identity of the controller
The service is operated by Jonathan M., acting in an individual capacity from the territory of the French Republic, who acts as data controller within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation). The full identification of the operator is set out in the imprint. Any question relating to the processing of personal data, any request for access or export, and any request for erasure may be addressed in writing to koren@pukogames.com. We undertake to respond to any such request within thirty (30) days, in accordance with the statutory period set by the General Data Protection Regulation.
Reports of misuse of the infrastructure (unsolicited mail, phishing, malware, or any other abuse) should be addressed to abuse@adbtd.com. Technical correspondence concerning the mail exchange mail.adbtd.com (delivery problems, deferral notices, reputation enquiries, feedback-loop submissions) should be addressed to postmaster@adbtd.com, in accordance with the recommendations of RFC 2142.
categories of data processed
account data
- the email address and the password (in hashed form) used for authentication purposes;
- the name of the workspace, the billing currency selected, and the customer identifier assigned by Stripe;
- the order history, comprising the number of mailboxes provisioned, the domains associated, the dedicated IP addresses allocated, and the prices applied.
billing data
Payment transactions are handled exclusively by Stripe. We neither receive nor retain the customer’s payment card number. We retain only the customer identifier, the subscription identifier, and the metadata associated with each invoice, for the purposes of presenting the customer’s billing history and of processing any refund. Value-added tax and sales tax are calculated by Stripe Tax on our behalf, which entails the transmission to Stripe of the customer’s billing country and, where applicable, of any tax identification number.
email content and operational logs
The mailboxes provisioned by us remain the property of the customer. Such mailboxes contain whatever data the customer chooses to send and receive, including sender/recipient headers, subject lines, message bodies, and attachments. For the purposes of message delivery and infrastructure security, we retain the following:
- maildir storage on disk, retained for as long as the corresponding mailbox is active;
- SMTP and IMAP transaction logs (recording connection, authentication, delivery, and failure events) for a period of ninety (90) days;
- bounce, complaint, and reputation signals, retained over the long term, given that deliverability necessarily depends upon the existence of a sending history;
- DKIM cryptographic keys, used to sign outbound messages.
We do not read the content of customer messages. Such content is not provided as input to any artificial-intelligence model, whether operated by us or by any third party. Such content is neither sold nor otherwise disclosed to third parties.
operational telemetry
We retain standard server access logs (recording the originating IP address, the timestamp, the route accessed, and the response code) for security and diagnostic purposes, for a period of thirty (30) days. Error reports may include a stack trace and a request identifier. The marketing site does not currently embed any third-party tracker, advertising pixel, or analytics software development kit.
purposes and legal bases of the processing
- performance of a contract — the processing of account, billing, and email data is necessary for the operation of the mailboxes and dedicated IP addresses ordered by the customer;
- compliance with a legal obligation — the retention of invoices for the period prescribed by tax law and the response to lawful requests from competent authorities;
- legitimate interests — the prevention of fraud, the handling of abuse, and the protection of deliverability (which justify the retention of operational logs and reputation history).
location of the data
All servers operated by us are located within the European Union, and more specifically within the territory of the French Republic. Stripe operates on a global basis and may transfer personal data outside the European Union in accordance with the transfer mechanisms it has published. We do not currently rely upon any analytics, hosting, or artificial-intelligence processor established in the United States.
recipients and processors
The personal data processed by us is disclosed only to the processors and recipients whose involvement is necessary for the operation of the service:
- Stripe, for the processing of payments, the issuance of invoices, and the calculation of taxes;
- infrastructure providers, for the hosting of the servers, IP addresses, and DNS resources required for message delivery. Such providers do not have access to message content in decrypted form beyond that which transits a single physical machine;
- recipients of outbound messages, who, by the very nature of electronic mail, receive the content of the messages dispatched by the customer.
We do not sell personal data and we do not share it with advertisers. Should the addition of any new processor become necessary, the present policy shall be updated accordingly, and account holders shall be notified by electronic mail prior to the entry into force of such addition.
retention periods
Account data and the content of mailboxes are retained for as long as the customer continues to operate the corresponding workspace. Upon deletion, such data is removed from our live systems, and the corresponding entries are purged from our backups upon the next backup rotation. SMTP and IMAP transaction logs are retained for a period of ninety (90) days and are subsequently deleted. Bounce and complaint history is retained for the duration of the workspace, on the ground that such history is necessary for the protection of the customer’s deliverability, and is anonymised upon closure of the workspace. Invoices are retained for the period prescribed by French tax law, currently set at ten (10) years.
rights of the data subject
Pursuant to the General Data Protection Regulation, the data subject is entitled to exercise the following rights:
- the right of access, that is, the right to obtain a copy of the personal data held concerning the data subject;
- the right of rectification of any inaccurate or incomplete data;
- the right of erasure of the account and of the personal data associated with it;
- the right to data portability, that is, the right to receive account data and mailbox content in a structured, commonly used, and machine-readable format;
- the right to restrict, or to object to, specific processing operations.
Any such request may be addressed to koren@pukogames.com and shall receive a response within thirty (30) days. The data subject is further entitled to lodge a complaint with the Commission nationale de l’informatique et des libertés (CNIL), the French data-protection authority, at cnil.fr.
cookies
We use a single cookie, namely the session cookie required to maintain the customer’s authenticated session. That cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes. We do not deploy any analytics or marketing cookie.
security measures
Mailbox tenants are isolated on a per-workspace basis. Passwords are stored in the form of cryptographic hashes generated by means of a modern key-derivation function. OAuth tokens and provider credentials are encrypted at rest using the AES-256-GCM algorithm. Data in transit is protected by Transport Layer Security version 1.2 or higher. Access to the production environment is restricted and subject to audit. In the event of a personal data breach affecting the customer, we shall notify the customer within seventy-two (72) hours of becoming aware of the breach, in accordance with the General Data Protection Regulation.
amendments
Should the present policy be amended in a manner that materially affects the processing of the customer’s personal data, account holders shall be notified by electronic mail prior to the entry into force of the amendment. The effective date appearing at the head of the present document corresponds to the version currently in force.