Privacy Policy — Stax Inbox

This Privacy Policy describes how F1v3 Group LLC ("we", "us", "our") collects, uses, and protects information in connection with Stax Inbox ("the App", "the Service"), available at staxinbox.com and on iOS, Android, macOS, Windows, and web platforms.

By using Stax Inbox you agree to this policy. If you do not agree, do not use the Service.

1. Who We Are

Stax Inbox is an email client developed and operated by F1v3 Group LLC. Our primary purpose is to let you add all your email accounts once and have them automatically available on every device you own, protected by zero-knowledge encryption.

2. Our Core Privacy Commitment

Your email content never passes through our servers. Stax Inbox connects directly from your device to your mail provider (Gmail, Outlook, Fastmail, MXRoute, etc.) using IMAP and SMTP. We never see, store, or process the contents of your emails, attachments, or contacts.

Your email passwords are encrypted on your device before they ever leave it. We use AES-256-GCM encryption with a 256-bit key derived from your master password using Argon2/PBKDF2. Our servers store only encrypted blobs — we cannot decrypt them. We do not know and cannot recover your email passwords.

3. What Data We Collect

3.1 Account Data (Required)

To create a Stax Inbox master account we collect:

Your email address (used as your login identifier and for account recovery)
A bcrypt hash of your master password (we never store the plaintext)
Account creation timestamp
Device identifiers for session management (JWT tokens)

3.2 Encrypted Email Account Configuration (Required for Sync)

When you add an email account, the following non-sensitive configuration is stored in plain text on our servers:

Email address for the account
Display name or label you assign
IMAP host, port, and security settings
SMTP host, port, and security settings
IMAP and SMTP usernames

The following sensitive credentials are encrypted on your device before being sent to us and are stored encrypted on our servers:

Field	Encryption	Can We Read It?
IMAP password	AES-256-GCM	No
SMTP password	AES-256-GCM	No
OAuth refresh token (Gmail, Outlook)	AES-256-GCM	No

3.3 Usage and Technical Data

We may collect limited technical data to operate and improve the Service:

API request logs (timestamps, endpoints accessed, HTTP status codes — no request bodies containing email content)
Crash reports and error logs (if you opt in)
App version and platform (iOS, Android, macOS, Windows, web)

We do not use third-party analytics SDKs that track behavior within the app.

3.4 Early Access Waitlist

If you submit your email address to join our early access waitlist, we collect only that email address. It is used solely to notify you when the app launches and for no other purpose. You can request removal at any time by emailing privacy@staxinbox.com.

3.5 What We Do Not Collect

Email message content, subject lines, or body text
Email attachments
Contact lists or address books
Your decrypted email passwords or OAuth tokens
Your master password or encryption key
Behavioral tracking, advertising identifiers, or browsing history

4. How We Protect Your Data — Encryption in Detail

We are deliberately transparent about our cryptographic implementation because security should not depend on secrecy of method.

4.1 Zero-Knowledge Model

The server never possesses the plaintext of your email credentials. Encryption and decryption happen exclusively on your device. Here is exactly what happens:

You create a master account with an email address and master password.
Your device uses Argon2 or PBKDF2 (a slow, salted key derivation function) to derive a 256-bit AES encryption key from your master password. This key is never transmitted — it exists only in memory on your device.
Our server stores a bcrypt hash of your master password for login authentication only.
When you add an email account, the IMAP/SMTP passwords and OAuth tokens are encrypted with AES-256-GCM using your device-local key before being sent to our API.
Our server stores only the encrypted blob. It cannot be decrypted without the key, which never left your device.
When you sign in on a new device, it downloads the encrypted blobs and derives the same key (same password + same salt = same key) locally to decrypt them. No key exchange occurs.

4.2 Why the Same Password Works on Every Device

Key derivation functions (Argon2/PBKDF2) are deterministic: the same master password combined with the same salt always produces the same 256-bit key, on any device, without any network transmission. This is how cross-device sync works without ever sending your key over the wire.

4.3 Master Password Change

When you change your master password:

Your current device derives the old encryption key from your old password.
It decrypts all existing credential blobs using the old key.
It derives a new encryption key from your new password.
It re-encrypts all blobs with the new key.
The new bcrypt hash and new encrypted blobs are sent to our server in one atomic transaction.

