1. Who We Are

Peerborough, Inc. provides the following services:

• SigninID: A secure email address service for sign-ups, featuring WebAuthn/Passkey authentication, email aliases (3 free, 100 Pro), email receiving/sending, and sensitive information masking.
• SigninID Sandbox: An email testing sandbox for developers and QA teams, offering SMTP server (STARTTLS/Implicit TLS), REST API v1, Webhook support, automatic OTP detection, and spam/security analysis.

For inquiries, please contact us at support@peerborough.com.

2. Scope

This Privacy Policy applies to the following services:

• SigninID: https://signinid.com
• SigninID Sandbox: https://app.signinid.com

3. Information We Collect

3.1 Information You Provide

• Account information: email address, password (PBKDF2 hashed), display name
• Email content: incoming/outgoing emails for SigninID service
• Test email content: test emails for SigninID Sandbox
• Payment information: processed by Paddle
• Support communications

3.2 Information Collected Automatically

• Device and browser information: device type, model, vendor, OS name/version, browser name/version
• IP address and geolocation: IP address, country, region, city, latitude/longitude, timezone
• Usage data and logs
• Cookies: for authentication and preferences

3.3 SigninID-Specific Data

• WebAuthn/Passkey credentials: credential ID, device type, counter, transport methods
• Email alias configurations
• Incoming email metadata and content: headers (From, To, Cc, Bcc, Reply-To, etc.), subject, body (HTML/text), attachments
• Authentication logs (14 days for free tier)
• Session tokens: access token, refresh token, privilege token
• Device ID (nanoid generated)
• Sender domain analysis

3.4 SigninID Sandbox-Specific Data

• SMTP credentials (AES-256-GCM encrypted)
• API keys (bcrypt hashed)
• Test email content: inbox and sent emails (from, to, cc, bcc, subject, body, attachments)
• Webhook configurations and delivery logs (request/response)
• OTP detection results
• Spam analysis results: spam score and verdict (via rspamd), SPF/DKIM/DMARC verdicts, virus verdict
• Message ID, reply headers, read status, timestamps

4. How We Use Information

We use the collected information for the following purposes:

• Service provision and account management
• Membership maintenance and fraud prevention
• Authentication and security
• Email processing and delivery
• SigninID Sandbox: email testing environment, SMTP sandbox operation, OTP detection, spam analysis
• Analytics and service improvement (SigninID: Google Analytics)
• Legal compliance
• Customer support
• Contract and invoice delivery

5. Third-Party Services

5.1 Data Processing Delegation

• Supabase: Database and authentication (SigninID Sandbox)
• AWS: Email storage and delivery
• Paddle: Payment processing (Merchant of Record)
• Google Analytics: Website analytics (SigninID only)

5.2 Payment Provider (Paddle)

Paddle acts as our Merchant of Record (authorized reseller) for payment processing. Paddle collects personal data for:

• Transaction processing
• Product delivery
• Invoice submission

Payment card data is processed and stored by Paddle, not by us. Users consent to receiving electronic receipts and invoices. For details on how Paddle handles payment data, see Paddle's Privacy Policy.

6. Data Sharing and Disclosure

We may share Your information in the following situations:

• With service providers: for hosting, payment processing, and analytics
• Legal requirements: when required by law
• Business transfers: in connection with mergers, acquisitions, or asset sales

We do not sell Your personal data.

7. Data Retention

The Company retains collected personal data for the period necessary to fulfill the purposes of service provision, and where retention is required by applicable laws, for the period specified by such laws. The display period shown to users may differ from the actual retention period.

SigninID (User Display Period)

• Account data: until account termination
• Email data: during the service period
• Auth logs: 14 days (Free), extended (Pro)
• Free accounts: automatic deletion after 4 weeks of inactivity

SigninID Sandbox (User Display Period)

• Account data: until account termination
• Email data: 1 day (Free), 7 days (Pro), 30 days (Team), 90 days (Enterprise)
• Webhook logs: until account termination
• API keys: until revocation request

Notwithstanding the above, the Company may retain relevant information permanently as necessary for service operation, dispute resolution, and compliance with legal obligations.

8. Security

We implement the following security measures to protect Your data:

• Encryption in transit (TLS)
• Encryption at rest: passwords (PBKDF2), SMTP credentials (AES-256-GCM), API keys (bcrypt)
• Database access controls
• Intrusion prevention systems for external access control

Users are responsible for maintaining the security of their own devices.

9. International Data Transfers

Your information may be processed on AWS servers located internationally. Data protection laws in those locations may differ from Your jurisdiction. We apply appropriate safeguards, such as standard contractual clauses, where applicable.

By consenting to this Privacy Policy and submitting Your information, You agree to such transfers.

10. Your Rights

You have the following rights regarding Your personal data:

• Right to access
• Right to correction
• Right to deletion
• Right to restrict processing
• Right to data portability
• Right to withdraw consent

To exercise Your rights, please contact us at support@peerborough.com. We will respond to Your request without undue delay.

11. Cookies

We use cookies to provide personalized services to You.

• Essential cookies: Required for authentication and service provision
• Functionality cookies: For language and preference storage
• Analytics cookies: Google Analytics on SigninID (SigninID Sandbox does not use external analytics)

Cookie management: You can refuse cookies through Your browser settings (Tools - Internet Options - Privacy). However, refusing cookies may limit Your ability to use certain features of our Service.

12. Your Responsibilities

Users must comply with the following:

• Lawful use of email services
• No spam, phishing, or illegal content
• SigninID Sandbox: test data only (users are responsible if real personal data is used)

13. Children

Our Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from anyone under 16. If You are a parent or guardian and become aware that Your child has provided Us with personal data, please contact Us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify You of material changes via email or through a notice on Our Service. The updated Privacy Policy will be posted on this page.

Your continued use of the Service after any changes constitutes Your acceptance of the updated Privacy Policy.

This Privacy Policy is effective as of January 17, 2026.

15. Contact Us

If you have any questions about this Privacy Policy, You can contact us: