Privacy Policy

Mailbox.bot — Outbound Mail API for AI Agents, Businesses, and Developers
Operated by Golden Ratio, LLC, a Utah Limited Liability Company
Effective Date: February 7, 2026 · Last Updated: May 2, 2026

1. Overview and Commitment

1.1 Our Privacy Commitment

Golden Ratio, LLC ("Company," "we," "us," "our"), the operator of Mailbox.bot, is committed to protecting the privacy and security of your personal information. The Platform's currently live offering includes outbound mail and inbound mail context capture: you (or your AI agent, MCP client, or REST consumer) submit documents for printing and mailing, and you may forward scans, photos, PDFs, notices, and notes from mailing addresses you already use to your private mailbox.bot alias. Managed inbound mailbox and physical-package services are available by reservation/approval, with address issuing beginning August 2026. We take seriously the responsibility you place in us when you transmit documents, recipient data, inbound context, agent rules, and credentials to the Platform.

1.2 Scope

This Privacy Policy applies to all information collected through the Mailbox.bot website (mailbox.bot), the Mailbox.bot REST API, the MCP server, the Agent-to-Agent (A2A) endpoint, OpenClaw integrations, the Operator Dashboard, Agent profile pages, and any related services, tools, or communications (collectively, the "Platform").

1.3 Agreement

By using the Platform, creating an account, reserving an address spot, or interacting with our services in any way, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Account registration information: full legal name, email address, phone number, physical address, and payment information
• Identity verification (KYC) information: government-issued photo identification, biometric selfie photograph, date of birth, and address verification data
• Agent registration information: agent name, slug, description, webhook URLs, framework identifiers, and capability declarations
• Address reservation information: email address and any optional information you provide
• Communications: any messages, support requests, or correspondence you send to us
• Payment information: credit card or other payment method details (processed and stored by our payment processor, not stored on our servers)

2.2 Information We Collect Automatically

When you access or use the Platform, we automatically collect:

• Log data: IP address, browser type, operating system, referring URLs, pages visited, timestamps, and request identifiers
• Device information: device type, screen resolution, language preferences, and unique device identifiers
• Usage data: features used, API calls made, webhook events triggered, and interaction patterns
• Cookie data: session identifiers, authentication tokens, and analytics cookies (see Section 9)

2.3 Information Generated Through Our Services

In the course of providing our services, we generate and collect:

• Package data: exterior photographs, tracking numbers, carrier information, dimensions, weight, intake timestamps, and storage location within the Facility
• Content Scan data: photographs and digitized representations of package contents (only when you request a Content Scan)
• Outbound document data: recipient addresses, document content (as submitted via the API), tracking information, and delivery status
• Webhook logs: event payloads, delivery timestamps, response codes, and retry history
• API access logs: authentication events, endpoints called, request/response metadata, and rate limit status

2.4 Information from Third Parties

We may receive information about you from third-party sources, including:

• Identity verification provider (Stripe Identity): verification results, risk scores, and document authentication outcomes
• Payment processor (Stripe): transaction status, payment method verification, and fraud detection signals
• Phone carrier verification (Twilio Lookup): line type, carrier name, and fraud risk score for the phone number you provide at signup
• Shipping carriers (USPS, FedEx, UPS): tracking updates and carrier-generated metadata for outbound mail pieces we tender on your behalf
• Analytics providers (Google Analytics, PostHog): aggregated usage statistics, traffic source information, and product-feature interaction telemetry — see Sections 5.6 and 9 for the full disclosure

3. How We Use Your Information

3.1 Service Provision

We use your information to operate, maintain, and improve the Platform, including:

• Verifying your identity and maintaining account security
• Provisioning Endpoints and processing package intake under bailee custody
• Sending webhook notifications and email alerts about package events
• Processing outbound document requests
• Providing Content Scan services
• Managing billing, payments, and subscription plans
• Facilitating package forwarding and consolidation
• Maintaining Agent profiles and protocol endpoints

3.2 Security and Fraud Prevention

We use your information to protect the Platform and our users, including:

• Screening against OFAC sanctions lists and other watchlists
• Detecting and preventing fraudulent or suspicious activity
• Monitoring for Prohibited Items and prohibited activities
• Enforcing our Terms of Service and Acceptable Use Policy
• Investigating security incidents and unauthorized access attempts

3.3 Communications

We use your information to communicate with you about your account, service updates, security alerts, and other transactional communications. We will never send you unsolicited marketing emails without your explicit opt-in consent.

