Privacy Policy (Datenschutzerklärung)
Last updated: April 19, 2026
1. Introduction
psquared GmbH ("we", "us", "our"), located at Dametzstraße 2-4, 4020 Linz, Austria, operates the InboxMate service (the "Service"). InboxMate is a product built on the psquared AgentHub platform, developed and operated by psquared GmbH.
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service, in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Austrian Data Protection Act (Datenschutzgesetz, DSG), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
2. Data Controller
The data controller responsible for your personal data is:
psquared GmbH
Dametzstraße 2-4, 4020 Linz, Austria
FN 647249m, Landesgericht Linz
Email: office@psquared.dev
3. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, and password (hashed) when you register for an account.
- Payment data: Billing name, address, and payment method details. Credit card information is processed and stored exclusively by our payment provider Stripe (see Section 8). We do not store credit card numbers on our servers.
- Usage data: Information about how you use the Service, including chatbot configurations, page views, feature usage, and login timestamps.
- Website content: Content scraped from your website to train your AI chatbot, as directed and initiated by you.
- Uploaded documents: PDFs and other files you upload to expand your chatbot's knowledge base.
- Chat data: Conversations between your website visitors and your InboxMate chatbot, including message content, timestamps, and visitor metadata (browser language, referrer URL).
- Technical data: IP addresses, browser type and version, operating system, device type, and referrer URLs. Collected via server logs and for security purposes.
4. How We Use Your Data
We process your personal data for the following purposes:
- Providing the Service: Operating your AI chatbot, delivering responses to your visitors, managing your knowledge base, and running the InboxMate dashboard.
- AI training: Training your custom AI chatbot exclusively on your business content. Your data is used only for your chatbot — never to train models for other customers.
- Payment processing: Handling subscription billing, invoicing, and refunds through Stripe.
- Service communications: Sending transactional emails (account confirmation, password reset, usage alerts, subscription changes).
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve performance, reliability, and features.
- Security: Detecting and preventing fraud, abuse, and unauthorized access.
- Legal compliance: Fulfilling legal obligations under Austrian and EU law, including tax and accounting requirements.
5. Legal Basis for Processing (Art. 6 GDPR)
We process your data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you registered for, including account management, chatbot operation, and support.
- Legitimate interest (Art. 6(1)(f)): Service improvement through anonymized analytics, fraud prevention, and security monitoring. Our legitimate interest does not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Compliance with Austrian tax law (BAO), commercial law (UGB), and other applicable regulations requiring data retention.
5a. Widget Data Collection
The embedded InboxMate chat widget collects the following data from your website visitors:
- Session ID: A unique session identifier stored in the visitor's browser via localStorage to maintain conversation continuity.
- Chat messages: The content of messages exchanged between the visitor and the chatbot.
- Browser language: The visitor's browser language setting.
- Referrer URL: The page from which the visitor accessed the chat widget.
- Email address (optional): Only if the visitor voluntarily provides it during the conversation.
The widget does not set cookies and does not perform any tracking. IP addresses are processed in server logs for security purposes but are not stored beyond 90 days.
6. Your Role as Data Controller
When your website visitors interact with your InboxMate chatbot, you are the data controller for that visitor data, and psquared GmbH acts as your data processor under Art. 28 GDPR. You are responsible for informing your visitors about the chatbot's data collection (e.g., through your own privacy policy) and obtaining any necessary consents.
A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR is automatically included as part of these terms and applies to all customers. The DPA is available for download at inboxmate.psquared.dev/dpa.
When you use the human handover feature, your team members may access and respond to visitor conversations. This constitutes an additional processing activity that you should disclose in your own privacy policy.
7. Data Storage and Hosting
All data is processed and stored within the European Union. We use Supabase (EU region, hosted on AWS eu-central-1, Frankfurt, Germany) as our primary database and storage provider.
All primary data storage and processing takes place within the European Union. Our database (Supabase), email infrastructure (AWS SES), and application servers (Heroku) are located in the EU. AI inference uses EU endpoints (OpenAI Sweden). For sub-processors incorporated outside the EU (such as Supabase Inc., Stripe Inc., and AlphaAI Technologies Inc./Tavily), data processing is contractually restricted to EU infrastructure, and transfers are governed by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR or the EU-US Data Privacy Framework adequacy decision.
