Privacy Policy
Last updated: March 3, 2026
1. Scope
The privacy of our website visitors and users is very important to us, and we are committed to protecting it. This policy explains what we do with your personal information when you use dialobox ("we", "our", or "us") at dialobox.io, create an account, use our form-to-inbox and reply dashboard services, or interact with forms powered by dialobox.
This policy describes how we process personal data. Where consent is required (e.g. for certain cookies or marketing), we will request it separately. You may consent to our use of cookies via the cookie banner as described in our Cookie Policy. If you do not agree with these practices, please do not use our services.
2. Collection of personal information
Before you disclose to us personal information about another person (e.g. when configuring form recipients or including third-party data in messages), you must obtain that person's consent to both disclose and process that personal information in accordance with this policy.
The following types of personal information may be collected, stored, and used:
- Information about your device: Including your IP address, geographic location (where available), browser type and version, and operating system.
- Information about your visits and use of the Platform: Including the referring source, length of visit, page views, and navigation paths.
- Account information: Such as your email address, name, and any other information you provide when you register or update your account.
- Form and conversation data: Information that you or end users enter when using our services, including messages submitted through your dialobox forms, replies you send from the dashboard, form configurations, and metadata (e.g. form ID, timestamps) necessary to provide the service.
- Usage information: Information generated while using our site, including when, how often, and under what circumstances you use it.
- Communications: Information contained in communications you send to us by email or through our website (e.g. contact form), including their content and metadata.
- Payment-related information: Payment details are processed securely through Stripe. We do not store your full payment card information on our servers; see section 13 (Payment processing) below.
- Any other personal information that you provide to us.
3. Use of your personal information
Without your express consent, we will not provide your personal information to third parties for their direct marketing, or that of other third parties.
Personal information provided to us through our website or the Service will be used for the purposes described in this policy or on the relevant pages of the site. We may use your personal information to:
- Administer our website and our business
- Customize our website and dashboard for you
- Enable your use of the services offered on our website
- Provide you with the services you have purchased or subscribed to
- Deliver form submissions to your dashboard and send replies to submitters
- Send you statements, invoices, and payment reminders, and collect payments
- Send you non-marketing commercial communications (e.g. service notices)
- Send you email notifications that you have expressly requested
- Send you our newsletter or marketing communications, if you have requested or consented (you may opt out at any time)
- Provide statistical information about our users to third parties (without those third parties being able to identify an individual user)
- Deal with requests and complaints made by or relating to you
- Maintain the security of our website and prevent fraud
- Verify compliance with the terms and conditions that govern the use of our website
Message content submitted through your forms is used solely to deliver conversations to your dashboard and to send replies to submitters. We do not use form submissions for marketing or advertising to third parties.
4. Data processing roles (Controller vs Processor)
Our role under data protection law
For account and platform usage we act as data controller. For form submissions and conversation data we act as data processor; the customer who creates the form is the data controller. Under the GDPR, the distinction between controller and processor is essential. For our Service, the roles are as follows:
dialobox as Data Controller — We act as data controller for:
- Account data (email, name, login credentials, billing information)
- Website and dashboard analytics relating to your use of our platform
- Marketing and commercial communications (where you have consented)
- Data we collect when you visit our marketing site or contact us
dialobox as Data Processor — We act as data processor for:
- Contact form submissions (messages sent by end users through forms you create)
- Conversation data (the thread of messages between you and those end users, including replies you send from the dashboard)
For such processing, you are the data controller. You are responsible for ensuring you have a valid legal basis (e.g. consent, legitimate interest) for collecting and processing the personal data of end users who submit your forms, and for providing them with any required notices (e.g. privacy notice at point of collection). We process that data only on your documented instructions and in accordance with our Data Processing Agreement (DPA) and this Privacy Policy. Our DPA is incorporated by reference in our Terms of Service and is available on request or as set out there.
5. Legal basis for processing
We process your personal data on the following legal bases:
- Consent: Where you have given consent (e.g. for marketing communications, optional features, or cookies where required).
