Privacy Policy
Last Updated: June 29, 2026
This Privacy Policy governs the manner in which Project Bordeaux, Inc., (collectively “Inbox Monster”, "we", "us", or "our"), and its affiliates and subsidiaries collect, use, maintain and disclose information collected from users (“Users”, "you", or "your") of the inboxmonster.com website, app.inboxmonster.com platform, and its related social media accounts (collectively, the "Services").
What Information Is Covered By This Policy?
At times, and to allow Inbox Monster to do its job, Inbox Monster may receive Personal Data (defined below) for those purposes outlined in its agreements with Users. Those agreements between Inbox Monster and its Users, in addition to applicable provisions of this Privacy Policy, govern what Inbox Monster does with User Data.
"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person or household as defined under applicable global privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR).
Categories of Data We Collect
The types of User Data (i.e., data collected from visitors to Inbox Monster’s website) we collect for Inbox Monster’s own business purposes, and how it is used or shared depends on the reason(s) why it was collected. The purpose, however, is always to facilitate communication with businesses and people who utilize, or may become a future User of, Inbox Monster’s website. To that end, Inbox Monster collects the following categories of User Data on this Site:
Identifiable information, and anonymous information, through technologies such as “cookies” collected when you visit and interact with the Site.
Identifiable personal information you voluntarily give us (such as your name, address,telephone number, email address, or other information requested) so that we can communicate with prospective Users, current Users, former Users, and visitors further about our services, offerings, as well as in the course of providing services to Inbox Monster Users, whether or not collected through the Site, or otherwise.
User also grants Inbox Monster broad rights to use de-identified data, including de-identifiedUser Data collected by us through your use of the Inbox Monster Platform and Services, which rights continue even after an Agreement ends. Except for our limited rights to use the User Data, we acquire no right, title or interest from you or your Users, including any intellectual property rights therein.
Personally Identifiable Information (PII)
We may collect PII from Users in a variety of ways, including, but not limited to, when Users visit our site, fill out a form, respond to a survey, and in connection with other activities, services, features or resources we make available on our Site or outside or the Site. By way of example, Users may be asked for, as appropriate, name, email address, mailing address, phone number. We will collect PII from Users only if they voluntarily submit such information to us through the Site or otherwise. Users can always refuse to supply PII, except that it may prevent them from engaging in certain Site related activities or obtaining services from Inbox Monster for which it is necessary to first obtain such information.
Web Browser Cookies, Pixels, and Tracking Technologies
Our Site may use “Cookies” to enhance User experience. A User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. This type of information is collected to make the Site more useful to you and to tailor the experience with us to meet your special interests and needs. A User may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.
We, our partners, our advertisers, and third-party advertising networks use various technologies to collect information, including but not limited to cookies, pixels, scripts, and device identifiers. Cookies are small text files that are sent by your computer when you access our services through a browser. We, our partners, our advertisers, and third-party advertising networks may use session cookies (which expire when you close your browser), persistent cookies (which only expire when you choose to clear them from your browser), pixels, scripts, and other identifiers to collect information from your browser or device that helps us do things such as understand how you use our services and other services; personalize your experience; measure, manage, and display advertising on the Services or on other services; understand your usage of the Services and other services in order to serve customized ads; and remember that you are logged into the Services. Our partners, advertisers, and third-party advertising networks may use these technologies to collect information about your online activity over time and across different websites or online services. By using your browser settings, you may block cookies or adjust settings for notifications when a cookie is set. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
Your browser can alert you when cookies are placed on your device, and how you can stop or disable them via your browser settings. Please note, however, that without cookies all of the features of our online services may not work properly. If you use a mobile device, you can manage how your device and browser share certain device data by changing the privacy and security settings on your mobile device. You can learn more about cookies and how to manage your preferences by visiting http://www.allaboutcookies.org.
For further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, you can also visit https://youradchoices.com/ and www.youronlinechoices.eu for EU visitors.
