Privacy Policy
Last updated: March 23, 2026
InboxShield ("we", "our", "us") is a spam filtering application available on WordPress, Shopify, Wix, and Webflow that helps site owners reduce unwanted contact form spam. This Privacy Policy explains what data we collect, how we use it, how long we keep it, and your rights. This policy complies with Shopify's privacy requirements, Wix's app requirements, and the General Data Protection Regulation (GDPR).
1. Data We Collect
From Site Owners
- Site identifier — your domain, shop URL, or site instance ID, used to identify your site within our system.
- Authentication data — OAuth tokens (Shopify, Webflow), app installation data (Wix), or WordPress plugin credentials, managed through each platform's standard authorization flow.
- App settings and preferences — your chosen filtering level, custom keywords, business profile, and allowed sender lists.
- Subscription/billing plan status — to determine which features are available to your site.
From Site Visitors (Contact Form Submitters)
- Email address — used to check against disposable email domain lists and sender reputation rules.
- Email domain — extracted from the email address for domain-level spam checks.
- IP address — used to detect repeat submissions and suspicious activity patterns.
- Message preview — the first 100 characters only of the submitted message, used for spam scoring. The full message body is never stored by InboxShield.
- Spam score and classification — the calculated score, classification decision, lead quality, and which rules triggered, stored for the site owner's review.
Personal data never sent to AI: Names, email addresses, phone numbers, and physical addresses are never sent to any AI service. When AI classification is enabled (WordPress only), only the message content and business context are used — all personally identifiable information is stripped before processing.
We do not collect payment information, passwords, or other sensitive personal data. We do not access products, orders, or customer lists from your store or site.
2. How We Use Data
All data collected from site visitors is used exclusively for spam filtering and lead classification:
- Email, IP, and message preview are scored against rule-based checks: URL detection, keyword matching, short message detection, number-heavy content, suspicious email patterns, honeypot field verification, timing checks, and repeat submission detection.
- AI classification (WordPress only, optional): When enabled by the site owner, uncertain messages are sent to Anthropic (Claude) for context-aware classification. Personal data (name, email, phone, address) is never included — only the message content and business context.
- Shopify: Clean messages are forwarded to Shopify's native contact form handler and delivered to the merchant's inbox.
- Wix: InboxShield operates as a Form Submission Validation service plugin, evaluating submissions in real-time.
- WordPress: InboxShield hooks into supported form plugins (Contact Form 7, WPForms, Gravity Forms, Ninja Forms, Fluent Forms, Formidable Forms, SureForms, Elementor Forms, Divi Contact Forms) and processes submissions locally on your server.
- Webflow: InboxShield connects via OAuth and evaluates form submissions through the Webflow API.
- Blocked or quarantined messages are logged in the site owner's InboxShield dashboard for review.
3. Data Storage and Retention
- Cloud-hosted platforms (Shopify, Wix, Webflow): Data is stored in PostgreSQL (hosted on Neon, US-West region).
- WordPress: The rule engine runs entirely on your WordPress server. Data is stored in your WordPress database. When AI classification is enabled, only message content (without PII) is sent to Anthropic for classification.
- Message previews are truncated to 100 characters — the full message body is never persisted.
- Data is stored until the site owner deletes it or uninstalls the app.
- Site owners can delete all data at any time from Settings → Data → Delete All My Data, or by exporting via CSV first.
4. Data Deletion on Uninstall
When a site owner uninstalls InboxShield, all associated data is permanently deleted from our systems. This includes:
- All submission logs, spam scores, and classifications
- All app settings, custom keywords, business profiles, and allowed sender lists
- All stored email addresses, IP addresses, and message previews
- All learned sender reputation, domain memory, topic memory, and pattern memory
- Session tokens and site configuration
On Shopify, deletion is triggered automatically via the mandatory app uninstall webhook. On Wix and Webflow, uninstalling the app triggers the same deletion. On WordPress, deactivating and deleting the plugin removes all data from your database.
5. Data Sharing
We do not sell, rent, share, or transfer personal data to any third parties for marketing, advertising, or any other purpose.