Other signed-in devices are force-logged out and must re-authenticate, at which point they derive the new key and decrypt the new blobs normally.

4.4 Master Password Reset (Forgotten Password)

If you forget your master password, we verify your identity via an email verification code, then wipe all encrypted blobs from our servers. Because the blobs are unrecoverable without the key (which only your device held), there is no recovery path for the stored credentials. We do not maintain any recovery key or backdoor. After reset:

Non-sensitive settings (IMAP/SMTP hosts, ports, usernames, display names) are preserved.
Only the encrypted passwords are lost.
You re-enter each email password once on one device and the new encrypted sync resumes.

4.5 Email Traffic

IMAP and SMTP connections are made directly from your device to your mail provider over TLS. Stax Inbox's servers are not in the path of your email traffic. The one exception is the web platform, where browsers cannot open raw TCP connections: in that case a minimal WebSocket-to-IMAP proxy on our server is required. This proxy handles only the connection bridging — message content is still protected by TLS to your mail provider and we do not store, log, or process any message data.

5. OAuth Access (Gmail, Outlook)

For Gmail and Outlook accounts that use OAuth 2.0:

We request only the minimum scopes required for IMAP access (reading and sending email on your behalf).
OAuth refresh tokens are encrypted on your device with AES-256-GCM before storage on our servers (same zero-knowledge model as passwords).
We do not use OAuth tokens to access your email outside of your explicit in-app actions.
We do not share OAuth tokens with any third party.
You can revoke our OAuth access at any time through your Google or Microsoft account security settings.

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

6. How We Use Your Data

We use the data we collect only for the following purposes:

To operate the Service — authenticate your account, sync your encrypted configuration, and provide support.
To improve the Service — diagnose crashes and errors using opt-in reports.
To communicate with you — send transactional emails (password change confirmations, security notices). We do not send marketing email without your explicit consent.
To comply with legal obligations — respond to lawful requests where required.

We do not sell your data. We do not use your data for advertising. We do not build behavioral profiles.

7. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

Infrastructure providers — our servers run on AWS (Amazon Web Services). AWS processes data only as instructed by us and under contractual data protection obligations.
Legal requirements — we may disclose data if required by a valid court order or legal process. Where permitted, we will notify you before disclosure.
Business transfers — if F1v3 Group LLC is acquired or merged, user data would transfer to the successor entity under the same privacy protections described here, and you will be notified.

We do not use third-party advertising networks, analytics platforms, or tracking SDKs in the Stax Inbox app or website.

8. Data Retention

Active accounts — data is retained for as long as your account exists.
Account deletion — when you delete your account, all account data and encrypted credential blobs are permanently deleted from our servers within 30 days.
API logs — request logs are retained for up to 90 days for security monitoring, then deleted.
Waitlist emails — retained until we launch or until you request removal.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access — request a copy of the data we hold about you.
Correction — request correction of inaccurate data.
Deletion — request deletion of your account and all associated data.
Portability — request your data in a machine-readable format.
Objection / restriction — object to or request restriction of certain processing.

To exercise any of these rights, contact us at privacy@staxinbox.com. We will respond within 30 days.

We do not discriminate against users who exercise their privacy rights.

10. Children's Privacy

Stax Inbox is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at privacy@staxinbox.com and we will delete it promptly.

11. Security

We take reasonable technical and organizational measures to protect your data:

All data in transit is encrypted via HTTPS/TLS.
Sensitive credentials are encrypted at rest using AES-256-GCM before reaching our servers.
Our API uses JWT authentication with token expiry and refresh.
Database access is restricted to application services and authorized personnel.
We do not have access to your decrypted email passwords or encryption key.

No system is perfectly secure. In the event of a data breach affecting your information, we will notify you and relevant authorities as required by applicable law.

12. Cookies and Tracking

The staxinbox.com website uses no advertising cookies and no third-party tracking scripts. We may use a single session cookie strictly necessary for form submission (e.g., the early access waitlist). We do not use cookies to track you across other websites.

13. International Users

Stax Inbox is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service you consent to this transfer. We apply the data protection practices described in this policy regardless of where you are located.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify users by email or in-app notice. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data:

Email: privacy@staxinbox.com
General support: support@staxinbox.com
Company: F1v3 Group LLC
Website: staxinbox.com