1. Introduction

Everinbox Serviços de Email Ltda. ("Everinbox," "we," "our," or "us") is a company incorporated under the laws of Brazil. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with our cloud-based email sending platform and related services (the "Services").

This Policy applies to all users of the Services, including account holders, senders, and individuals whose data is processed through our platform. By accessing or using the Services, you acknowledge that you have read and understood this Policy.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, company name, billing address, and payment method details provided at registration or during account management.
  • Sending data: Email addresses of recipients you send to, message content, campaign metadata, delivery status, open and click events, bounce records, and unsubscribe requests.
  • Technical data: IP addresses, device type, browser or client information, operating system, access timestamps, and activity logs generated by your use of the platform.
  • Cookies and similar technologies: Session identifiers, preference tokens, and analytics identifiers. See Section 8 for details.
  • Support communications: Content of messages, tickets, and correspondence you send to our team.

We do not intentionally collect sensitive personal data as defined under LGPD (such as health, biometric, or financial account data) unless you explicitly provide it in support communications or email content.

3. How We Use Your Data

We use collected data for the following purposes:

  • Service delivery: Provisioning and operating your account, processing email sends, managing DNS authentication records, and providing deliverability tools.
  • Billing and payments: Processing subscription fees, generating invoices, and managing payment disputes.
  • Anti-abuse and platform integrity: Detecting spam, phishing, malware distribution, and other policy violations, and sharing sending reputation data with industry anti-abuse networks.
  • Analytics and improvement: Aggregated, anonymized analysis of platform usage to improve features and performance. We do not sell individual-level usage data.
  • Communications: Sending transactional notifications (account alerts, invoices, suspension notices) and, with your consent, marketing communications about new features.
  • Legal obligations: Retaining records and responding to lawful requests from courts, regulators, or law enforcement authorities in Brazil or other applicable jurisdictions.

4. Legal Basis (LGPD)

Under Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018), we process personal data on the following legal bases:

  • Contract performance (Art. 7, V): Processing necessary to deliver the Services under your subscription agreement, including account management, sending operations, and billing.
  • Legitimate interest (Art. 7, IX): Anti-abuse monitoring, fraud prevention, platform security, and product analytics, where such interests are not overridden by your rights.
  • Legal obligation (Art. 7, II): Retention and disclosure of records required by Brazilian law, including the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet).
  • Consent (Art. 7, I): Marketing communications and non-essential analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

For recipients whose data is processed through email campaigns you send via Everinbox, you are the data controller and are solely responsible for ensuring a lawful basis for processing under applicable law.

5. Data Sharing

We share personal data only in the circumstances described below:

  • Infrastructure providers: Cloud hosting, CDN, database, and monitoring providers who process data on our behalf under data processing agreements with adequate protection guarantees.
  • Payment processors: Your billing data is processed by PCI-DSS compliant payment processors. We do not store full card numbers.
  • Anti-spam and deliverability networks: Sending reputation data and confirmed abuse indicators may be shared with industry organizations including Spamhaus, Abusix, and ISP feedback loop programs to protect the broader email ecosystem.
  • Legal requests: We may disclose data in response to court orders, subpoenas, or lawful requests from government authorities when required by applicable law. Where permitted, we will notify you before complying.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.

We do not sell personal data to third parties for marketing purposes.

6. Data Retention

We retain personal data for the following periods:

  • Account data: For the duration of the contractual relationship plus 5 years following termination, to satisfy legal and audit obligations.
  • Access and activity logs: 12 months from the date of generation, as required by the Marco Civil da Internet (Law 12.965/2014).
  • Backup snapshots: 90 days, after which they are purged from our backup infrastructure.
  • Support communications: 3 years from the date of the last interaction.
  • Billing records: 10 years, as required by Brazilian fiscal law.

Following the applicable retention period, data is securely deleted or anonymized.

7. Your Rights (LGPD / GDPR)

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access: Request confirmation of whether we process your data and obtain a copy of the data we hold.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your data, subject to our legal retention obligations.
  • Portability: Receive your data in a structured, machine-readable format and transmit it to another service provider.
  • Objection: Object to processing based on legitimate interest, including profiling.
  • Restriction: Request restriction of processing in certain circumstances, such as while a dispute is resolved.
  • Withdrawal of consent: Withdraw consent for processing activities based on consent at any time, without affecting prior lawful processing.
  • Complaint: Lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) or your local supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 15 days as required by LGPD.

8. Cookies

We use cookies and similar technologies as follows:

  • Essential cookies: Required for authentication, session management, and platform security. These cannot be disabled without affecting core functionality.
  • Analytics cookies: Aggregated usage analytics to understand how the platform is used and where to improve. These are opt-in only. You may decline analytics cookies without affecting your ability to use the Services.

We do not use advertising or third-party behavioral tracking cookies. You can manage cookie preferences through your browser settings or the cookie consent banner displayed on your first visit.

9. International Transfers

Your data is primarily processed and stored on infrastructure located in Brazil. When we engage third-party service providers located outside Brazil, we ensure adequate protection through one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) as recognized by the ANPD or European Commission
  • Adequacy decisions applicable to the destination country
  • Binding corporate rules where applicable

A list of our current sub-processors and their locations is available upon request at [email protected].

10. Contact and DPO

For privacy-related inquiries, data subject requests, or complaints, contact us at:

Our DPO is responsible for overseeing compliance with this Policy and applicable data protection law.

11. Updates to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice before the changes take effect, either by email to your registered address or by a prominent notice within the platform. The "Last updated" date at the top of this page reflects the date of the most recent revision.

Your continued use of the Services after the effective date of a material update constitutes acceptance of the revised Policy.