Privacy Policy

Last updated: June 2026 · vppbox.com · operated under EU law (GDPR)
01 — Data & Privacy

Privacy Choices

VppBox is built around a single principle: we cannot give what we do not have. Our architecture is designed to minimise data collection at every level. VppBox is designed to make you reachable in private — anyone can write to you, no one can see what they wrote. It is not designed to make the postbox owner invisible. Your address is public. Your inbox is not.

What we collect

  • Box number — randomly assigned at creation, retained for the duration of the subscription.
  • Box type and status — Small, Medium, or Large, and whether the box is active, suspended, or closed.
  • Creation timestamp — the date and time your postbox was created, retained for the duration of the subscription.
  • Sender fingerprint (per letter) — a one-way hash derived from the sender's browser characteristics (user agent, timezone, language, screen resolution). Stored with the letter for abuse prevention. Automatically deleted when the letter is destroyed. If you block a sender, their fingerprint is retained in your block list until you remove it.
  • Sender IP (per letter) — recorded at the time of sending for abuse detection. Automatically deleted when the letter is destroyed.
  • Encrypted verification blob — a cryptographic token derived from your keys, used solely to verify your identity at login. We cannot read your keys or reverse this blob.
  • Encrypted private key — stored in encrypted form. We cannot decrypt it.
  • Subscription and payment metadata — retained for billing and legal compliance. Payment processing is handled entirely by our payment processing provider; we do not store card numbers or full payment details. Your payment provider knows who paid; we know only that a valid subscription exists. This distinction is intentional: VppBox is designed to be reached anonymously — your postbox address is public — not to make the postbox owner anonymous. Postbox owners are visible by choice.
  • Stamp balance — retained for the duration of the subscription to deliver the service.
  • Encrypted letter content — stored as an opaque encrypted blob for a maximum of 24 hours (or up to 7 days if Waiting Mode is enabled at your explicit request). Permanently overwritten thereafter.
  • Setup code — generated at payment, deleted immediately upon setup completion or after 7 days if unused.

What we collect at signup (postbox owners only)

  • Your email address — collected once at signup for one-time verification. We do not use your email for marketing, newsletters, or any communication beyond the initial verification code.
  • Your IP address and browser fingerprint at signup — retained for accountability. This helps us respond to legal requests regarding misuse of postboxes.
  • Display name (optional) — only if you choose to provide one.

What we never collect

  • Login times, session history, or access patterns.
  • Who writes to you, when, or how often.
  • Message content — encryption happens on your device before anything is sent. We receive only ciphertext and have no means to decrypt it.
  • Location data.
  • Your keys — they are never transmitted to our servers.
  • Images, files, or attachments of any kind — VppBox is a text-only service. Image and file upload is technically impossible and will never be added.
  • Sender identity — those who write to your postbox remain anonymous. We do not collect their email or any personal identifier (only an opaque device fingerprint, used solely for your block list).

Your controls

  • Waiting Mode — off by default. If enabled, incoming letters are held encrypted on our servers at your explicit request. You acknowledge this and accept responsibility.
  • Anonymous Sender Block — off by default. If enabled, only registered VppBox users can write to you. Anonymous senders see a message that your postbox is restricted.
  • Block Sender — when reading a letter, you may block the sender. Their fingerprint is added to your personal block list. Future letters from the same sender are silently dropped — the sender sees “delivered” and is not notified. Your block list is stored on our servers and deleted when your postbox is closed.
  • Box closure — you may close your postbox at any time. All associated data is permanently and irreversibly destroyed. Unused stamps are forfeited.

Cookies and local storage

VppBox does not use cookies for authentication. Your session is stored entirely in your browser's sessionStorage (cleared when you close the tab). Some essential technical cookies may be set by Cloudflare (DDoS protection, bot challenge) for security purposes — these are not used for tracking, analytics, or advertising. No cookie consent banner is required.

02 — Privacy Policy

Privacy Policy

This policy applies to vppbox.com and all VppBox services. VppBox operates under EU law and is subject to the General Data Protection Regulation (GDPR).

Data controller

Vppbox is operated by FEAD Mühendislik Ltd. Şti., a company registered in Türkiye. Legal and data protection inquiries: hello@vppbox.com

Design philosophy: reachable, not hidden

VppBox is designed for a specific purpose: to allow anyone to reach you privately, without knowing who they are. The postbox owner is visible — you share your address publicly, put it in your bio, print it on a card. What remains private is who writes to you, what they say, and when. This is the core promise of VppBox.

VppBox protects the identity of the sender, not the postbox owner. If you need to conceal your own identity from everyone including VppBox, this service is not designed for that purpose.

Transit architecture

Letters are encrypted on your device using AES-256-GCM before transmission. The server receives only an encrypted blob and has no means to decrypt it. Letters are automatically overwritten with random data and destroyed within 24 hours of delivery or 24 hours after opening — whichever comes first. This is not a policy choice; it is a technical constraint.

