GDPR notice

Inboxd is the data controller for personal data collected via this website and in the course of providing services. Inboxd is the trading name of TouchBasePro (Pty) Ltd, registration number 2012/181952/07. Our designated contact for data protection matters is Greg Phillips. Contact: legal@inboxd.agency.

We collect the following categories of personal data:

• Contact and enquiry data: name, work email address, company name, and the free-text message you submit via our contact or subscribe forms.
• Technical data: IP address, browser user-agent, and timestamp - collected automatically in server logs for security and abuse prevention.
• Analytics data: pages visited, session duration, referral source, and device/browser type - collected via Google Analytics 4 and Microsoft Clarity only if you have consented. IP addresses are anonymised before storage.

We do not collect special category data (such as health, biometric or political data), and we do not knowingly collect data from individuals under 16.

We rely on the following lawful bases under Article 6 UK/EU GDPR:

• Consent (Art. 6(1)(a)): Analytics cookies (GA4, Microsoft Clarity). You may withdraw consent at any time via the Cookie settings link in the footer.
• Legitimate interests (Art. 6(1)(f)): Server security logs (fraud and abuse prevention); responding to unsolicited enquiries; direct marketing to existing business contacts where a legitimate interest assessment supports it.
• Contract performance (Art. 6(1)(b)): Processing necessary to deliver services to clients who have engaged Inboxd under a Master Services Agreement.
• Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose data by applicable law.

We use the following sub-processors to operate our services. Where these involve transfers of personal data outside the UK or EEA, we rely on UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs):

• Microsoft Azure (EU West Europe): website hosting and infrastructure.
• Google Ireland Ltd / Google LLC: Google Analytics 4 - analytics, with anonymised IPs and consent-gating. Transfers to US covered by EU SCCs.
• Microsoft Corporation: Microsoft Clarity - session analytics, consent-gated. Transfers to US covered by EU SCCs.

We do not transfer personal data to any other third party without your knowledge, except where required by law.

Under UK/EU GDPR Articles 15-22, you have the following rights:

• Access (Art. 15): Request a copy of the personal data we hold about you.
• Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17): Ask us to delete your data where there is no compelling reason to continue processing.
• Restriction (Art. 18): Ask us to restrict processing in certain circumstances.
• Portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
• Object (Art. 21): Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
• Withdraw consent: Where processing is based on consent, you may withdraw at any time. This does not affect the lawfulness of processing before withdrawal.
• Automated decisions (Art. 22): We do not use your personal data for solely automated decision-making that produces legal or significant effects.

To exercise any right, email legal@inboxd.agency. We will respond within one calendar month as required by Art. 12.

If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EEA, you may contact your local Data Protection Authority. We would, however, appreciate the opportunity to address your concern directly first.

Enquiry and contact data is retained for 24 months from last contact. Server security logs are retained for 90 days. Analytics data is retained in accordance with our GA4 and Clarity data retention settings (13 months). Client-engagement data is governed by the relevant DPA, typically for the duration of the engagement plus 12 months.