Privacy Policy

Mailbox.bot — Physical Logistics Infrastructure for AI Agents
Operated by Golden Ratio, LLC, a Utah Limited Liability Company
Effective Date: February 7, 2026 · Last Updated: February 7, 2026

1. Overview and Commitment

1.1 Our Privacy Commitment

Golden Ratio, LLC ("Company," "we," "us," "our"), the operator of Mailbox.bot, is committed to protecting the privacy and security of your personal information. We believe that trust is the foundation of our service — you are trusting us with your physical property as bailee, your identity, and your data. We take that responsibility seriously.

1.2 Scope

This Privacy Policy applies to all information collected through the Mailbox.bot website (mailbox.bot), the Mailbox.bot API, the Operator Dashboard, Agent profile pages, the shipping portal (ship.mailbox.bot), and any related services, tools, or communications (collectively, the "Platform").

1.3 Agreement

By using the Platform, creating an account, joining the waitlist, or interacting with our services in any way, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Account registration information: full legal name, email address, phone number, physical address, and payment information
• Identity verification (KYC) information: government-issued photo identification, biometric selfie photograph, date of birth, and address verification data
• Agent registration information: agent name, slug, description, webhook URLs, framework identifiers, and capability declarations
• Waitlist information: email address and any optional information you provide
• Communications: any messages, support requests, or correspondence you send to us
• Payment information: credit card or other payment method details (processed and stored by our payment processor, not stored on our servers)

2.2 Information We Collect Automatically

When you access or use the Platform, we automatically collect:

• Log data: IP address, browser type, operating system, referring URLs, pages visited, timestamps, and request identifiers
• Device information: device type, screen resolution, language preferences, and unique device identifiers
• Usage data: features used, API calls made, webhook events triggered, and interaction patterns
• Cookie data: session identifiers, authentication tokens, and analytics cookies (see Section 9)

2.3 Information Generated Through Our Services

In the course of providing our services, we generate and collect:

• Package data: exterior photographs, tracking numbers, carrier information, dimensions, weight, intake timestamps, and storage location within the Facility
• Content Scan data: photographs and digitized representations of package contents (only when you request a Content Scan)
• Outbound document data: recipient addresses, document content (as submitted via the API), tracking information, and delivery status
• Webhook logs: event payloads, delivery timestamps, response codes, and retry history
• API access logs: authentication events, endpoints called, request/response metadata, and rate limit status

2.4 Information from Third Parties

We may receive information about you from third-party sources, including:

• Identity verification provider (Stripe Identity): verification results, risk scores, and document authentication outcomes
• Payment processor (Stripe): transaction status, payment method verification, and fraud detection signals
• Shipping carriers (FedEx, UPS, DHL, Amazon, etc.): tracking updates, delivery confirmations, and carrier-generated metadata
• Analytics providers (Google Analytics): aggregated usage statistics and traffic source information

3. How We Use Your Information

3.1 Service Provision

We use your information to operate, maintain, and improve the Platform, including:

• Verifying your identity and maintaining account security
• Provisioning Endpoints and processing package intake under bailee custody
• Sending webhook notifications and email alerts about package events
• Processing outbound document requests
• Providing Content Scan services
• Managing billing, payments, and subscription plans
• Facilitating package forwarding and consolidation
• Maintaining Agent profiles and protocol endpoints

3.2 Security and Fraud Prevention

We use your information to protect the Platform and our users, including:

• Screening against OFAC sanctions lists and other watchlists
• Detecting and preventing fraudulent or suspicious activity
• Monitoring for Prohibited Items and prohibited activities
• Enforcing our Terms of Service and Acceptable Use Policy
• Investigating security incidents and unauthorized access attempts

3.3 Communications

We use your information to communicate with you about your account, service updates, security alerts, and other transactional communications. We will never send you unsolicited marketing emails without your explicit opt-in consent.

3.4 Legal Compliance

We use your information to comply with applicable laws, regulations, and legal processes, including responding to lawful subpoenas, court orders, and law enforcement requests (see Section 6).

3.5 Improvement and Analytics

We use aggregated, anonymized data to improve our services, analyze usage patterns, and develop new features. This data cannot be used to identify you individually.

4. We Never Sell or Share Your Data for Marketing

4.1 Limited Disclosure

We disclose your personal information only in the following circumstances:

• Service providers: We share information with third-party service providers who perform services on our behalf (see Section 5), subject to strict contractual obligations to protect your data and use it only for the purposes we specify
• Legal requirements: We may disclose information when required by law, regulation, legal process, or governmental request (see Section 6)
• Safety and security: We may disclose information when we believe it is necessary to protect the safety, rights, or property of the Company, our users, or the public
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to the same privacy protections described in this Policy
• With your consent: We may share information with your explicit consent for purposes you have approved

4.2 No Third-Party Marketing

We do not provide your name, email address, phone number, physical address, or any other personal information to third parties for the purpose of sending you marketing communications, targeted advertising, or promotional materials. If this ever changes, we will obtain your explicit, affirmative opt-in consent before any such sharing occurs.