Third-Party Analytics and Service Providers
We use other companies as service providers to help us analyze our site, track metrics, and advertise to you. These service providers generally promised us under contract to keep data private but have their own privacy policies that you should be aware of.
We may use third-party analytics service providers to help us with our online services, such as Google Analytics, Intuit, Salesforce, and Twitter. The analytics providers that administer these services use technologies such as cookies, web beacons, and web server logs to help us analyze how you use our online services. We may disclose your site-use information (including IP address) to these analytics providers, and other service providers who use the information to help us figure out how you and others use our online services.
To learn more about how Google Analytics uses your data, please visit https://policies.google.com/technologies/partner-sites?hl=en-US.
To learn more about how Intuit uses your data, please visit
https://www.intuit.com/privacy/.
To learn more about how Salesforce uses your data, please visit https://www.salesforce.com/company/privacy/.
To learn more about how X uses your data, please visit https://privacy.x.com/en.
How We Use Collected Information
Inbox Monster may collect and use Users personal information for the following purposes: To run and operate our Site we may need your information to display content on the Site correctly. To improve customer service, information you provide helps us respond to your customer service requests and support needs more efficiently. To personalize user experience, we may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Site. To run a promotion, contest, survey or other Site feature. To send Users information they agreed to receive about topics we think will be of interest to them. To send periodic emails for account and/or marketing purposes. To respond to inquiries, questions, and/or other requests.
We may identify you from your Personal Data and merge or co-mingle Personal Data and Non-Personal Data, for any lawful business purpose. Except as otherwise stated, we may use information we collect from you for the legitimate business purpose of providing our Services to you, including, but not limited to:
to respond to your requests and provide user support;
to evaluate and improve the content of our Services;
to customize the Services to your preferences;
to establish accounts to use the Services;
to communicate information and promotional materials to you (where you have not expressed a preference otherwise);
to check on your account status and maintain record of activities in connection with your use of the Site;
to notify you of any changes to relevant agreements or policies;
to enforce our agreements, terms, conditions, and policies;
to work with our service providers who perform certain business functions or services on our behalf and who are bound by contractual obligations consistent with this Privacy Policy;
to prevent or investigate fraud (or for risk management purposes), or to comply with a legal obligation, court order, or in order to exercise our legal claims or to defend against legal claims;
to comply with a legal obligation, a court order, or in order to exercise our legal claims, or to defend against legal claims;
to describe our Services to current and prospective business partners and to other third parties for other lawful purposes; and
for other purposes identified to you and as requested by you.
If you have agreed to our Terms of Use, or other terms of service, and you have created an account or initiated a purchase through our Services, we may also use your information:
to establish your account to use the Services;
to charge your credit card or bank account for Services;
to validate your username, email, password, and/or other login credentials;
to respond to your requests;
to fulfill your purchase(s);
to send you email and postal mail supplying you with the most recent service information or to send you information;
to notify you of any changes to relevant agreements or policies; and
to process your Non-Personal Data as outlined as described throughout this Privacy Policy.
Purpose and Legal Basis for Processing Data
If you are a resident of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, our legal basis for collecting and using your Personal Data depend on the context and specific purpose, which include:
Purpose for Processing
Legal Basis (GDPR / UK GDPR)
To operate and provide the Services: Displaying content, establishing accounts, validating credentials, processing transactions.
Performance of a Contract: Necessary to fulfill our obligations under our Terms of Service or User agreements.
To improve our Services: Customizing user experience, analyzing usage metrics, conducting surveys.
Legitimate Interests: Our legitimate business interest in optimization, innovation, and service security.
Customer Support: Responding to your inquiries, technical issues, or complaints.
Performance of a Contract / Legitimate Interests
Marketing Communications: Sending promotional materials, newsletters, and periodic updates.
Consent / Legitimate Interests: Based on your explicit consent or our legitimate interest where permitted by law (with an opt-out always available).