3.4 Legal Compliance

We use your information to comply with applicable laws, regulations, and legal processes, including responding to lawful subpoenas, court orders, and law enforcement requests (see Section 6).

3.5 Improvement and Analytics

We use aggregated, anonymized data to improve our services, analyze usage patterns, and develop new features. This data cannot be used to identify you individually.

4. We Never Sell or Share Your Data for Marketing

4.1 Limited Disclosure

We disclose your personal information only in the following circumstances:

• Service providers: We share information with third-party service providers who perform services on our behalf (see Section 5), subject to strict contractual obligations to protect your data and use it only for the purposes we specify
• Legal requirements: We may disclose information when required by law, regulation, legal process, or governmental request (see Section 6)
• Safety and security: We may disclose information when we believe it is necessary to protect the safety, rights, or property of the Company, our users, or the public
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to the same privacy protections described in this Policy
• With your consent: We may share information with your explicit consent for purposes you have approved

4.2 No Third-Party Marketing

We do not provide your name, email address, phone number, physical address, or any other personal information to third parties for the purpose of sending you marketing communications, targeted advertising, or promotional materials. If this ever changes, we will obtain your explicit, affirmative opt-in consent before any such sharing occurs.

5. Third-Party Service Providers

5.1 Service Providers We Use

We work with the following categories of third-party service providers to operate the Platform:

5.2 Identity Verification

Stripe Identity — We use Stripe Identity for KYC identity verification. When you verify your identity, Stripe processes your government-issued ID and biometric selfie. Stripe's handling of this data is governed by Stripe's Privacy Policy. We receive only the verification result (verified/rejected), a session identifier, and extracted identity fields. We do not store copies of your identity documents on our servers after verification is complete.

5.3 Payment Processing

Stripe Payments — All payment processing is handled by Stripe. Your credit card number, CVV, and full payment details are transmitted directly to Stripe and are never stored on our servers. We receive only a tokenized reference, last four digits, expiration date, and transaction status. Stripe is PCI DSS Level 1 certified.

5.4 Outbound Mail Fulfillment

Outbound mail is fulfilled directly through facilities operated by or contracted with the Company. The PDF you submit, the recipient address, the return address, and any agent-supplied metadata are transmitted to the assigned facility's production system, where the piece is printed, enveloped, weighed, postage-applied, and tendered to the selected carrier (USPS, FedEx, or UPS at published retail rates). We do not transmit the contents of your document to any third-party print-and-mail service such as Lob, PostGrid, or any similar SaaS print broker.

Carrier-generated tracking numbers and delivery scans are received from the carrier and surfaced to you via the dashboard, REST API, MCP, and webhooks. Once a mail piece has been handed off to USPS or another carrier, the carrier's privacy practices govern the in-transit handling of the piece and its tracking events.

5.5 File-Format Conversion

If you submit a non-PDF document (DOCX, XLSX, RTF, image formats, etc.) and the Outbound Mail cloud-conversion feature is enabled for your account, the file is transmitted to CloudConvert for conversion to PDF prior to printing. CloudConvert deletes uploaded files automatically per its privacy policy. Submissions in PDF, JPG, PNG, or TXT format are converted locally on our infrastructure and are never sent to a third-party converter.

5.6 Database and Infrastructure

Supabase — Our application database is hosted on Supabase, which provides PostgreSQL with row-level security, encryption at rest, and SOC 2 Type II compliance. Data is stored in secure, access-controlled environments.

Upstash — We use Upstash Redis for rate limiting and Upstash QStash for asynchronous job processing (webhook delivery, outbound mail dispatch, billing sweeps, notifications). QStash signs every job with our signing keys and never receives the contents of your documents.

