adbtd
log inget started

legal

privacy policy

effective 2026-05-03

adbtd is email infrastructure. To run that infrastructure for you, we have to handle some personal data — yours as the account holder, and whatever flows through the mailboxes you order. This page describes exactly what, why, and for how long, in plain language.

who we are

adbtd is operated by an individual sole trader based in France. For any privacy question, data export, or deletion request, write to koren@pukogames.com. We will reply within 30 days, which is the GDPR statutory limit.

what we collect

account data

  • email address and password hash, used to sign in
  • workspace name, billing currency, and Stripe customer id
  • order history (mailbox count, domains, dedicated IPs, prices)

billing data

Payments go through Stripe. We never see or store your card number. We keep the Stripe customer id, subscription id, and invoice metadata so we can show your billing history and process refunds. Stripe Tax computes VAT and sales tax on our behalf, so your billing country and (where required) tax id reach Stripe.

email content and logs

The mailboxes we provision belong to you. They contain whatever you send and receive: From / To / Subject headers, message bodies, attachments. To deliver and secure those mailboxes we keep:

  • maildir storage on disk for as long as the mailbox exists
  • SMTP and IMAP transaction logs (connect, auth, deliver, fail) for 90 days
  • bounce, complaint, and reputation signals long-term, because deliverability requires history
  • DKIM keys, which sign your outbound mail

We do not read your messages. We do not feed them to any AI model, ours or anyone else's. We do not sell or share them.

operational telemetry

Standard server access logs (IP, timestamp, route, response) for security and debugging, kept 30 days. Error reports may include a stack trace and a request id. No third-party trackers, no advertising pixels, no analytics SDKs on the marketing site at this time.

why we collect it

  • contract performance — to actually run the mailboxes and IPs you ordered (account, billing, mail data)
  • legal obligation — to keep invoices for the period required by tax law, and to respond to lawful requests from authorities
  • legitimate interest — fraud prevention, abuse handling, deliverability protection (logs, reputation history)

where the data lives

All servers are in the European Union (France). Stripe processes payments globally and may transfer data outside the EU under its own published transfer mechanisms. We do not currently use US-based analytics, hosting, or AI processors.

who we share with

Only the processors we need to run the service:

  • Stripe — payments, invoicing, tax
  • infrastructure providers — to host the servers, IPs, and DNS that deliver your mail. They never see decrypted message content beyond what transits a single physical box.
  • recipients of your outbound mail — by definition, anything you send leaves our systems and reaches them

We do not sell personal data. We do not share it with advertisers. If we ever bring on a new processor that touches your data, we will list it here and email account holders before it goes live.

how long we keep it

Your account and your mailbox content stay with us until you delete them — once you do, they are removed from our live systems and from backups on the next backup rotation. SMTP and IMAP transaction logs are kept for 90 days, then dropped. Bounce and complaint history is kept for as long as your workspace exists because we need it to protect your deliverability, and is anonymised when the workspace is closed. Invoices are retained for the period required by French tax law (currently 10 years).

your rights

Under GDPR you can ask us to:

  • show you the data we hold about you
  • correct anything inaccurate
  • delete your account and the data tied to it
  • export your account data and mailbox content in a machine-readable form
  • restrict or object to specific processing

Email koren@pukogames.com. We respond within 30 days. If we get something wrong you can complain to the CNIL (the French data protection authority) at cnil.fr.

cookies

One cookie: the session cookie that keeps you signed in. It is HttpOnly, Secure, and SameSite=Lax. No analytics or marketing cookies.

security

Mailbox tenants are isolated per workspace. Passwords are hashed with a modern KDF. OAuth and provider credentials are encrypted at rest with AES-256-GCM. TLS 1.2+ in transit. Production access is restricted and audited. We will publish any breach that affects you within 72 hours of discovery, as GDPR requires.

changes

If we change this policy in a way that affects what we do with your data, we will email account holders before the change takes effect. The effective date at the top reflects the latest version.