- Anthropic (AI provider): When AI classification is enabled (WordPress only), message content (without personal data) is sent to Anthropic's Claude API for classification. Anthropic does not store or train on this data. See Anthropic's Privacy Policy.
- Resend (email provider): Email notifications are sent via Resend from
notifications@inboxshield.acrosoft.tech. Only the recipient email and notification content are shared.
- Platform-native forwarding (Shopify contact endpoint, Wix Forms pipeline, Webflow form handling) is standard platform behavior, not a third-party transfer.
- No third-party analytics, tracking pixels, advertising SDKs, or data brokers are used in the app.
6. GDPR Compliance
InboxShield is designed to be fully compliant with the General Data Protection Regulation (GDPR).
Shopify GDPR Webhooks
We handle all three of Shopify's mandatory GDPR webhooks:
- Customer Data Request — we export all stored data associated with a specific customer email address.
- Customer Data Deletion — we delete all submissions and associated data for a specific customer email.
- Shop Data Deletion — all shop data is fully and permanently deleted upon request or app uninstall.
All Platforms
- Data deletion requests can be initiated through the app dashboard (Settings → Data → Delete All My Data) or by contacting us directly.
- CSV export is available for data portability (right of access).
- We process all GDPR requests within 30 days.
GDPR Principles
- Lawful basis: We process data based on the site owner's legitimate interest in preventing spam on their contact forms.
- Data minimization: We collect only the minimum data necessary — email, 100-character message preview, and IP address. Personal data is never sent to AI.
- Purpose limitation: Data is used exclusively for spam filtering, lead classification, and dashboard reporting.
- Right to erasure: Data is deleted upon request, uninstall, or via the dashboard.
- Right of access: Site owners can view all collected data through their InboxShield dashboard.
- Data portability: Site owners can export their submission data via CSV from the dashboard.
If you are a site visitor whose data was processed by InboxShield and wish to exercise your GDPR rights, please contact the site owner directly, or reach out to us using the contact information below.
7. Site Owner Controls
Site owners have full control over InboxShield's behavior and their data:
- Enable or disable spam filtering at any time.
- View and manage the complete message log, including spam scores, classifications, and triggered rules.
- Delete individual submissions or all data at once.
- Configure trusted senders to bypass filtering.
- Adjust filtering strictness and rules.
- Enable or disable AI classification (WordPress only).
- Export all data via CSV.
- Uninstall the app at any time to trigger permanent data deletion.
8. Platform API Access
WordPress
The InboxShield plugin runs locally on your WordPress installation. It hooks into supported form plugins to intercept submissions. No WordPress API credentials are sent to our servers unless AI classification is enabled.
Shopify
InboxShield requests the minimum Shopify API scopes necessary to function:
read_themes — used only to check whether the InboxShield theme app embed is active.
We do not read or modify store content, products, orders, customer lists, or any other Shopify data.
Wix
InboxShield accesses only the permissions required to function as a Form Submission Validation service plugin. We do not access site content, member lists, or any data beyond form submissions.
Webflow
InboxShield connects via Webflow OAuth and accesses only form submission data. We do not access or modify site content, CMS collections, or design data.
9. Cookies and Tracking
- InboxShield does not set any cookies on site visitors' browsers.
- No tracking pixels, browser fingerprinting, or analytics scripts are loaded on any site.
- The app only activates when a contact form is submitted — it does not monitor browsing behavior.
The Crisp chat widget on this marketing website (inboxshield.acrosoft.tech) may set its own cookies — refer to Crisp's Privacy Policy for details. This does not affect any customer site.
10. Data Security
We use industry-standard security measures to protect all data we process:
- All data transmission is encrypted via HTTPS/TLS.
- Database access is restricted and authenticated.
- OAuth tokens are stored securely and scoped to minimum required permissions.
- Cloud infrastructure is hosted on Neon (database) with built-in security controls.
- WordPress plugin data is stored in your own database under your control.
11. Children's Privacy
InboxShield is a B2B service for website owners. We do not knowingly collect data from children under the age of 13. If you believe a child has submitted data through a contact form protected by InboxShield, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of InboxShield after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, you can reach us through: