Users personal information for the following purposes:
To run and operate our Site we may need your information to display content onthe Site correctly.
To improve customer service, information you provide helps us respond to your customer service requests and support needs more efficiently.
To personalize user experience, we may use information in the aggregate tounderstand how our Users as a group use the services and resources provided on our Site.
To run a promotion, contest, survey or other Site feature.
To send Users information they agreed to receive about topics we think will beof interest to them.
To send periodic emails for account and/or marketing purposes.
To respond to inquiries, questions, and/or other requests.

We may identify you from your Personal Data and merge or co-mingle Personal Data and Non-Personal Data, for any lawful business purpose. Except as otherwise stated, we may use information we collect from you for the legitimate business purpose of providingour Services to you, including, but not limited to:

to respond to yourrequests and provide user support;
to evaluate and improve the content of our Services;
to customize the Services to your preferences;
to establish accounts to use the Services;
to communicate information and promotional materials to you (where you have notexpressed a preference otherwise);
to check on your account status and maintain record of activities in connectionwith your use of the Site;
to notify you of any changes to relevant agreements or policies;
to enforce our agreements, terms, conditions, and policies;
to work with our service providers who perform certain business functions orservices on our behalf and who are bound by contractual obligations consistentwith this Privacy Policy;
to prevent or investigate fraud (or for risk management purposes), or to complywith a legal obligation, court order, or in order to exercise our legal claimsor to defend against legal claims;
to comply with a legal obligation, a court order, or in order to exercise our legal claims, or to defend against legal claims;
to describe our Services to current and prospective business partners and toother third parties for other lawful purposes; and
for other purposes identified to you and as requested by you.

If you have agreed to our Terms of Use, or other terms of service, and you have created an account or initiated a purchase through our Services, we may also use your information:

to establish your account to use the Services;
to charge your credit card or bank account for Services;
to validate your username, email, password, and/or other login credentials;
to respond to your requests;
to fulfill your purchase(s);
to send you email and postal mail supplying you with the most recent service information or to send you information;
to notify you of any changes to relevant agreements or policies; and
to process your Non-Personal Data as outlined as described throughout this Privacy Policy.

Purpose and Legal Bases for Processing Data

If you are aresident of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, our legal bases for collecting and using your Personal Data depend on the context and specific purpose, which include:

Purpose for Processing

Legal Basis (GDPR / UK GDPR)

To operate and provide the Services: Displaying content, establishing accounts, validating credentials, processing transactions.

Performance of a Contract: Necessary to fulfill our obligations under our Terms of Service or User agreements.

To improve our Services: Customizing user experience, analyzing usage metrics, conducting surveys.

Legitimate Interests: Our legitimate business interest in optimization, innovation, and service security.

Customer Support: Responding to your inquiries, technical issues, or complaints.

Performance of a Contract / Legitimate Interests

Marketing Communications: Sending promotional materials, newsletters, and periodic updates.

Consent / Legitimate Interests: Based on your explicit consent or our legitimate interest where permitted by law (with an opt-out always available).

Legal Compliance: Preventing fraud, defending legal claims, complying with court orders or regulatory audits.

Legal Obligation / Defense of Legal Claims

Sharing and Disclosing Your Personal Information

Inbox Monster doesnot sell or rent your Personal Data to marketers or unaffiliated thirdparties. We do not "Share" your data for cross-context behavioral advertising unless you have permitted tracking cookies. We disclose Personal Data to the following categories of recipients:

Corporate Affiliates: Parents, subsidiaries, and joint ventures under common control, who must adhere to this policy.
Service Providers (Processors): Contracted vendors helping us operate our business (e.g., hosting, customer support, email delivery). They are contractually obligated to maintain confidentiality, security, and data integrity.
Business Transfers: Third parties involved in a merger, acquisition, reorganization, or sale of assets, where the data will remain subject to similar privacy commitments.
Legal Compliance and Safety: Courts, law enforcement, or regulatory bodies when required by law, to enforce our agreements, or to protect the safety and rights of Inbox Monster, our Users, or the public.
With Your Consent: To any other third party with your explicit, prior approval.

Data Retention

We retain the Personal Information we collect where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). This means that we retain different categories of data for different periods of time depending on the category of user to whom the datarelates, the type of data, and the purposes for which we collected the data. When we have no ongoing legitimate business need to process your Personal Information, we will either delete or aggregate it. At any time, users mayrequest deletion of their account data immediately by sending an email to privacy@inboxmonster.com. When we delete your account, it cannot be recovered.