5. Third-Party Service Providers

5.1 Service Providers We Use

We work with the following categories of third-party service providers to operate the Platform:

5.2 Identity Verification

Stripe Identity — We use Stripe Identity for KYC identity verification. When you verify your identity, Stripe processes your government-issued ID and biometric selfie. Stripe's handling of this data is governed by Stripe's Privacy Policy. We receive only the verification result (verified/rejected), a session identifier, and extracted identity fields. We do not store copies of your identity documents on our servers after verification is complete.

5.3 Payment Processing

Stripe Payments — All payment processing is handled by Stripe. Your credit card number, CVV, and full payment details are transmitted directly to Stripe and are never stored on our servers. We receive only a tokenized reference, last four digits, expiration date, and transaction status. Stripe is PCI DSS Level 1 certified.

5.4 Outbound Mail

Lob / PostGrid — When you send outbound documents through the Platform, the document content and recipient address are transmitted to our document fulfillment provider for printing and delivery. This data is subject to the provider's privacy policy and data handling practices.

5.5 Database and Infrastructure

Supabase — Our database is hosted on Supabase, which provides PostgreSQL database services with row-level security, encryption at rest, and SOC 2 Type II compliance. Data is stored in secure, access-controlled environments.

5.6 Analytics

Google Analytics — We use Google Analytics to collect aggregated, anonymized usage data about how visitors interact with our website. Google Analytics uses cookies to track page views, session duration, and traffic sources. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.

5.7 Hosting and CDN

Vercel — Our website is hosted on Vercel's infrastructure. Vercel may process request logs including IP addresses and user agent strings in the course of serving web pages.

5.8 Bot Protection

Cloudflare Turnstile — We use Cloudflare Turnstile to protect forms from automated abuse. Turnstile may collect device and browser signals to distinguish human users from bots. This data is processed by Cloudflare in accordance with their privacy policy.

5.9 Contractual Protections

All third-party service providers are bound by contractual obligations to: process your data only for the purposes we specify; maintain appropriate security measures; not sell, share, or use your data for their own purposes; notify us promptly of any security incidents; and delete your data upon termination of our agreement with them or upon our instruction.

6. Law Enforcement and Legal Disclosures

6.1 What We May Disclose

In response to valid legal process, we may disclose:

• Member identity verification records and KYC results
• Account registration information and contact details
• Agent registration information and configuration data
• Package intake logs, photographs, and Content Scan images
• API access logs and webhook event logs
• Payment and billing records
• Communication records between you and the Company
• Any other information in our possession responsive to a lawful request

6.2 Voluntary Reporting

We may voluntarily report to law enforcement any activity that we suspect involves fraud, money laundering, terrorism financing, Prohibited Items, or other criminal conduct, without prior notice to you. This is consistent with our commitment to operating a safe, lawful platform.

6.3 Preservation Requests

We honor lawful preservation requests from law enforcement and will preserve relevant records for the period specified, or 180 days if no period is specified.

7. Data Security

7.1 Encryption

We implement strong encryption to protect your data:

• Encryption in transit: All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher (HTTPS). All API communications require HTTPS. Unencrypted HTTP requests are automatically redirected to HTTPS.
• Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption. This includes your personal information, package data, photographs, and all associated metadata.
• Key management: Encryption keys are managed through industry-standard key management practices with regular rotation and strict access controls.

7.2 Access Controls

We maintain strict access controls to protect your data:

• Role-based access control (RBAC): Access to Member data is restricted to authorized personnel on a need-to-know basis
• Row-level security: Our database enforces row-level security policies ensuring that Members can only access their own data through the API
• API authentication: All API access requires valid authentication credentials (API keys or session tokens) scoped to specific permissions
• Multi-factor authentication: Administrative access to our systems requires multi-factor authentication
• Principle of least privilege: Employees and systems are granted the minimum access necessary to perform their functions

7.3 Infrastructure Security

• Our infrastructure is hosted on SOC 2 Type II compliant platforms
• We conduct regular security assessments and vulnerability scanning
• We maintain security monitoring and alerting for suspicious activity
• Database backups are encrypted and stored in geographically separate locations
• We maintain an incident response plan for security events

7.4 Facility Security

Our physical Facilities where packages are received and stored employ security measures including restricted access, security monitoring, and inventory tracking. Only authorized personnel are permitted to handle packages.

7.5 Security Limitations

While we implement commercially reasonable security measures, no system is 100% secure. We cannot guarantee the absolute security of your data. In the event of a security breach that affects your personal information, we will notify you in accordance with applicable law.