8. Sub-Processors
We use the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing, subscription billing | EU (Ireland) |
| Salesforce Inc. (Heroku) | Application server hosting | EU (Ireland/Frankfurt) |
| Hetzner Online GmbH | Infrastructure & ancillary services | EU (Germany) |
| OpenAI Inc. | Alternative AI language model provider | EU (Sweden, via EU API endpoint) |
| Amazon Web Services EMEA SARL | Transactional email delivery (SES) | EU (Frankfurt, Germany) |
| Tavily (AlphaAI Technologies Inc.) | Web search for AI tool calls | US (SCCs in place) |
| Shopify International Ltd. | App Store distribution, subscription billing, read-only store content sync (Shopify-installed merchants only) | EU / Canada (SCCs in place) |
| PostHog Inc. | Product analytics — pseudonymous events for funnel and onboarding insights. IP anonymised, no session replay, no PII. EU instance only. | EU (Frankfurt, Germany) |
EU data processing guarantee: All primary data storage and processing takes place within the European Union. With the Advanced Compliance option (available on Pro and Business plans), you can ensure that all data processing — including AI inference — is restricted to EU-based infrastructure only.
We will notify you before adding or replacing sub-processors. You may object to changes within 30 days.
Data Protection Officer
We have not appointed a Data Protection Officer as we are not required to do so under Art. 37 GDPR. For all data protection inquiries, contact office@psquared.dev.
9. Google API Data Usage
InboxMate may request access to certain Google APIs (e.g., Gmail API) to enable email channel integration. When you connect your Google account:
- Limited use: InboxMate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Scope of access: We only request the minimum permissions necessary to provide the email integration feature (reading and sending emails on your behalf within InboxMate).
- No secondary use: Google user data is used exclusively to provide the InboxMate email channel feature. We do not use Google data for advertising, market research, or to train AI models.
- No sharing: Google user data is not shared with third parties, except as necessary to provide the Service (e.g., displaying emails in your InboxMate inbox) or as required by law.
- Revocation: You can revoke InboxMate's access to your Google account at any time through your Google Account permissions or through your InboxMate dashboard settings.
9a. Shopify Integration and Shopify App Store
If you install InboxMate from the Shopify App Store or connect your Shopify store from within the InboxMate dashboard, the following additional processing applies:
OAuth and access tokens. When you install InboxMate, Shopify issues an OAuth access token scoped to the following read-only Admin API permissions: read_products, read_content, read_online_store_pages, read_themes, read_locales, and read_shipping. We do not request write access. Access tokens are encrypted at rest using AES-256-GCM with a server-side key, and decrypted only in memory when required for API calls.
Data we read from your shop. Using these read-only scopes, we pull the following content into a per-shop knowledge bucket used exclusively by your InboxMate agent:
- Shop policies (return, shipping, refund, privacy, Terms of Service policies published in your storefront)
- Online store pages (About, FAQ, and other merchant-authored pages)
- Products and collections metadata (titles, descriptions, handles)
- Store locales and shipping zone settings, used to keep chatbot answers accurate
We do not read customer, order, checkout, or financial data from Shopify. The knowledge bucket is isolated per shop and never shared with other merchants.
Webhooks we receive. Your Shopify store sends the following webhooks to InboxMate:
- app/uninstalled: Triggered when a merchant removes InboxMate. We soft-delete the integration and revoke the stored access token.
- app_subscriptions/update: Billing-status changes (approved, cancelled, frozen, expired) that we mirror onto your InboxMate account.
- customers/data_request: Shopify's mandatory GDPR data-access webhook (see below).
- customers/redact: Shopify's mandatory GDPR customer-erasure webhook (see below).
- shop/redact: Shopify's mandatory GDPR shop-erasure webhook, sent 48 hours after uninstall (see below).
Shopify billing. For subscriptions started from the Shopify App Store, Shopify Inc. acts as the payment processor and controller for billing data. We receive a subscription identifier and status via the app_subscriptions/update webhook but do not receive or store card numbers or other payment instrument details. Shopify's own privacy policy governs your payment data. See our Terms of Service, Section 6a for details on Shopify billing and the 7-day free trial.
Mandatory GDPR webhook handling. As required by Shopify, we implement all three GDPR webhooks:
- customers/data_request: When a shop customer requests a copy of their data via the merchant's Shopify admin, Shopify forwards the request to us. Because InboxMate does not ingest Shopify customer records, we typically hold no personal data about the individual customer. We forward the request and our response to the merchant so they can fulfill their controller obligations under Art. 15 GDPR. If a customer's email address happens to appear in a chatbot conversation stored on InboxMate, that record is included in the response.
- customers/redact: Triggered 10 days after a shop customer requests deletion. We search the merchant's InboxMate data for any records matching the customer identifier (e.g., email address in chat transcripts) and permanently delete them.
- shop/redact: Triggered 48 hours after a merchant uninstalls InboxMate, if the shop does not reinstall. We permanently purge the shop integration, the encrypted access token, the per-shop knowledge bucket (policies, pages, product content), and all knowledge items associated with the shop. This is irreversible.