Legal Compliance: Preventing fraud, defending legal claims, complying with court orders or regulatory audits.
Legal Obligation / Defense of Legal Claims
Sharing and Disclosing Your Personal Information
Inbox Monster does not sell or rent your Personal Data to marketers or unaffiliated third parties. We do not "Share" your data for cross-context behavioral advertising unless you have permitted tracking cookies. We disclose Personal Data to the following categories of recipients:
- Corporate Affiliates: Parents, subsidiaries, and joint ventures under common control, who must adhere to this policy.
- Service Providers (Processors): Contracted vendors helping us operate our business (e.g., hosting, customer support, email delivery). They are contractually obligated to maintain confidentiality, security, and data integrity.
- Business Transfers: Third parties involved in a merger, acquisition, reorganization, or sale of assets, where the data will remain subject to similar privacy commitments.
- Legal Compliance and Safety: Courts, law enforcement, regulatory bodies, or other public authorities when required by law, including to meet national security or law enforcement requirements, to enforce our agreements, or to protect the safety and rights of Inbox Monster, our Users, or the public.
- With Your Consent: To any other third party with your explicit, prior approval.
Data Retention
We retain the Personal Information we collect where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). This means that we retain different categories of data for different periods of time depending on the category of user to whom the data relates, the type of data, and the purposes for which we collected the data. When we have no ongoing legitimate business need to process your Personal Information, we will either delete or aggregate it. At any time, users may request deletion of their account data immediately by sending an email to privacy@inboxmonster.com. When we delete your account, it cannot be recovered.We may collect, use, and disclose certain Personal Data about you when acting as service provider to an organization that uses or provides our Site or Services. These organizations are responsible for ensuring that your privacy rights are respected, and should include information to help you understand how third parties collect and use your Personal Data. To the extent that we are acting as a data processor, we will process your Personal Data according to the terms of our agreement with the respective organization and its lawful instructions.
We currently use third-party subprocessors to provide infrastructure services (Amazon Web Services), to help us provide customer support (Intercom), for email communication purposes (Google Workspace and Customer.io), for CRM purposes (Salesforce), and for scheduling purposes (Calendly). Prior to engaging any third-party subprocessor, we perform due diligence to evaluate their privacy, security, and confidentiality practices.
Inbox Monster as a Data Processor
We may collect, use, and disclose certain Personal Data about you when acting as service provider toan organization that uses or provides our Site or Services. These organizationsare responsible for ensuring that your privacy rights are respected, and shouldinclude information to help you understand how third parties collect and use your Personal Data. To the extent that we are acting as a data processor, we will process your Personal Data according to the terms of our agreement withthe respective organization and its lawful instructions.
Third Parties:
Amazon Web Services Security and Privacy Information
Intercom Security and Privacy Information
Google Security and Privacy Information
Salesforce Security and Privacy Information
Customer.io Security and Compliance
Calendly Security and Compliance
Core Data Security Principles
We implement a "Security by Design and by Default" framework. To safeguard the Personal Data entrusted to us, Inbox Monster adheres to the following foundational data security principles:
A. Data Minimization and Purpose Limitation
We only collect, process, and retain Personal Data that is strictly adequate, relevant, and limited to what is necessary to fulfill the specific business purposes outlined in this policy. We do not process this data for incompatible purposes without your explicit consent.
B. Technical and Organizational Measures (TOMs)
We maintain a comprehensive, written information security program containing appropriate administrative, technical, and physical safeguards designed to ensure the confidentiality, integrity, and availability of Personal Data. These measures include:
- Encryption: Personal Data is encrypted at rest (using industry-standard algorithms such as AES-256) and in transit over public networks (using secure protocols such as TLS 1.3).
- Access Controls: We enforce the Principle of Least Privilege. Access to systems containing Personal Data is strictly restricted to authorized personnel who require it to perform their specific job duties, secured by Multi-Factor Authentication (MFA) and continuous logging.