Resend — Transactional email (verification, security alerts, owner notifications) is sent via Resend. Resend processes recipient addresses and email content solely to deliver the message.

Twilio — SMS notifications, the support-text proxy, and signup-time phone-carrier checks (Twilio Lookup v2) are processed via Twilio.

5.7 Analytics — Google Analytics and PostHog

The Platform uses two and only two analytics providers, both for our own first-party measurement of how the website and product are used. We do not allow either provider to use your data for their own advertising, model training, or third-party sharing.

• Google Analytics 4 (GA4) — captures aggregate website traffic, page views, sessions, traffic sources, and approximate geolocation derived from IP. We have IP anonymization enabled and do not enable Google Signals or advertising features. You can opt out by installing the Google Analytics Opt-Out Browser Add-on, by enabling Do Not Track, or by declining analytics cookies in our cookie banner.
• PostHog — captures first-party product telemetry such as page views inside the dashboard, button clicks, API call counts, and feature-adoption events tied to your account or anonymous session. PostHog is configured as a first-party analytics tool and is not used to build advertising audiences or to share data with third parties. You can opt out of PostHog telemetry by emailing privacy@mailbox.bot.

5.8 Hosting and CDN

Vercel — Our website and API are hosted on Vercel's infrastructure. Vercel may process request logs (IP, user agent, request path) in the course of serving the application.

5.9 Bot Protection

Cloudflare Turnstile — We use Cloudflare Turnstile to protect signup, contact, and address reservation forms from automated abuse. Turnstile may collect device and browser signals to distinguish humans from bots, processed by Cloudflare under its privacy policy.

5.10 Contractual Protections

All third-party service providers are bound by contractual obligations (or, where applicable, by their published Data Processing Addenda) to: process your data only for the purposes we specify; maintain appropriate security measures; not sell, share, or use your data for their own advertising, marketing, or model training; notify us promptly of any security incidents; and delete your data upon termination of our agreement or upon our instruction.

6. Law Enforcement and Legal Disclosures

6.1 What We May Disclose

In response to valid legal process, we may disclose:

• Member identity verification records and KYC results
• Account registration information and contact details
• Agent registration information and configuration data
• Package intake logs, photographs, and Content Scan images
• API access logs and webhook event logs
• Payment and billing records
• Communication records between you and the Company
• Any other information in our possession responsive to a lawful request

6.2 Voluntary Reporting

We may voluntarily report to law enforcement any activity that we suspect involves fraud, money laundering, terrorism financing, Prohibited Items, or other criminal conduct, without prior notice to you. This is consistent with our commitment to operating a safe, lawful platform.

6.3 Preservation Requests

We honor lawful preservation requests from law enforcement and will preserve relevant records for the period specified, or 180 days if no period is specified.

7. Data Security

7.1 Encryption

We implement strong encryption to protect your data:

• Encryption in transit: All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher (HTTPS). All API communications require HTTPS. Unencrypted HTTP requests are automatically redirected to HTTPS.
• Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption. This includes your personal information, package data, photographs, and all associated metadata.
• Key management: Encryption keys are managed through industry-standard key management practices with regular rotation and strict access controls.

7.2 Access Controls

We maintain strict access controls to protect your data:

• Role-based access control (RBAC): Access to Member data is restricted to authorized personnel on a need-to-know basis
• Row-level security: Our database enforces row-level security policies ensuring that Members can only access their own data through the API
• API authentication: All API access requires valid authentication credentials (API keys or session tokens) scoped to specific permissions
• Multi-factor authentication: Administrative access to our systems requires multi-factor authentication
• Principle of least privilege: Employees and systems are granted the minimum access necessary to perform their functions

7.3 Infrastructure Security

• Our infrastructure is hosted on SOC 2 Type II compliant platforms
• We conduct regular security assessments and vulnerability scanning
• We maintain security monitoring and alerting for suspicious activity
• Database backups are encrypted and stored in geographically separate locations
• We maintain an incident response plan for security events

7.4 Facility Security

Our physical Facilities where packages are received and stored employ security measures including restricted access, security monitoring, and inventory tracking. Only authorized personnel are permitted to handle packages.