Our legal position: “We cannot provide what we do not have.” We do not store message content. We cannot read it, hand it over, or delete it on request — because it does not exist on our servers in readable form.

Legal basis for processing

We process most personal data under Article 6(1)(b) GDPR — performance of a contract — to deliver the postbox service. Signup IP, browser fingerprint, and email retention beyond verification are processed under Article 6(1)(f) — legitimate interest — to detect and respond to misuse, and to comply with applicable law.

Data retention

  • Box number, type, status, creation timestamp: retained for the duration of the subscription. Deleted 12 months after the postbox is closed.
  • Postbox owner email address: retained for the duration of the subscription, used only for the initial verification. Deleted 12 months after the postbox is closed. Previous email addresses (if changed) are archived for the same retention period to support legal accountability.
  • Display name (if provided): retained for the duration of the subscription. Deleted 12 months after the postbox is closed.
  • Signup IP address and browser fingerprint: retained for the duration of the subscription, used to detect and respond to misuse. Deleted 12 months after the postbox is closed.
  • Sender fingerprint and sender IP per letter: retained only for the lifetime of the letter (maximum 24 hours, or 7 days in Waiting Mode). Automatically deleted when the letter is destroyed. Exception: if you block a sender, their fingerprint is retained in your block list until your postbox is closed.
  • Encrypted verification blob and encrypted private key: retained for the duration of the subscription. We cannot read either of these. Deleted 12 months after the postbox is closed.
  • Encrypted letter content: maximum 24 hours after delivery or opening. Maximum 7 days if Waiting Mode is active at your explicit request.
  • Setup codes and verification codes: setup codes deleted immediately after use or after 7 days if unused. Email verification codes expire after 5 minutes and are invalidated immediately upon use.
  • Stamp balance: retained for the duration of the subscription.
  • Payment and subscription metadata: retained for the duration required by applicable law and our payment processing provider's terms. Our payment provider processes and retains payment details on their infrastructure under their own privacy policy. We retain only what is necessary to confirm a valid, active subscription.

The 12-month grace period after postbox closure exists to satisfy legal record-keeping obligations and to allow response to legitimate legal requests. After this period, all data is permanently and irreversibly deleted.

Data breach notification

In the event of a breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Because message content is encrypted and unreadable to us, a breach of our servers does not constitute a breach of your message content.

Third-party processors

  • Payment processing provider — handles all payment transactions. Retains payment details (including card information and billing identity) under their own privacy policy. If you require full payment anonymity, consult their policy or use a payment method that does not link to your identity. VppBox receives only confirmation that a subscription is active — we do not receive or store card numbers.
  • Cloudflare — provides DDoS protection and CDN services. Processes encrypted traffic; cannot access message content.
  • Supabase — database hosted in Frankfurt, EU. Stores metadata and encrypted blobs only.
  • Vercel — application hosting. Processes requests but has no access to encryption keys or message content.
  • Resend — transactional email delivery, used solely to send the one-time verification code at signup or email change. Receives your email address and the verification code. No marketing, no newsletters.

Your rights under GDPR

You have the right to access, rectify, or erase your personal data; to restrict or object to processing; and to data portability. To exercise these rights, contact: hello@vppbox.com. Provide your box number and verified email address to identify your account.

Reporting illegal content (DSA Article 16)

Under the EU Digital Services Act Article 16 (Notice and Action), anyone may report a postbox being used for illegal activity — including impersonation, harassment, fraud, CSAM, spam, or other illegal use. Use our public reporting form: vppbox.com/abuse. We review every report and take action under our Usage Policy and applicable law. Decisions are recorded for audit and transparency purposes.

Law enforcement requests

VppBox cooperates with valid legal requests from competent authorities. Requests are evaluated against EU law, the GDPR, and the law of the requesting jurisdiction.

How to submit: Send to hello@vppbox.com with valid legal process — subpoena, court order, MLAT request, or equivalent. Informal requests without legal process will be declined.

What we can disclose: Postbox metadata (box number, type, status, timestamps), postbox owner email and signup IP/user-agent/fingerprint, email change history, and payment/subscription metadata held by us. We disclose only the minimum data described in the request and required by law.

What we cannot disclose: Letter content. Letters are encrypted on the user's device with keys we never receive; we cannot read, decrypt, or hand over message content. We cannot provide what we do not have.

User notification: Where lawful, we notify the affected postbox owner of the request and the data disclosed at least 14 days before disclosure, unless we are legally prohibited from doing so (e.g. gag order, ongoing criminal investigation). After any non-disclosure period expires, we notify the user of the past request.

Emergency disclosure: In good-faith belief that disclosure is necessary to prevent imminent risk of death or serious physical harm, or to address active CSAM coordination, we may disclose relevant data without prior user notification. Such disclosures are documented and reviewed.

Transparency report: We publish an annual transparency report listing the number of requests received, the jurisdictions, the categories of data disclosed, and the rejection rate. The report contains no user-identifying information.