- Vulnerability Management: We conduct regular vulnerability scanning, automated code analysis, and periodic independent third-party penetration testing to proactively identify and remediate security flaws.
C. Accountability and Governance
We maintain detailed internal documentation of our processing activities, conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities, and continuously train our workforce on data privacy and information security best practices.
International Data Transfers
Inbox Monster is headquartered in the United States. Personal Data we collect may be transferred to, and processed in, the United States or other countries where our subprocessors operate. These countries may have data protection laws that differ from those of your home country.
Whenever we transfer Personal Data across international borders (such as out of the EEA, UK, or Switzerland), we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and our certifications to the Swiss-U.S. DPF and EU-U.S. DPF with its UK extension to ensure your data receives an equivalent level of protection.
Data Privacy Framework (DPF) Notice
Project Bordeaux, Inc. d/b/a Inbox Monster complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Inbox Monster is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Inbox Monster has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Inbox Monster has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Inbox Monster may receive and process personal data from the European Union, United Kingdom, and Switzerland in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. The types of personal data we may process include business contact information, website visitor information, prospective customer information, customer account information, platform user information, support and communications data, billing-related information, and information processed through our Services on behalf of our customers.
We process this personal data to provide, operate, support, secure, improve, and market our Services; manage customer accounts and business relationships; respond to inquiries and support requests; process billing and account administration; analyze use of our website and Services; comply with legal obligations; enforce our agreements; and carry out other purposes described in this Privacy Policy or our agreements with customers.
For personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, Inbox Monster may disclose personal data to third parties that support our business and Services, including hosting and infrastructure providers, customer support providers, email and communications providers, analytics providers, CRM and sales tools, billing and payment providers, security providers, legal and compliance advisors, corporate affiliates, and parties involved in a business transfer. These third parties process personal data for purposes such as hosting the Services, providing customer support, sending communications, analyzing website and platform usage, managing customer relationships, processing billing, maintaining security, complying with legal obligations, and supporting ordinary business operations.
Inbox Monster remains liable under the DPF Principles if a third-party agent processes personal data received in reliance on the DPF in a manner inconsistent with the DPF Principles, unless Inbox Monster proves that it is not responsible for the event giving rise to the damage.
Regional Privacy Rights & ChoicesD
Depending on your geographic location (including the EU, UK, and US states like California,Virginia, Colorado, Connecticut, Utah, Texas, etc.), you are entitled tospecific legal rights regarding your Personal Data. Inbox Monster complies with GDPR, CCPA, and other domestic/international regulations.
A. European Union, United Kingdom, and Switzerland (GDPR/UK GDPR Rights)
If you are located in the EEA or UK, you have the following rights:
- Right of Access & Portability: Request a copy of your Personal Data in a machine-readable format.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal exceptions.
- Right to Restrict or Object to Processing: Object to direct marketing or request that we limit how we process your data.
- Right to Withdraw Consent: If we process data based on your consent, you can withdraw it at any time.
- Right to Complain: You have the right to lodge a complaint with a local Data Protection Authority.
B. California Residents (CCPA / CPRA Notice at Collection& Rights)
This section supplements our policy for California residents pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
- No Sale or Sharing of Personal Information: Inbox Monster does not "sell" your Personal Data for monetary value. We do not "share" your Personal Data for cross-context behavioral advertising unless you consent to targeting cookies.
- No Sensitive Personal Information Processing: We do not collect or process "Sensitive Personal Information" (as defined under CPRA) to infer characteristics about you.
- Your CPRA Rights:
- Right to Know/Access: Request the categories of data collected, specific pieces of data collected, sources of collection, and categories of third parties to whom data is disclosed.
- Right to Delete: Request deletion of your Personal Information.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: Request to opt out of the sale or sharing of your data (via cookie banners or GPC signals).