- Performance of a contract: Subscription management, access to the dashboard and to form and reply features, and delivery of the Service.
- Legal obligation: Retention of data for tax, accounting, or other legal purposes.
- Legitimate interest: Improving the platform, fraud detection, security, and anonymized or aggregated statistics.
6. Disclosure of your personal information
We do not sell your personal information. We may disclose your personal information to our employees, officers, insurers, professional advisers, agents, suppliers, or contractors to the extent reasonably necessary for the purposes set out in this policy.
We may disclose your personal information to any member of our group of companies (subsidiaries, ultimate holding company and its subsidiaries) to the extent reasonably necessary for the purposes set out in this policy.
Except as otherwise provided in this policy, we will not pass your personal information to third parties. We may disclose your personal information:
- To the extent that we are required to do so by law
- In connection with any ongoing or prospective legal proceedings
- To establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)
- To the buyer (or potential buyer) of any business or asset that we are (or are considering) selling
- To any person whom we reasonably believe to be a court or other authority with jurisdiction to require disclosure of such information
7. Subprocessors
We use carefully selected subprocessors to operate the Service (e.g. hosting, database, email delivery, analytics, payment processing, error monitoring). Under Article 28 GDPR, we ensure that each subprocessor is bound by contract to protect personal data and, where applicable, we use Standard Contractual Clauses (SCCs) or other approved safeguards for transfers outside the EEA.
Current subprocessors (company names, purposes, countries, and safeguards) are listed at /legal/subprocessors and updated there. We will inform you of material changes where required by the DPA.
8. Retention of your personal information
We do not keep personal information longer than necessary for the purposes for which it is processed. We apply the following retention logic:
- Account data: Retained for the duration of your contract (account) and, after account deletion, for the duration of applicable limitation periods (e.g. contractual and commercial claims under Belgian law) or where required for legal compliance, dispute resolution, or legitimate business purposes (e.g. fraud prevention). After that, data is deleted or anonymized.
- Billing and payment records: Retained for seven (7) years from the end of the financial year in which the transaction occurred, in line with Belgian accounting and tax obligations (or the applicable jurisdiction). Payment details are held by Stripe in accordance with their retention policy.
- Form and conversation data (processor data): Retained until you delete the data or close your account, or in accordance with your plan (e.g. history limits). After account termination, we retain such data only for the grace period allowed for export (see Terms of Service), then delete or anonymize unless a longer retention is required by law.
- Backups: Backup copies may be retained for a limited period (e.g. up to 30 days) for disaster recovery. Data in backups is deleted or overwritten in line with our backup cycle.
- Browsing data (cookies): As set out in our Cookie Policy (per-cookie duration as stated in the cookie list).
- Logs (login, security, access): Retained for up to six (6) months for security and operational purposes, unless a longer period is required by law.
We may retain documents containing personal data for longer where required by law, for ongoing or prospective legal proceedings, or to establish, exercise, or defend our legal rights.
9. Security of your personal information
We implement industry-standard encryption and security measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction, in line with Article 32 GDPR (security of processing). We do not guarantee absolute security; our commitment is to reasonable and appropriate technical and organizational measures.
In particular:
- Encryption in transit: Data is encrypted in transit using HTTPS/TLS between your device and our servers.
- Encryption at rest: Stored message content (form submissions and replies) and other sensitive data are encrypted at rest. Backups are encrypted; we do not store raw message content in application logs.
- Access restricted: Access to personal data is restricted to authorized personnel who need it for their role, with access controls and authentication protections in place.
We also apply logical separation of customer data, rate limiting on sensitive endpoints (e.g. reply submission, data request), audit logging where appropriate, secure development practices, and backup and recovery procedures. We do not disclose encryption algorithms, key management, or internal architecture in our public documentation.
No method of transmission or storage over the internet is 100% secure. You are responsible for the confidentiality of your password and account credentials. We will not ask you for your password except when you log in.