8. Data Retention

8.1 Retention Periods

We retain your information for the following periods:

• Account information: For the duration of your account plus five (5) years after account closure
• KYC records: Minimum of five (5) years after account closure, as required for compliance purposes
• Package records and photographs: For the duration of your account plus five (5) years after account closure
• Content Scan images: For the duration of your account plus five (5) years after account closure
• API access logs: Rolling twelve (12) month retention
• Webhook delivery logs: Rolling twelve (12) month retention
• Payment records: Seven (7) years for tax and accounting compliance
• Waitlist data: Until you request removal or your account is created
• Analytics data: Aggregated analytics data is retained indefinitely; raw analytics data is retained for twenty-six (26) months per Google Analytics default settings

8.2 Extended Retention

We may retain information beyond the standard retention periods if required by law, regulation, or legal process; subject to a pending or anticipated legal hold or litigation; necessary for the investigation of fraud or security incidents; or subject to a law enforcement preservation request.

8.3 Deletion

When data reaches the end of its retention period and no exception applies, it is permanently deleted or irreversibly anonymized. Deletion is performed through secure deletion procedures that render the data unrecoverable.

9. Cookies and Tracking Technologies

9.1 What Cookies We Use

We use the following categories of cookies:

• Essential cookies: Required for the Platform to function, including session management and authentication. These cookies cannot be disabled.
• Analytics cookies: Google Analytics cookies (_ga, _gid) that help us understand how visitors use our website. These can be opted out of (see Section 5.6).
• Security cookies: Cloudflare Turnstile cookies used for bot protection on forms.
• Preference cookies: Cookies that store your preferences, such as cookie consent status.

9.2 Cookie Consent

When you first visit our website, we present a cookie consent banner. You may accept or decline non-essential cookies. Your preference is stored and respected across sessions. You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site.

9.3 Do Not Track

We respect Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics tracking for that session.

9.4 No Cross-Site Tracking

We do not engage in cross-site tracking. We do not use advertising cookies, retargeting pixels, or any technology that tracks your activity across other websites. We do not participate in ad networks or behavioral advertising programs.

10. Your Rights

10.1 Access

You have the right to request access to the personal information we hold about you. We will provide a copy of your data in a structured, machine-readable format within thirty (30) days of a verified request.

10.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through the Operator Dashboard or by contacting us.

10.3 Deletion

You have the right to request deletion of your personal information, subject to the following exceptions:

• KYC records that we are legally required to retain for five (5) years
• Records subject to a legal hold, pending litigation, or law enforcement request
• Information necessary to complete a pending transaction or fulfill a contractual obligation
• Records required for tax, accounting, or regulatory compliance

To request deletion, email with the subject "Data Deletion Request." We will process your request within thirty (30) days and confirm deletion in writing.

10.4 Portability

You have the right to receive your personal data in a portable, machine-readable format (JSON or CSV). This includes your account information, Agent configurations, package records, and API logs.

10.5 Restriction of Processing

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of your data or when processing is no longer necessary but you need the data for legal claims.

10.6 Objection

You have the right to object to our processing of your personal information for analytics and improvement purposes. To exercise this right, email .

10.7 Withdrawal of Consent

Where our processing of your information is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

10.8 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing for making a privacy request.

10.9 Exercising Your Rights

To exercise any of these rights, contact us at . We will verify your identity before processing any request to protect against unauthorized access. We will respond to all verified requests within thirty (30) days.

11. California Privacy Rights (CCPA/CPRA)

11.1 Categories of Personal Information

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information. In the preceding twelve (12) months, we have collected the following categories of personal information:

• Identifiers: name, email address, phone number, physical address, IP address, account name
• Personal information under Cal. Civ. Code 1798.80(e): name, address, phone number, financial information (payment method)
• Biometric information: facial geometry data (processed by Stripe Identity for KYC verification only, not stored by us after verification)
• Internet or electronic network activity: browsing history on our site, API usage logs, interaction with the Platform
• Geolocation data: approximate location derived from IP address
• Professional or employment-related information: only if voluntarily provided during registration

11.2 Your California Rights

As a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell (we sell none)
• Delete your personal information (subject to legal exceptions)
• Opt out of the sale of your personal information (we do not sell personal information, so no opt-out is necessary, but you may still submit a request)
• Opt out of sharing for cross-context behavioral advertising (we do not share for this purpose)
• Correct inaccurate personal information
• Limit use and disclosure of sensitive personal information to what is necessary for the services
• Non-discrimination for exercising your CCPA/CPRA rights

11.3 Authorized Agents

California residents may designate an authorized agent to submit privacy requests on their behalf. Authorized agents must provide written authorization from the consumer and verify their own identity. We may deny requests from agents who cannot provide adequate proof of authorization.