7.5 Security Limitations

While we implement commercially reasonable security measures, no system is 100% secure. We cannot guarantee the absolute security of your data. In the event of a security breach that affects your personal information, we will notify you in accordance with applicable law.

8. Data Retention

8.1 Retention Periods

We retain your information for the following periods:

• Account information: For the duration of your account plus five (5) years after account closure
• KYC records: Minimum of five (5) years after account closure, as required for compliance purposes
• Package records and photographs: For the duration of your account plus five (5) years after account closure
• Content Scan images: For the duration of your account plus five (5) years after account closure
• API access logs: Rolling twelve (12) month retention
• Webhook delivery logs: Rolling twelve (12) month retention
• Payment records: Seven (7) years for tax and accounting compliance
• Address reservation data: Until you request removal or your account is created
• Analytics data: Aggregated analytics data is retained indefinitely; raw analytics data is retained for twenty-six (26) months per Google Analytics default settings

8.2 Extended Retention

We may retain information beyond the standard retention periods if required by law, regulation, or legal process; subject to a pending or anticipated legal hold or litigation; necessary for the investigation of fraud or security incidents; or subject to a law enforcement preservation request.

8.3 Deletion

When data reaches the end of its retention period and no exception applies, it is permanently deleted or irreversibly anonymized. Deletion is performed through secure deletion procedures that render the data unrecoverable.

9. Cookies and Tracking Technologies

9.1 What Cookies We Use

We use the following categories of cookies:

• Essential cookies: Required for the Platform to function, including session management and authentication. These cookies cannot be disabled.
• Analytics cookies: Google Analytics cookies (_ga, _gid) and PostHog cookies (used for first-party product telemetry). These can be declined in our cookie banner. See Section 5.7.
• Security cookies: Cloudflare Turnstile cookies used for bot protection on signup, contact, and address reservation forms.
• Preference cookies: Cookies that store your preferences, such as cookie consent status.

9.2 Cookie Consent

When you first visit our website, we present a cookie consent banner. You may accept or decline non-essential cookies. Your preference is stored and respected across sessions. You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site.

9.3 Do Not Track

We respect Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics tracking for that session.

9.4 No Cross-Site Tracking

We do not engage in cross-site tracking. We do not use advertising cookies, retargeting pixels, or any technology that tracks your activity across other websites. We do not participate in ad networks or behavioral advertising programs.

10. Your Rights

10.1 Access

You have the right to request access to the personal information we hold about you. We will provide a copy of your data in a structured, machine-readable format within thirty (30) days of a verified request.

10.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through the Operator Dashboard or by contacting us.

10.3 Deletion

You have the right to request deletion of your personal information, subject to the following exceptions:

• KYC records that we are legally required to retain for five (5) years
• Records subject to a legal hold, pending litigation, or law enforcement request
• Information necessary to complete a pending transaction or fulfill a contractual obligation
• Records required for tax, accounting, or regulatory compliance

To request deletion, email with the subject "Data Deletion Request." We will process your request within thirty (30) days and confirm deletion in writing.

10.4 Portability

You have the right to receive your personal data in a portable, machine-readable format (JSON or CSV). This includes your account information, Agent configurations, package records, and API logs.

10.5 Restriction of Processing

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of your data or when processing is no longer necessary but you need the data for legal claims.

10.6 Objection

You have the right to object to our processing of your personal information for analytics and improvement purposes. To exercise this right, email .

10.7 Withdrawal of Consent

Where our processing of your information is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

10.8 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing for making a privacy request.

10.9 Exercising Your Rights

To exercise any of these rights, contact us at . We will verify your identity before processing any request to protect against unauthorized access. We will respond to all verified requests within thirty (30) days.