Inbox Monster as a Data Processor

We may collect, use, and disclose certain Personal Data about you when acting as service provider toan organization that uses or provides our Site or Services. These organizationsare responsible for ensuring that your privacy rights are respected, and shouldinclude information to help you understand how third parties collect and use your Personal Data. To the extent that we are acting as a data processor, wewill process your Personal Data according to the terms of our agreement withthe respective organization and its lawful instructions.

We currently use third party subprocessors to provide infrastructure services (Amazon WebServices), to help us provide customer support (Intercom), and for emailcommunication purposes (Google Workspace). Prior to engaging any third party subprocessor, we perform due diligence to evaluate their privacy, security and confidentiality practices.

Third Parties:

Amazon Web Services Security and Privacy Information
‍IntercomSecurity and Privacy Information
‍GoogleSecurity and Privacy Information

Core Data Security Principles

We implement a "Security by Design and by Default" framework. To safeguard the Personal Data entrusted to us, Inbox Monster adheres to the following foundational data security principles:

A. Data Minimization and Purpose Limitation

We only collect, process, and retain Personal Data that is strictly adequate, relevant, andlimited to what is necessary to fulfill the specific business purposes outlined in this policy. We do not process this data for incompatible purposes withoutyour explicit consent.

B. Technical and Organizational Measures (TOMs)

We maintain acomprehensive, written information security program containing appropriate administrative, technical, and physical safeguards designed to ensure the confidentiality, integrity, and availability of Personal Data. These measures include:

Encryption: Personal Data is encrypted at rest (using industry-standard algorithms such as AES-256) and in transit over public networks (using secure protocols such as TLS 1.3).
Access Controls: We enforce the Principle of Least Privilege. Access to systems containing Personal Data is strictly restricted to authorized personnel who require it to perform their specific job duties, secured by Multi-Factor Authentication (MFA) and continuous logging.
Vulnerability Management: We conduct regular vulnerability scanning, automated code analysis, and periodic independent third-party penetration testing to proactively identify and remediate security flaws.

C. Accountability and Governance

We maintain detailed internal documentation of our processing activities, conduct regular DataProtection Impact Assessments (DPIAs) for high-risk processing activities, and continuously train our workforce on data privacy and information security best practices.

International Data Transfers

Inbox Monster is headquartered in the United States. Personal Data we collect may be transferred to, and processed in, the United States or other countries where oursubprocessors operate. These countries may have data protection laws that differ from those of your home country.

Whenever we transfer Personal Data across international borders (such as out of the EEA, UK, orSwitzerland), we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, to ensure your data receives an equivalent level ofprotection.

Regional Privacy Rights & Choices

Depending on your geographic location (including the EU, UK, and US states like California,Virginia, Colorado, Connecticut, Utah, Texas, etc.), you are entitled tospecific legal rights regarding your Personal Data. Inbox Monster complies withGDPR, CCPA, and other domestic/international regulations.

A. European Union, United Kingdom, and Switzerland (GDPR/UKGDPR Rights)

If you are locatedin the EEA or UK, you have the following rights:

Right of Access & Portability: Request a copy of your Personal Data in a machine-readable format.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal exceptions.
Right to Restrict or Object to Processing: Object to direct marketing or request that we limit how we process your data.
Right to Withdraw Consent: If we process data based on your consent, you can withdraw it at any time.
Right to Complain: You have the right to lodge a complaint with a local Data Protection Authority.

B. California Residents (CCPA / CPRA Notice at Collection& Rights)

This section supplements our policy for California residents pursuant to the CaliforniaConsumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).

No Sale or Sharing of Personal Information: Inbox Monster does not "sell" your Personal Data for monetary value. We do not "share" your Personal Data for cross-context behavioral advertising unless you consent to targeting cookies.
No Sensitive Personal Information Processing: We do not collect or process "Sensitive Personal Information" (as defined under CPRA) to infer characteristics about you.
Your CPRA Rights:
- Right to Know/Access: Request the categories of data collected, specific pieces of data collected, sources of collection, and categories of third parties to whom data is disclosed.
- Right to Delete: Request deletion of your Personal Information.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: Request to opt out of the sale or sharing of your data (via cookie banners or GPC signals).
- Right to Non-Discrimination: We will not discriminate against you (e.g., deny services or charge different rates) for exercising your privacy rights.

