1. Who we are
Inbox Hop is the controller for personal data processed for website administration, account management, billing, fraud prevention, security, audit logging, and platform operations. Company number 16779388. Registered office: Skymod Technologies LTD
71-75 Shelton Street,
Covent Garden,
London,
WC2H 9JQ
The United Kingdom.
If you have privacy questions or want to exercise your rights, contact us at legal@skymodtechnologies.com.
2. What personal data we collect
- Account and profile data: name, company name, email address, hashed password, role, and account status.
- Project and operational data: project names, mailbox mappings, migration settings, run history, event logs, audit trails, and service usage records.
- Billing data: credit purchases, billing totals, promo code usage, Stripe checkout session references, and transaction status information.
- Support and communications data: emails, reset requests, system notices, and any information you send to us for support or onboarding.
- Connection and credential data: API credentials, service account keys, client secrets, certificates, and similar connection material that you choose to store for migration use. These are encrypted at rest.
- Migration content: when you run a migration, the service reads mail, calendar, contact, directory, and related metadata from source systems and writes to destination systems on your instructions. That content may contain personal data, including sensitive or confidential data, depending on your source systems.
- Technical data: IP address, browser and device details, session state, security logs, and website or application preference data needed to operate the service.
3. How and why we use personal data
Under the UK GDPR and Data Protection Act 2018, we use personal data only where we have a lawful basis.
| Purpose | Lawful basis |
|---|
| Providing accounts, projects, migrations, billing, and support | Performance of a contract or steps at your request before entering a contract |
| Service security, fraud prevention, abuse monitoring, logging, and troubleshooting | Legitimate interests in operating a secure and reliable service |
| Keeping statutory records, financial records, and audit evidence | Compliance with legal obligations |
| Handling payment transactions through Stripe | Performance of a contract and legitimate interests in receiving payment |
| Sending service notices, onboarding information, and support responses | Performance of a contract and legitimate interests in administering the service |
| Optional marketing or promotional communications, where used | Consent, or legitimate interests where PECR and other applicable rules allow |
For customer migration content, we generally act on your instructions as a processor or service provider. For our own website, account, billing, security, and compliance data, we act as controller.
4. Where we obtain personal data
- Directly from you when you create an account, configure connections, purchase credits, contact us, or use the platform.
- From your organisation or administrators where they create or manage your access.
- From the source and destination platforms you connect to the service, including Microsoft 365, Google Workspace, Exchange, and related APIs.
- From Stripe and payment-related systems when a checkout or billing event occurs.
5. Sharing, processors, and international transfers
We share personal data only where it is necessary to operate the service, comply with law, or protect legitimate business interests.
- Infrastructure and hosting providers used to run the platform and store operational data.
- Stripe for payment processing and payment event handling.
- Microsoft, Google, and Exchange-connected systems where needed to authenticate and perform migrations on your instructions.
- Professional advisers, insurers, auditors, and regulators where reasonably necessary.
- Courts, law enforcement, and public authorities where disclosure is required or reasonably necessary to establish, exercise, or defend legal claims.
Some providers we use may process data outside the UK. Where that happens, we rely on recognised transfer safeguards, such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
6. Retention
We keep personal data only for as long as reasonably necessary for the purposes set out in this notice.
- Account and project records: for as long as your account remains active and for a limited period afterwards where needed for support, dispute handling, security, or reactivation.
- Billing, tax, and financial records: usually for up to 6 years after the end of the relevant accounting period or longer where the law requires.
- Audit, security, and technical logs: for operational periods reasonably necessary for troubleshooting, fraud prevention, and legal claims.
- Migration content: processed during migration and not intentionally retained in the platform beyond what is technically required for execution, retry handling, integrity checks, and non-content operational metadata.
7. Security
We use technical and organisational measures designed to protect personal data, including access controls, encrypted storage for secrets, role segregation, audit logging, and security checks around connection setup and runtime access. No internet-connected system is perfectly secure, but we take reasonable steps appropriate to the nature of the service and the risks involved.
8. Cookies, local storage, and third-party web resources
- Essential session cookies: the site uses essential cookies to manage sessions, authentication state, CSRF protection, and basic security. These are necessary for the service to operate.
- Local storage: the application uses limited browser local storage for operational preferences, such as remembering certain user-interface choices.
- No non-essential analytics cookies at present: we do not currently rely on public-site analytics, advertising, or tracking cookies to run the service. If that changes, we will update this notice and any consent mechanisms required under PECR.
- Third-party content delivery: the public site currently loads Google Fonts and Font Awesome from external content delivery networks. When those resources load, the relevant provider may receive your IP address, browser details, and standard request metadata.
9. Your rights
Subject to the conditions and limits in data protection law, you may have the right to:
- request access to your personal data;
- request rectification of inaccurate data;
- request erasure of personal data in some circumstances;
- request restriction of processing;
- object to processing carried out on legitimate interests grounds;
- request portability of data you provided to us where the law applies;
- withdraw consent where we rely on consent.
You also have the right to complain to the Information Commissioner's Office (ICO). See ico.org.uk for more information.
10. Changes to this notice
We may update this Privacy Notice from time to time to reflect legal, technical, operational, or product changes. The latest version will always appear on this page with its last updated date.
This notice is intended to meet UK data protection requirements, including the UK GDPR, Data Protection Act 2018, and, where relevant, the Privacy and Electronic Communications Regulations.