Technical and organizational measures (when we act as Processor)
Where we process personal data on your behalf (e.g. form submissions and conversation data), we implement the following technical and organizational measures in line with our DPA and Article 32 GDPR:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for stored message content and other sensitive data
- Logical separation of tenant (customer) data
- Access control mechanisms; access limited to authorized personnel
- Authentication protections for systems that process personal data
- Backup and recovery procedures (see retention section for backup retention)
10. Data processing and international transfers
Storage location: Where we host application and database infrastructure within the European Economic Area (EEA), we process and store your data within the EEA. Where we or our subprocessors process data outside the EEA (e.g. in the United States), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with subprocessors where required for transfers outside the EEA.
- EU–US Data Privacy Framework (DPF): Where a subprocessor participates in the EU–US Data Privacy Framework (or equivalent), we rely on that framework where applicable.
- Other transfer mechanisms permitted by applicable law (e.g. adequacy decisions, binding corporate rules).
We ensure appropriate safeguards (e.g. Standard Contractual Clauses) are in place with subprocessors where required. You may request more detail on the safeguards applicable to your data by contacting us. If we use profiling or automated decision-making that produces decisions with legal or similarly significant effects on you, we will inform you and, where required by law, ensure appropriate safeguards or your right to obtain human intervention.
Data controller: The data controller for the personal data described in this policy (where we act as controller) is Antoine Depuydt, the operator of dialobox. For requests or questions, please use our contact page.
11. Your rights
In accordance with applicable data protection law (including the GDPR where it applies), you may have the following rights:
- Right of access: Obtain a copy of the personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure (right to be forgotten): Request deletion of your personal data in certain circumstances
- Right to restrict processing: Request that we limit how we process your data in certain circumstances
- Right to object: Object to processing, in particular to processing for direct marketing purposes
- Right to data portability: Receive your data in a structured, commonly used format and, where feasible, transfer it to another provider
- Right to withdraw consent: Withdraw your consent at any time where processing is based on consent
- Right to lodge a complaint: Lodge a complaint with a supervisory authority (e.g. in Belgium, the Data Protection Authority at autoriteprotectiondonnees.be; in your country of residence if different)
To exercise any of these rights, please contact us via our contact page. We will respond within the time limits required by applicable law (e.g. generally within one month under the GDPR). California residents may have additional rights under the CCPA.
12. Cookies and tracking technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your preferences through the cookie consent banner or your browser settings.
13. Payment processing
We use Stripe, a third-party payment processor, to handle transactions and payments on our website. Stripe processes your payment information securely and in accordance with its own privacy policy (Stripe Privacy Policy).
When you purchase a subscription or make a payment, the following information may be shared with Stripe to process your payment: name, billing address, email address, and payment details (e.g. card number, expiration date). Stripe may collect and store personal information for the purposes of processing payments and may share your information with other third parties as necessary to complete the transaction.
We do not store your full payment card details on our servers. All payment information is securely handled and processed by Stripe. We retain only the minimum necessary information to comply with our legal obligations, manage subscriptions, and provide customer support. By using our service and purchasing a subscription, you agree to Stripe's processing of your payment information in accordance with its privacy policy.
14. Third party websites
Our website may contain links to third party websites. We have no control over those sites and are not responsible for their privacy policies or practices. We encourage you to read the privacy policies of any third party sites you visit.
15. Updating information
Please let us know if the personal information we hold about you needs to be corrected or updated. You can often update your account details in your account settings; for other requests, please use our contact page.
16. Amendments
We may update this policy from time to time by posting a new version on our website. You should check this page periodically to ensure you are aware of any changes. We may notify you of changes to this policy by email or through a notice on our website. The "Last updated" date at the top of this page indicates the latest revision. Your continued use of our services after changes constitutes your acceptance of the updated policy.
17. Contact and data controller identity
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us via our contact page. For data protection requests or to exercise your rights, please identify your message as such (e.g. "Privacy Request" in the subject line) and include sufficient information to verify your identity.