C. Other US State Privacy Rights (VA, CO, CT, UT, TX, etc.)

Residents of USstates with comprehensive privacy regulations have similar rights to Access, Delete, Correct, Port, and Opt-Out of targeted advertising or profiling. If we deny a privacy request, you have the right to appeal our decision by contactingus using the information below.

How to Exercise Your Rights

To exercise any ofthese rights, please submit a verifiable request to privacy@inboxmonster.com. We will verify your identity (or your authorized agent's identity) beforefulfilling the request to ensure security. We respond to all legitimate requests within required statutory timelines (typically 30 days for GDPR, 45 days for US state laws).

Children’s Privacy

We do not market or sell products or services to anyone under the age of sixteen (16), and we donot knowingly collect or solicit Personal Data from children. In accordance with the Children’s Online Privacy Protection Act (“COPPA”) and the CPRA, if we discover that we have inadvertently collected Personal Data from a child under sixteen (16) without verifiable parental consent, we will delete that information from our systems immediately.

Reporting Security Incidents

For the protectionof our clients and our own systems, Inbox Monster does not publicly disclose ordiscuss security vulnerabilities until our internal research is complete andany necessary updates are deployed. If you believe you have discovered a security incident or vulnerability, please contact support@inboxmonster.com. We are committed to collaborating swiftly with security researchers to resolve issues.

Dispute and Complaint Resolution Mechanisms

We take your privacy seriously and aim to resolve any concerns or disputes swiftly and transparently. If you believe your data privacy rights have been infringed, the following avenues of resolution are available to you:

A. Internal Resolution (First Point of Contact)

We encourage you to first direct any complaints, inquiries, or grievances regarding our data handling practices directly to our Privacy Team at privacy@inboxmonster.com. Our Chief Privacy Officer will investigate your concern and respond to you within thirty (30) days of receipt, providing a clear roadmap of any corrective actions taken.

B. Alternative Dispute Resolution (ADR) for US and International Users

If an internal inquiry does not resolve your concern to your satisfaction, we provide an independent recourse mechanism to resolve disputes at no cost to you.

Independent Arbitration: For unresolved privacy complaints, Inbox Monster commits to cooperating with recognized alternative dispute resolution providers, such as the JAMS International Arbitration and Mediation rules, to provide independent, binding, or non-binding arbitration as appropriate. If you do not receive timely acknowledgement of your DPR Principles-related complaint from us, or if we have not addressed your DPR Principles-related complaint to your satisfaction, please contact or visit JAMS at https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

C. European and UK Supervisory Authorities

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have the statutory right to bypass internal mechanisms entirely and lodge a formal complaint with a competent Data Protection Authority (DPA).

In the EU: You may file a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. A complete list of EU DPAs can be found at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
In the UK: You may contact the Information Commissioner’s Office (ICO) directly at ico.org.uk.

D. US State Regulatory Appeals

For residents of USstates with comprehensive privacy laws (such as California, Virginia, Colorado, Connecticut, Utah, and Texas), if we decline to take action on a privacy rights request (e.g., a request to delete or access data), you have a legal right toappeal our decision.

To initiate an appeal, email privacy@inboxmonster.com with the subject line "Privacy Request Appeal."
If your appeal is denied and you still believe your rights were violated, you may submit a formal complaint to your state’s Attorney General or the dedicated privacy enforcement agency (such as the California Privacy Protection Agency - CPPA).

Changes To This Privacy Policy

Inbox Monster hasthe discretion to update this privacy policy at any time. When we do, we willpost a notification on the main page of our Site. We encourage Users tofrequently check this page for any changes to stay informed about how we arehelping to protect the personal information we collect. You acknowledge andagree that it is your responsibility to review this privacy policy periodicallyand become aware of modifications.

Contacting Us

If you have anyquestions, concerns, or complaints regarding this Privacy Policy, our datacompliance, or to exercise your privacy rights, please contact our Chief Privacy Officer:

Chief Privacy Officer Project Bordeaux, Inc. (Inbox Monster)

Email: privacy@inboxmonster.com

Address: 9935-D Rea Road, #234, Charlotte, NC 28277