Your message disappears after it is read. No trace.

GDPR & Privacy Policy

Last Updated: March 8, 2026

At mBox.pl, your privacy is our priority. We've designed this tool on the principles of Privacy by Design and Zero-Knowledge architecture, meaning security is built into every aspect of our infrastructure.

1. Data Controller

The controller of mBox.pl and the data processed in connection with its operation is:

ITSS Software

Contact Person: Rafał Lorenc

Email: rafal.lorenc@itss.com.pl

Phone: +48 508 167 298

2. Important Note: Personal Data Processing

We do not process your personal data in the traditional sense. All messages and files you send through mBox.pl are encrypted end-to-end using AES-256-GCM before they are stored on our servers. We have no technical ability to access or read your content.

3. Zero-Knowledge Architecture

mBox.pl is built on a Zero-Knowledge architecture, which means:

  • No access to your content: All messages and files are encrypted in your browser using AES-256-GCM before being sent to our servers.
  • The key remains yours: The decryption key exists only in the unique link (in the URL fragment after #). Browsers do not include the fragment in requests, so the key is never transmitted to our servers.
  • No ability to view: As administrators, we have no technical means to read your message content because we don't possess the decryption key.

4. What Data Do We Collect?

We collect only the minimum necessary data:

  • Technical logs: To ensure security (e.g., protection against DDoS attacks or abuse), we may process temporary server logs, including IP address and request time. These are automatically deleted within 24 hours.
  • Contact data: If you contact us by email, we process your data solely to respond to your inquiry.

5. Infrastructure Security & Data Location

  • Hosted on AWS EU: mBox.pl infrastructure is hosted on Amazon Web Services servers located in the European Union, ensuring compliance with data residency requirements.
  • Encryption in Transit: All data in transit is protected by the TLS 1.3 protocol. Communication between your browser and our servers is secured by SSL/TLS certificates.
  • At-Rest Encryption: Encrypted messages are stored only as unreadable ciphertext. Even if our servers were compromised, attackers would find only encrypted data without the decryption keys.
  • Regular Security Updates: Our infrastructure receives regular security patches and updates to protect against known vulnerabilities.

6. Message Retention (Auto-Destruction)

Your messages are stored according to your chosen expiration settings:

  • Burn after reading: The message is automatically deleted from our database immediately after the recipient opens it.
  • TTL (Time To Live): If not read, messages are permanently deleted after your chosen time (e.g., 1 hour, 24 hours, or up to 90 days).
  • No backups: We do not create backup copies of message content. Once deleted, recovery is impossible.

7. Your Rights Under GDPR

Under GDPR, you have the right to:

  • Request access to any personal data we hold about you (separate from encrypted message content, which we cannot access)
  • Request correction of inaccurate data
  • Request deletion of your data
  • Lodge a complaint with the supervisory authority (in Poland: the President of the Personal Data Protection Office, UODO)

To exercise these rights, contact us at rafal.lorenc@itss.com.pl

8. Cookies

mBox.pl does not use tracking, marketing, or analytical cookies (such as Google Analytics). We use only essential technical cookies required for the proper functioning of the service.

9. Contact & Support

For questions about this Privacy Policy or our data protection practices:

Email: rafal.lorenc@itss.com.pl

Phone: +48 508 167 298