privacy policy · v0.1 · placeholder pending legal review

How we handle data.

iGamingInbox is a competitive email intelligence platform. We collect promotional emails sent by gambling operators to honeypot accounts that we (or our partners) control. This page describes what we collect, how we redact personal information, where we store it, and your rights.

Last updated: May 2026 · Status: Draft. Awaiting UK SaaS / privacy lawyer review before paid launch.

Who we are

iGamingInbox is operated by an individual founder based in London, United Kingdom. A legal entity will be incorporated before the first paying customer is onboarded.

Contact: hello@igaminginbox.com

What we collect — and what we don't

From honeypot inboxes (the emails we monitor)

We capture:

  • The email subject line
  • The email body (text + HTML), after PII redaction (see below)
  • The sender address (operator domain)
  • The send timestamp
  • The Message-ID header (for de-duplication)

We do not store:

  • The honeypot Gmail address itself (replaced with `[honeypot]` token)
  • Player greeting names (Alex, Mr Chow, etc. — replaced with `[Player]`)
  • Personalised bonus codes (replaced with `[CODE]`)
  • Tracking-pixel URLs or session-token query strings (replaced with `[redacted]`)
  • Account balances or personal financial data (regex-stripped from body)
  • Phone numbers (replaced with `[phone]`)
  • The IMAP password for any honeypot Gmail (stored as Vercel environment variables, never written to DB)

From you (our customers and prospects)

If you sign up for the beta, request a demo, or apply for a pilot:

We do not currently use cookies or web analytics on the beta product. If we add analytics in the future, we will use a privacy-respecting provider (e.g. Plausible or Fathom) that does not track individual users.

How redaction works

All email content passes through a redaction function at the moment of ingestion, before any data is written to our database. The unredacted version exists only in transit (Gmail IMAP → our serverless function) and is discarded after parsing.

The redaction covers:

We preserve all the competitive intel value — bonus amounts, wagering requirements, game names, operator names, campaign copy, CTA destinations (minus tracking) — without the personal data.

Where we store it

Email data, operator records, and customer accounts are stored in a managed PostgreSQL database hosted by Supabase in their London (eu-west-2) region. This ensures all data remains in the UK / EEA.

Our serverless functions and static pages are hosted on Vercel. Vercel's edge network includes UK PoPs; data at rest remains in our Supabase instance.

Honeypot IMAP credentials are stored as encrypted environment variables on Vercel, accessible only to the scraper function. They are never written to the database, never exposed to the frontend, and never logged.

How long we keep it

Redacted promotional emails are retained indefinitely for the purpose of building a historical competitive intelligence archive. This is the core utility of the product — historical depth matters for trend analysis.

Customer account data is retained for the duration of your subscription plus 12 months (to allow re-activation). On verified deletion request, your account data is deleted within 30 days.

Operator-side data (emails captured from honeypots) is not associated with any individual customer and is not subject to individual-deletion requests from operators.

Your rights (under UK GDPR)

As a UK / EEA resident, you have the right to:

To exercise any of these rights, email hello@igaminginbox.com. We respond within 30 days.

Changes to this policy

We will update this page when our practices change. The version number and date at the top of this page reflect the most recent revision. Material changes will be communicated to active customers via email.

A note on this draft

This Privacy Policy is a working draft pending review by a UK SaaS / privacy lawyer before our first paying customer is onboarded. The principles outlined here (redact-on-ingest, no PII stored, EU-resident data, GDPR rights respected) are foundational and will not change in subsequent revisions — but legal phrasing may be tightened.

If you have any concerns about our data handling, please contact us directly. We are open to scrutiny on this — the whole product is built around the principle that competitive intel should never come at the cost of personal data leakage.