11. California Privacy Rights (CCPA/CPRA)

11.1 Categories of Personal Information

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information. In the preceding twelve (12) months, we have collected the following categories of personal information:

• Identifiers: name, email address, phone number, physical address, IP address, account name
• Personal information under Cal. Civ. Code 1798.80(e): name, address, phone number, financial information (payment method)
• Biometric information: facial geometry data (processed by Stripe Identity for KYC verification only, not stored by us after verification)
• Internet or electronic network activity: browsing history on our site, API usage logs, interaction with the Platform
• Geolocation data: approximate location derived from IP address
• Professional or employment-related information: only if voluntarily provided during registration

11.2 Your California Rights

As a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell (we sell none)
• Delete your personal information (subject to legal exceptions)
• Opt out of the sale of your personal information (we do not sell personal information, so no opt-out is necessary, but you may still submit a request)
• Opt out of sharing for cross-context behavioral advertising (we do not share for this purpose)
• Correct inaccurate personal information
• Limit use and disclosure of sensitive personal information to what is necessary for the services
• Non-discrimination for exercising your CCPA/CPRA rights

11.3 Authorized Agents

California residents may designate an authorized agent to submit privacy requests on their behalf. Authorized agents must provide written authorization from the consumer and verify their own identity. We may deny requests from agents who cannot provide adequate proof of authorization.

11.4 California Consumer Complaint

Pursuant to California Civil Code §1789.3, California residents may contact the Complaint Assistance Unit of the Division of Consumer Services at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

11.5 Shine the Light

Under California Civil Code §1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated in this Policy, we do not disclose personal information to third parties for their direct marketing purposes.

12. International Users

12.1 Data Location

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

12.2 GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

• Legal basis: We process your personal data based on contractual necessity (to provide the services you requested), legitimate interests (security, fraud prevention, service improvement), legal obligations (KYC, sanctions screening, law enforcement cooperation), and consent (where applicable, such as for analytics cookies)
• Data transfers: Transfers of personal data from the EEA to the United States are conducted in compliance with applicable data transfer mechanisms
• Data Protection Officer: For GDPR-related inquiries, contact
• Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority

13. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at .

14. Data Breach Notification

14.1 Our Commitment

In the event of a data breach that compromises your personal information, we will:

• Notify affected individuals via email within seventy-two (72) hours of discovering the breach, or as soon as reasonably practicable
• Notify applicable regulatory authorities as required by law
• Provide a clear description of what happened, what information was involved, what we are doing to address it, and what steps you can take to protect yourself
• Offer appropriate remediation, which may include credit monitoring services for breaches involving sensitive personal information

14.2 Incident Response

We maintain a documented incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. Our response team is trained and prepared to act swiftly in the event of a breach.

15. Aggregated and Anonymized Data

15.1 Use of Aggregated Data

We may create aggregated, anonymized, or de-identified data from your personal information. This data cannot reasonably be used to identify you. We may use aggregated data for:

• Service improvement and feature development
• Industry reports and benchmarking (e.g., average package volumes, carrier distribution statistics)
• Training and improving AI models used in the Platform
• Marketing and promotional materials (only aggregate statistics, never individual data)

15.2 Opt-Out of Aggregated Data Use

You may opt out of having your data included in aggregated datasets by emailing with the subject "Opt-Out: Aggregated Data." We will honor your request within thirty (30) days.

16. Agent, API, MCP, and A2A Data

The Platform exposes its outbound mail capabilities to AI agents and developers via REST API, MCP (Model Context Protocol), A2A (Agent-to-Agent), and OpenClaw. This section describes the data we collect and retain in connection with those programmatic interfaces.

16.1 Agent Profile Data

Agent profiles hosted at [agent-slug].mailbox.bot may be publicly accessible. Information you include in an Agent's profile (name, description, capabilities, protocol endpoints) is visible to anyone who accesses the profile URL. Do not include sensitive personal information in Agent profiles.

16.2 API, MCP, and A2A Request Data

Data transmitted through the REST API, MCP server, A2A endpoint, or OpenClaw integration (including outbound mail submissions, recipient addresses, document files, agent metadata, and webhook payloads) is encrypted in transit (TLS 1.2+) and at rest (AES-256). We log request/response metadata (endpoint, status code, latency, IP, user agent, agent identifier, idempotency key) to operate, secure, and bill the Platform. API access logs are retained for twelve (12) months. We do not read or analyze the body of your document submissions beyond what is necessary to print, address, weigh, postage, and dispatch the piece.