Retention on uninstall. On receipt of app/uninstalled, we immediately revoke and delete the encrypted access token and soft-delete the Shopify integration. Your remaining InboxMate account data (agent configuration, non-Shopify knowledge, conversation logs) follows the retention schedule in Section 14. If Shopify subsequently sends shop/redact, all shop-linked knowledge is fully purged as described above.
Shopify as a sub-processor. Shopify Inc. (and its affiliates) acts as our sub-processor for the distribution and billing path and as an independent controller for your use of the Shopify platform itself. Shopify's data processing is governed by its own Data Processing Addendum, available at shopify.com/legal/dpa.
10. AI-Specific Data Processing and EU AI Act Compliance
InboxMate uses large language models (LLMs) to generate chatbot responses. Important details about how AI processes your data:
- No cross-customer training: Your business data, knowledge base, and conversation data are never used to train AI models for other customers or for general model improvement.
- Prompt isolation: Each chatbot request is processed in isolation. Your data is sent to the LLM provider only at the moment of generating a response and is not retained by the provider beyond the request.
- EU processing: We use EU API endpoints where available to ensure data stays within the EU during AI processing.
- No automated decision-making: InboxMate does not make automated decisions with legal or similarly significant effects on individuals as defined by Art. 22 GDPR. AI-generated responses are informational only.
We conduct Data Protection Impact Assessments (DPIAs) under Art. 35 GDPR where appropriate, particularly for new AI processing activities.
EU AI Act compliance: InboxMate is classified as a limited-risk AI system under the EU AI Act (Regulation (EU) 2024/1689). We comply with the transparency obligations of Art. 50 by clearly disclosing that chatbot responses are AI-generated. The chat widget includes a visible "Powered by AI" indicator, and we do not use AI to manipulate, deceive, or exploit users. InboxMate does not perform biometric identification, social scoring, or any practices prohibited under Art. 5 of the AI Act.
11. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Sub-processors: As listed in Section 8, strictly for operating the Service.
- Legal requirements: When required by law, court order, or regulatory authority (e.g., Austrian tax authorities).
- Protection of rights: To enforce our Terms of Service or protect the safety of our users, if legally permitted.
Your business data, chatbot training data, and conversation logs are never shared with third parties for their own purposes.
12. Cookies and Tracking
We use the following types of cookies:
- Strictly necessary cookies: Required for the Service to function (authentication session, CSRF protection, language preference). These do not require consent under Art. 5(3) of the ePrivacy Directive.
- Analytics cookies: Optional. Help us understand how visitors use our website. Only set with your explicit consent. We currently do not use third-party analytics on the InboxMate landing page.
The InboxMate chat widget placed on your website uses a session identifier stored in the visitor's browser (localStorage) to maintain conversation continuity. No tracking cookies are set by the widget.
Product analytics inside the InboxMate operator app: we use PostHog (EU instance) to capture pseudonymous product events such as signup, onboarding step completion, and agent publication. IP addresses are anonymised and session replay is disabled. On login we send the operator's account email and display name as person properties so we can identify which account an event belongs to in our analytics dashboard; event payloads themselves contain only opaque identifiers (no message content). These events are processed under our legitimate interest (Art. 6(1)(f) GDPR) to improve the product. You can opt out via your browser's Do Not Track signal, which we honour.
13. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): Request that we limit how we use your data.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): Object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)): Withdraw any previously given consent. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at office@psquared.dev. We will respond within 30 days as required by Art. 12(3) GDPR. We may request identity verification before processing your request.
14. Data Retention
We retain your data according to the following schedule:
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Conversation data: Retained for the duration of your account, unless you configure shorter retention periods (available on Pro and Business plans).
- Knowledge base: Deleted within 30 days of account deletion or when you manually remove content.
- Payment records: Retained for 7 years as required by Austrian tax law (§ 132 BAO).
- Server logs: Automatically deleted after 90 days.
15. Data Security
We implement appropriate technical and organizational measures (Art. 32 GDPR) to protect your personal data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security in our database ensuring strict data isolation between accounts
- Role-based access control for all team members
- Secure password hashing (bcrypt)
- Regular security reviews and dependency updates
- Two-factor authentication support
16. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority within 72 hours (Art. 33 GDPR) and affected individuals without undue delay (Art. 34 GDPR).
17. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at this URL. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
19. Contact
For any questions about this Privacy Policy, data processing, or to exercise your rights, contact us at:
psquared GmbH
Dametzstraße 2-4, 4020 Linz, Austria
Email: office@psquared.dev