chobitmail

Privacy Policy

This English text is a convenience translation. The Japanese version is the official text and prevails in case of any conflict.

nanabit Inc. (“we”, “us”, or “our”) sets this Privacy Policy (this “Policy”) for how we handle user information in the email inbox service “chobitmail” (the “Service”).

Article 1 (Information we collect)

We collect the following information to provide the Service:

  1. Account information: On registration via GitHub we obtain the GitHub numeric user ID and login name. Wedo not obtain the email address, name, or other profile data stored on GitHub.
  2. API key information: We store hashes of issued API keys, identifiers, issue times, and status (active/disabled). We do not store plaintext keys.
  3. Received data: Contents of mail received by one-time addresses we issue (sender, subject, body, extracted links/codes, attachment metadata), retained only for the short period described below.
  4. Usage logs and metadata: Identifiers and expiry of one-time addresses, receive times, sender domains, API key ids, access times, etc.We do not log message bodies or authentication codes (OTP).
  5. Cookies: Session cookies for dashboard login, a language preference cookie, and short-lived cookies used during GitHub authentication (Article 7).

Article 2 (Purposes of use)

We use collected information for:

  1. Providing and operating the Service and authenticating users
  2. Enforcing quotas and billing management (if paid plans are offered)
  3. Detecting and investigating abuse and enforcing suspensions under the Terms of Service
  4. Debugging, improving the Service, and statistical analysis of usage
  5. Complying with law

We do not use information beyond what is necessary for these purposes. Because we do not obtain user email addresses, we do not (and cannot) contact you for advertising or marketing.

Article 3 (Received data)

By nature of the Service, received data may include personal information of users or third parties. We handle it as follows:

  1. Received data is deleted when the one-time address expires (typically within a few minutes; the exact cap is in the API reference) or when you delete it.
  2. We do not back up received data; deleted data cannot be restored.
  3. We do not view or use received data except to provide the Service (returning it to you via API and mechanical link/code extraction), unless investigating abuse or required by law.
  4. Attachment bodies are not stored; only metadata such as name and size is kept.
  5. We do not manually analyze received data or use it for advertising or other secondary purposes.

Article 4 (Sharing with third parties)

We do not provide collected information to third parties except:

  1. With the user’s consent
  2. When required by law (including lawful requests from investigative authorities)
  3. When necessary to protect life, body, or property and obtaining consent is difficult
  4. When providing the minimum information needed to address abuse that violates the Terms of Service to relevant service operators

Article 5 (External services / processors)

The Service relies on the following external services. Collected information is handled on their infrastructure:

  1. Cloudflare, Inc.: Infrastructure (servers, database, email receiving) and bot protection (Turnstile). Seehttps://www.cloudflare.com/privacypolicy/.
  2. GitHub, Inc.: OAuth for registration. Information we receive is as in Article 1(1). Seehttps://docs.github.com/site-policy/privacy-policies.

Article 6 (Retention)

  1. Account and API key information is retained until registration is cancelled.
  2. Received data retention is as in Article 3(1).
  3. Usage logs and metadata are retained up to 14 days for abuse investigation and stable operation, then deleted, unless extended for an ongoing investigation or legal obligation.

Article 7 (Cookies)

  1. The dashboard uses a session cookie (7-day lifetime, HttpOnly and Secure) to keep you signed in.
  2. We use a language cookie (1-year lifetime, HttpOnly and Secure) to remember your UI language preference.
  3. During GitHub authentication we use short-lived cookies to verify request legitimacy.
  4. Cloudflare may set technically necessary cookies for Turnstile when issuing API keys.
  5. We do not use advertising, behavioral tracking, or third-party analytics cookies.
  6. If cookies are disabled, some features including dashboard login will not work.

Article 8 (Security measures)

To prevent leakage, loss, or damage of collected information, we:

  1. Store API keys hashed, never in plaintext
  2. Do not log message bodies or authentication codes
  3. Isolate received data per user so others cannot access it
  4. Encrypt traffic with TLS

Article 9 (Access, correction, deletion)

  1. Under Japan’s Act on the Protection of Personal Information, you may request disclosure, correction, suspension of use, or deletion of your personal data we hold. Contact the address at the end of this Policy.
  2. We may ask you to verify identity via your GitHub account.
  3. Received data may already be gone when you request it, because it is auto-deleted under Article 3.
  4. To delete your account, contact the same address; we will delete account and API key information.

Article 10 (Changes to this Policy)

  1. We may change this Policy for legal updates or service changes.
  2. The updated Policy applies when posted on the Service. For material changes we will give reasonable advance notice on the Service.

Article 11 (Contact)

For questions about this Policy or personal information handling, and for requests under Article 9, contact:

Effective date: July 18, 2026