Privacy Policy
1. Who we are
InboxDrop ("we", "us", "our") provides a free disposable email service at inbox-drop.com. For data protection queries contact: privacy@inbox-drop.com.
InboxDrop is engineered so that the operator processes no personal data. All email addresses and inbox contents exist only in your browser's memory and are never transmitted to our servers. Because we do not collect, store, or otherwise process personal data, ICO registration under the Data Protection (Charges and Information) Regulations 2018 is not currently required. Should a real mail-processing backend be added in future, ICO registration will be obtained before that feature launches.
2. What data we process
The operator processes no personal data. Specifically:
- Temporary email addresses are generated randomly in your browser and held only in browser memory. They are never transmitted to or stored on our servers.
- Inbox contents exist solely in your browser session and are never persisted server-side.
- Analytics cookies — Google Analytics sets
_gaand_ga_*cookies in your browser to distinguish sessions and measure usage (pages visited, device type, country). No personal data is linked to these measurements. IP anonymisation is enabled. Vercel Analytics operates without cookies. See Section 4 for details and opt-out instructions. - Server access logs - when your browser loads this page it connects to our hosting provider's infrastructure. The hosting provider may record standard access log data (IP address, user-agent, timestamp) independently for their own operational and security purposes. The operator does not access, control, or retain these logs. See Section 9 for details.
3. Legal basis (UK GDPR, Art. 6)
InboxDrop itself stores no personal data. Third-party services (Google Analytics, Google Fonts, Vercel Analytics) process limited data as independent data controllers. Our legal basis for loading these services is our legitimate interest (UK GDPR Art. 6(1)(f)) in measuring and improving the service. You may object to analytics processing at any time — see Section 4 for opt-out options.
For full guidance on legal bases under UK GDPR, see the ICO guide to lawful basis.
4. Third-party services
Google Fonts - This site loads typefaces (Orbitron, DM Mono, Figtree) from Google's font CDN (fonts.googleapis.com / fonts.gstatic.com). When your browser fetches these files it transmits your IP address and browser user-agent to Google. This constitutes a transfer of personal data to Google LLC, a US-based entity. Google's Privacy Policy governs that processing; Google relies on Standard Contractual Clauses for UK-to-US data transfers.
The legal basis we rely on for this transfer is our legitimate interest (UK GDPR Art. 6(1)(f)) in providing a consistently-rendered interface. If you object to this transfer, you may: (a) use a browser extension that blocks Google CDN requests; or (b) use a privacy-respecting DNS resolver that blocks fonts.googleapis.com. After the first page load, fonts are cached locally by your browser and no further requests are made until the cache expires.
We are evaluating self-hosting these fonts to eliminate this third-party transfer entirely.
Vercel Analytics - This site uses Vercel Analytics to collect anonymised, aggregated usage data (pages visited, interaction events, device type, country). Data is processed by Vercel Inc. No cookies are set; no IP address is retained in the analytics dashboard. Vercel's Privacy Policy governs that processing.
Google Analytics - This site uses Google Analytics (Google LLC) to collect anonymised usage statistics with IP anonymisation enabled (anonymize_ip). Google may set cookies in your browser. Google's Privacy Policy governs that processing. You may opt out via the Google Analytics Opt-out Browser Add-on.
5. Data retention
All in-browser session data is automatically purged when your inbox expires (max 2 hours) or when you close the browser tab. The operator retains no data beyond this. Any server access logs held by the hosting provider are subject to that provider's own retention policy, over which the operator has no control.
6. International transfers
Google Fonts CDN requests may be processed on Google's servers outside the UK. Such transfers are covered by Google's adequacy decisions and Standard Contractual Clauses.
7. Your rights under UK GDPR
Because the operator holds no personal data about you, your UK GDPR rights (access, rectification, erasure, restriction, objection, portability) are automatically satisfied - there is simply nothing for us to provide, correct, or delete. If you believe we hold personal data about you contrary to this policy, contact privacy@inbox-drop.com and we will investigate promptly.
8. Complaints
You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113.
9. Hosting and infrastructure
This website is served via Vercel. When your browser requests a page, Vercel's servers handle the connection and may log standard access data (IP address, user-agent, timestamp) as an independent data controller for their own operational and security purposes — not on behalf of InboxDrop. The operator has no access to or control over this logging. Please refer to Vercel's privacy policy for details.
10. Changes to this policy
We may update this policy. Material changes will be indicated by an updated date above. Continued use of the service constitutes acceptance of the revised policy.
11. Service provider information (Electronic Commerce Regulations 2002)
In accordance with Regulation 6 of the Electronic Commerce (EC Directive) Regulations 2002, the following information is provided:
- Service name: InboxDrop
- Operator legal name: [Full legal name — to be inserted prior to launch]
- Registered / correspondence address: [Geographic address — to be inserted prior to launch]
- Contact email: privacy@inbox-drop.com
- Company registration number: [Insert if incorporated at Companies House]
- VAT number: [Insert if VAT-registered; otherwise state "Not VAT registered"]
This information is required by law to be easily, directly and permanently accessible. It must be completed before the service is made publicly available.