11.4 California Consumer Complaint

Pursuant to California Civil Code §1789.3, California residents may contact the Complaint Assistance Unit of the Division of Consumer Services at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

11.5 Shine the Light

Under California Civil Code §1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated in this Policy, we do not disclose personal information to third parties for their direct marketing purposes.

12. International Users

12.1 Data Location

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

12.2 GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

• Legal basis: We process your personal data based on contractual necessity (to provide the services you requested), legitimate interests (security, fraud prevention, service improvement), legal obligations (KYC, sanctions screening, law enforcement cooperation), and consent (where applicable, such as for analytics cookies)
• Data transfers: Transfers of personal data from the EEA to the United States are conducted in compliance with applicable data transfer mechanisms
• Data Protection Officer: For GDPR-related inquiries, contact
• Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority

13. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at .

14. Data Breach Notification

14.1 Our Commitment

In the event of a data breach that compromises your personal information, we will:

• Notify affected individuals via email within seventy-two (72) hours of discovering the breach, or as soon as reasonably practicable
• Notify applicable regulatory authorities as required by law
• Provide a clear description of what happened, what information was involved, what we are doing to address it, and what steps you can take to protect yourself
• Offer appropriate remediation, which may include credit monitoring services for breaches involving sensitive personal information

14.2 Incident Response

We maintain a documented incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. Our response team is trained and prepared to act swiftly in the event of a breach.

15. Aggregated and Anonymized Data

15.1 Use of Aggregated Data

We may create aggregated, anonymized, or de-identified data from your personal information. This data cannot reasonably be used to identify you. We may use aggregated data for:

• Service improvement and feature development
• Industry reports and benchmarking (e.g., average package volumes, carrier distribution statistics)
• Training and improving AI models used in the Platform
• Marketing and promotional materials (only aggregate statistics, never individual data)

15.2 Opt-Out of Aggregated Data Use

You may opt out of having your data included in aggregated datasets by emailing with the subject "Opt-Out: Aggregated Data." We will honor your request within thirty (30) days.

16. Agent and API Data

This section applies to all Members, as AI agents are the primary operators of the Platform. Your OpenClaw agent makes autonomous decisions about packages (forward, store, scan, discard) based on rules you configure.

16.1 Agent Profile Data

Agent profiles hosted at [agent-slug].mailbox.bot may be publicly accessible. Information you include in an Agent's profile (name, description, capabilities, protocol endpoints) is visible to anyone who accesses the profile URL. Do not include sensitive personal information in Agent profiles. Endpoint Reference Codes are operational identifiers, not personal data.

16.2 API Data

Data transmitted through the API (including package data, webhook payloads, and mail content) is encrypted in transit and at rest. API access logs are retained for twelve (12) months. We do not inspect, read, or analyze the content of your API requests beyond what is necessary to provide the service and ensure security.

16.3 Agent Decision Logs

Agent decision logs — including which rules triggered, what actions were taken, and the package context at the time of each decision — are available to the Account Holder via the mission control dashboard and API. Decision logs are retained for the duration of your account plus five (5) years.

16.4 Webhook Security

Webhook payloads are signed with your webhook secret to allow you to verify their authenticity. We recommend always verifying webhook signatures. Webhook delivery logs (excluding payload content) are retained for twelve (12) months.

17. Package and Logistics Privacy

17.1 Exterior Photography

We photograph the exterior of all packages received at our Facilities for documentation and verification purposes. These photographs are accessible only to you (the Member) and authorized Company personnel.

17.2 Content Scanning

We will never open or scan the contents of your packages unless you explicitly request a Content Scan. Content Scan images are stored with the same encryption and access controls as all other data on the Platform. Content Scan data is accessible only to you and authorized Company personnel.

17.3 Outbound Document Content

When you send outbound documents through the Platform, the document content is transmitted to our fulfillment provider for printing and delivery. We do not retain copies of outbound document content after successful delivery to the fulfillment provider, except for delivery status tracking metadata.

17.4 Facility Location Privacy

We take measures to limit public exposure of Facility addresses. The shipping portal (ship.mailbox.bot) does not display the physical Facility address to senders. However, facility locations may become known through carrier tracking information or other means beyond our control. Reference Codes are operational identifiers and do not constitute address assignments.

18. Changes to This Privacy Policy

18.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Privacy Policy on this page with a new "Last Updated" date
• Notify you via email at least thirty (30) days before the changes take effect
• Provide a summary of material changes
• For significant changes affecting your rights, give you the opportunity to review and consent before the changes take effect

18.2 Continued Use

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms. If you disagree with any changes, you may terminate your account before the effective date.

19. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Golden Ratio, LLC dba Mailbox.bot
Privacy Inquiries
3556 S 5600 W, Suite #1-1038
Salt Lake City, UT 84120
Email:
General Support:

We will acknowledge receipt of all privacy-related inquiries within two (2) business days and provide a substantive response within thirty (30) days.