InboxMate
Security & Compliance

Your customers' emails are sensitive. We treat them that way.

EU infrastructure by default, DSGVO-first by design, and AI decisions you can audit. Built by an Austrian company that signs an AVV without drama.

EU infrastructure, not as an add-on

Database and storage in Frankfurt (AWS eu-central-1 via Supabase), application servers in the EU, email infrastructure in Frankfurt. AI inference runs on EU endpoints in Sweden — your data does not cross the Atlantic for a chat reply.

Encryption where it matters

OAuth tokens for your Outlook or Shopify connection are encrypted at rest with AES-256-GCM and decrypted only in memory for the API call at hand. Credit card data never touches our servers — payment processing stays with the payment provider.

AVV / DPA ready to sign

A complete Auftragsverarbeitungsvertrag (data processing agreement) with the full subprocessor list is part of every paid plan. Read the DPA — no enterprise tier required.

No black box — decisions show their work

Every routing decision is traceable: which rule matched, which actions ran, which tools the AI called before drafting a reply. Drafts wait for human review by default — auto-send is something you switch on per category, after you trust it.

Data minimisation by design

We never copy your whole mailbox — only the threads needed to act, from the addresses you connect. The chat widget sets no cookies and does no tracking. Server logs are deleted after 90 days.

An Austrian company you can call

InboxMate is built by psquared GmbH in Linz. Your data protection questions are answered by the people who built the system — in German or English — not by a ticket queue in another timezone.

Where your data lives

The short version — the full privacy policy has every subprocessor and legal basis.

What | Where | Provider
Database & file storage | Frankfurt, Germany | Supabase (AWS eu-central-1)
AI inference | Sweden (EU endpoint) | OpenAI EU
Application servers | EU (Ireland / Frankfurt) | Heroku / Hetzner
Email infrastructure | Frankfurt, Germany | AWS SES
Product analytics | EU instance, pseudonymous | PostHog (no message content, IPs anonymised)

For subprocessors incorporated outside the EU, processing is contractually restricted to EU infrastructure under Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-US Data Privacy Framework.

What we never do

The paperwork, ready when you are

Everything your data protection officer will ask for:

Questions your DPO wants answered?

Book a call — the people who built the system will answer them directly.
