Privacy Policy (Datenschutzerklärung)
Last updated: March 8, 2026
1. Introduction
psquared GmbH ("we", "us", "our"), located at Petzoldstraße 33, 4020 Linz, Austria, operates the InboxMate service (the "Service"). InboxMate is a product built on the psquared AgentHub platform, developed and operated by psquared GmbH.
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service, in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Austrian Data Protection Act (Datenschutzgesetz, DSG), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
2. Data Controller
The data controller responsible for your personal data is:
psquared GmbH
Petzoldstraße 33, 4020 Linz, Austria
FN 647249m, Landesgericht Linz
Email: office@psquared.dev
3. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, and password (hashed) when you register for an account.
- Payment data: Billing name, address, and payment method details. Credit card information is processed and stored exclusively by our payment provider Stripe (see Section 8). We do not store credit card numbers on our servers.
- Usage data: Information about how you use the Service, including chatbot configurations, page views, feature usage, and login timestamps.
- Website content: Content scraped from your website to train your AI chatbot, as directed and initiated by you.
- Uploaded documents: PDFs and other files you upload to expand your chatbot's knowledge base.
- Chat data: Conversations between your website visitors and your InboxMate chatbot, including message content, timestamps, and visitor metadata (browser language, referrer URL).
- Technical data: IP addresses, browser type and version, operating system, device type, and referrer URLs. This data is collected via server logs and for security purposes.
4. How We Use Your Data
We process your personal data for the following purposes:
- Providing the Service: Operating your AI chatbot, delivering responses to your visitors, managing your knowledge base, and running the InboxMate dashboard.
- AI training: Training your custom AI chatbot exclusively on your business content. Your data is used only for your chatbot — never to train models for other customers.
- Payment processing: Handling subscription billing, invoicing, and refunds through Stripe.
- Service communications: Sending transactional emails (account confirmation, password reset, usage alerts, subscription changes).
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve performance, reliability, and features.
- Security: Detecting and preventing fraud, abuse, and unauthorized access.
- Legal compliance: Fulfilling legal obligations under Austrian and EU law, including tax and accounting requirements.
5. Legal Basis for Processing (Art. 6 GDPR)
We process your data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you registered for, including account management, chatbot operation, and support.
- Legitimate interest (Art. 6(1)(f)): Service improvement through anonymized analytics, fraud prevention, and security monitoring. Our legitimate interest does not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Compliance with Austrian tax law (BAO), commercial law (UGB), and other applicable regulations requiring data retention.
6. Your Role as Data Controller
When your website visitors interact with your InboxMate chatbot, you are the data controller for that visitor data, and psquared GmbH acts as your data processor under Art. 28 GDPR. You are responsible for informing your visitors about the chatbot's data collection (e.g., through your own privacy policy) and obtaining any necessary consents.
We provide a Data Processing Agreement (DPA) to all customers on request. Contact us at office@psquared.dev to receive a signed copy.
7. Data Storage and Hosting
All data is processed and stored within the European Union. We use Supabase (EU region, hosted on AWS eu-central-1, Frankfurt, Germany) as our primary database and storage provider.
Your data does not leave the EU. We do not transfer personal data to third countries unless explicitly requested by you and with appropriate safeguards in place (e.g., Standard Contractual Clauses under Art. 46(2)(c) GDPR).
8. Sub-Processors
We use the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing, subscription billing | EU (Ireland) |
| Anthropic PBC | AI language model for chatbot responses | EU (via EU API endpoint) |
| Hetzner Online GmbH | Application server hosting | EU (Germany) |
| Vercel Inc. | Landing page and static asset hosting | EU (Frankfurt, Germany) |
| OpenAI Inc. | Alternative AI language model provider | EU (via EU API endpoint) |
| Firecrawl (Mendable Inc.) | Website content scraping for knowledge base | EU |
EU data processing guarantee: All primary data storage and processing takes place within the European Union. With the Advanced Compliance option (available on Pro and Business plans), you can ensure that all data processing — including AI inference — is restricted to EU-based infrastructure only.