16.3 API Keys and Credentials

API keys (member, agent, and facility scopes) and webhook signing keys are issued by the Platform and shown only once at creation. We store a salted hash of the secret portion server-side; we cannot recover the original secret. You are responsible for protecting these credentials. See the Terms of Service for the full credential-security obligations and the Company's position on liability for credential compromise.

16.4 Agent Decision and Activity Logs

For accounts with agents configured, decision logs — which rule triggered, what action was taken, the MAILBOX.md version in effect at the time, and the corresponding API/MCP context — are available to the Account Holder via the dashboard and API. Decision logs are retained for the duration of your account plus five (5) years.

16.5 Webhook Security

Webhook payloads are signed with your webhook signing key (HMAC-SHA256, format whsk_prefix:t=ts,v1=hmac) so that you can verify their authenticity. We recommend always verifying webhook signatures and rotating signing keys periodically. Webhook delivery logs (event metadata, delivery attempts, response status) are retained for twelve (12) months and are also surfaced to you via the dashboard's API Logs / Webhook Sandbox view.

17. Outbound Mail and Document Privacy

17.1 Outbound Document Content

When you submit a document for outbound mailing, the PDF (or other supported format) is uploaded to our private object storage, encrypted at rest, and transmitted to the assigned facility's production system for printing. The document is accessible only to (a) you and any agent credentials you have authorized, (b) authorized Company personnel and the facility's production staff with a legitimate operational need to print, envelope, weigh, and dispatch the piece, and (c) law enforcement pursuant to valid legal process. We do not read, parse, train models on, or sell the contents of your documents.

17.2 Fulfillment Photo Proof

For each outbound mail piece, the facility may capture photo evidence of one or more steps in the production lifecycle (printed pages, sealed envelope, postage label, carrier drop-off). These photos are stored with the same encryption and access controls as your document and are surfaced to you via the dashboard, REST API, MCP, and webhooks. Photo proof documents the drop-off event and does not constitute proof of delivery.

17.3 Recipient Address Data

Recipient addresses you submit are used solely to address and dispatch the corresponding mail piece, to compute postage, and to satisfy carrier tendering requirements. We do not enrich, sell, share, or repurpose recipient address data for marketing, advertising, list-building, or any other purpose.

17.4 Document Retention

Outbound document files are retained for the duration of your account (so that you and your agent can audit historical sends) plus up to seven (7) years for tax, billing-dispute, and audit purposes, after which they are deleted or irreversibly anonymized. You may request earlier deletion of specific document files by emailing , subject to legal-hold and active-litigation exceptions described in Section 8.

17.5 Inbound Mail Evidence and Managed Receiving

Inbound forwarding aliases are used for digital context that you or your provider choose to send to mailbox.bot, such as envelope photos, opened-mail photos, scan PDFs, provider notices, and notes. Managed virtual mailbox service and physical-package receiving, where mailbox.bot or a facility receives physical mail or packages for you, are available by reservation/approval with address issuing beginning August 2026. Privacy practices specific to those managed services (intake exterior photography, content scanning, package storage, forwarding, and Commercial Mail Receiving Agency (CMRA)-related handling) are covered by a separate beta addendum for participating Members.

18. Changes to This Privacy Policy

18.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Privacy Policy on this page with a new "Last Updated" date
• Notify you via email at least thirty (30) days before the changes take effect
• Provide a summary of material changes
• For significant changes affecting your rights, give you the opportunity to review and consent before the changes take effect

18.2 Continued Use

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms. If you disagree with any changes, you may terminate your account before the effective date.

19. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Golden Ratio, LLC dba Mailbox.bot
Privacy Inquiries
3556 S 5600 W, Suite #1-1038
Salt Lake City, UT 84120
Email:
General Support:

We will acknowledge receipt of all privacy-related inquiries within two (2) business days and provide a substantive response within thirty (30) days.