- Right to Non-Discrimination: We will not discriminate against you (e.g., deny services or charge different rates) for exercising your privacy rights.
C. Other US State Privacy Rights (VA, CO, CT, UT, TX, etc.)
Residents of US states with comprehensive privacy regulations have similar rights to Access, Delete, Correct, Port, and Opt-Out of targeted advertising or profiling. If we deny a privacy request, you have the right to appeal our decision by contacting us using the information below.
How to Exercise Your Rights
To exercise any of these rights, please submit a verifiable request to privacy@inboxmonster.com. We will verify your identity (or your authorized agent's identity) before fulfilling the request to ensure security. We respond to all legitimate requests within required statutory timelines (typically 30 days for GDPR, 45 days for US state laws).
Children’s Privacy
We do not market or sell products or services to anyone under the age of sixteen (16), and we do not knowingly collect or solicit Personal Data from children. In accordance with the Children’s Online Privacy Protection Act (“COPPA”) and the CPRA, if we discover that we have inadvertently collected Personal Data from a child under sixteen (16) without verifiable parental consent, we will delete that information from our systems immediately.
Reporting Security Incidents
For the protection of our clients and our own systems, Inbox Monster does not publicly disclose or discuss security vulnerabilities until our internal research is complete and any necessary updates are deployed. If you believe you have discovered a security incident or vulnerability, please contact support@inboxmonster.com. We are committed to collaborating swiftly with security researchers to resolve issues.
Dispute and Complaint Resolution Mechanisms
We take your privacy seriously and aim to resolve any concerns or disputes swiftly and transparently. If you believe your data privacy rights have been infringed, the following avenues of resolution are available to you:
A. Internal Resolution (First Point of Contact)
We encourage you to first direct any complaints, inquiries, or grievances regarding our data handling practices directly to our Privacy Team at privacy@inboxmonster.com. Our Chief Privacy Officer will investigate your concern and respond to you within thirty (30) days of receipt, providing a clear roadmap of any corrective actions taken.
B. Alternative Dispute Resolution (ADR) for US and International Users
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Inbox Monster commits to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF to JAMS, an alternative dispute resolution provider based in the United States.
If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
- Under certain conditions, EU, UK, and Swiss individuals may invoke binding arbitration for complaints regarding DPF compliance not resolved by other DPF mechanisms. For more information, please refer to Annex I of the DPF Principles.
C. European, UK, and Swiss Supervisory Authorities
If you are a resident of the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the statutory right to bypass internal mechanisms entirely and lodge a formal complaint with a competent Data Protection Authority (DPA).
- In the EU: You may file a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. A complete list of EU DPAs can be found at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
- In the UK: You may contact the Information Commissioner’s Office (ICO) directly at ico.org.uk.
- In Switzerland: You may contact the Federal Data Protection and Information Commissioner.
D. US State Regulatory Appeals
For residents of US states with comprehensive privacy laws (such as California, Virginia, Colorado, Connecticut, Utah, and Texas), if we decline to take action on a privacy rights request (e.g., a request to delete or access data), you have a legal right to appeal our decision.
- To initiate an appeal, email privacy@inboxmonster.com with the subject line "Privacy Request Appeal."
- If your appeal is denied and you still believe your rights were violated, you may submit a formal complaint to your state’s Attorney General or the dedicated privacy enforcement agency (such as the California Privacy Protection Agency - CPPA).
Changes To This Privacy Policy
Inbox Monster has the discretion to update this privacy policy at any time. When we do, we will post a notification on the main page of our Site. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.
Contacting Us
If you have any questions, concerns, or complaints regarding this Privacy Policy, our data compliance, or to exercise your privacy rights, please contact our Chief Privacy Officer:
Chief Privacy Officer: Project Bordeaux, Inc. (Inbox Monster)
Email: privacy@inboxmonster.com
Address: 9935-D Rea Road, #234, Charlotte, NC 28277