We will notify you before adding or replacing sub-processors. You may object to changes within 30 days.
9. Google API Data Usage
InboxMate may request access to certain Google APIs (e.g., Gmail API) to enable email channel integration. When you connect your Google account:
- Limited use: InboxMate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Scope of access: We only request the minimum permissions necessary to provide the email integration feature (reading and sending emails on your behalf within InboxMate).
- No secondary use: Google user data is used exclusively to provide the InboxMate email channel feature. We do not use Google data for advertising, market research, or to train AI models.
- No sharing: Google user data is not shared with third parties, except as necessary to provide the Service (e.g., displaying emails in your InboxMate inbox) or as required by law.
- Revocation: You can revoke InboxMate's access to your Google account at any time through your Google Account permissions or through your InboxMate dashboard settings.
10. AI-Specific Data Processing and EU AI Act Compliance
InboxMate uses large language models (LLMs) to generate chatbot responses. Important details about how AI processes your data:
- No cross-customer training: Your business data, knowledge base, and conversation data are never used to train AI models for other customers or for general model improvement.
- Prompt isolation: Each chatbot request is processed in isolation. Your data is sent to the LLM provider only at the moment of generating a response and is not retained by the provider beyond the request.
- EU processing: We use EU API endpoints where available to ensure data stays within the EU during AI processing.
- No automated decision-making: InboxMate does not make automated decisions with legal or similarly significant effects on individuals as defined by Art. 22 GDPR. AI-generated responses are informational only.
EU AI Act compliance: InboxMate is classified as a limited-risk AI system under the EU AI Act (Regulation (EU) 2024/1689). We comply with the transparency obligations of Art. 50 by clearly disclosing that chatbot responses are AI-generated. The chat widget includes a visible "Powered by AI" indicator, and we do not use AI to manipulate, deceive, or exploit users. InboxMate does not perform biometric identification, social scoring, or any practices prohibited under Art. 5 of the AI Act.
11. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Sub-processors: As listed in Section 8, strictly for operating the Service.
- Legal requirements: When required by law, court order, or regulatory authority (e.g., Austrian tax authorities).
- Protection of rights: To enforce our Terms of Service or protect the safety of our users, if legally permitted.
Your business data, chatbot training data, and conversation logs are never shared with third parties for their own purposes.
12. Cookies and Tracking
We use the following types of cookies:
- Strictly necessary cookies: Required for the Service to function (authentication session, CSRF protection, language preference). These do not require consent under Art. 5(3) of the ePrivacy Directive.
- Analytics cookies: Optional. Help us understand how visitors use our website. Only set with your explicit consent. We currently do not use third-party analytics on the InboxMate landing page.
The InboxMate chat widget placed on your website uses a session identifier stored in the visitor's browser (localStorage) to maintain conversation continuity. No tracking cookies are set by the widget.
13. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): Request that we limit how we use your data.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): Object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)): Withdraw any previously given consent. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at office@psquared.dev. We will respond within 30 days as required by Art. 12(3) GDPR. We may request identity verification before processing your request.
14. Data Retention
We retain your data according to the following schedule:
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Conversation data: Retained for the duration of your account, unless you configure shorter retention periods (available on Pro and Business plans).
- Knowledge base: Deleted within 30 days of account deletion or when you manually remove content.
- Payment records: Retained for 7 years as required by Austrian tax law (§ 132 BAO).
- Server logs: Automatically deleted after 90 days.
15. Data Security
We implement appropriate technical and organizational measures (Art. 32 GDPR) to protect your personal data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security in our database ensuring strict data isolation between accounts
- Role-based access control for all team members
- Secure password hashing (bcrypt)
- Regular security reviews and dependency updates
- Two-factor authentication support
16. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority within 72 hours (Art. 33 GDPR) and affected individuals without undue delay (Art. 34 GDPR).
17. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at this URL. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
19. Contact
For any questions about this Privacy Policy or data processing, or to exercise your rights, contact us at:
psquared GmbH
Petzoldstraße 33, 4020 Linz, Austria
Email: office@psquared.dev