Privacy Policy
Effective Date: April 12, 2026
CELVIRO TECHNOLOGY LIMITED ("CELVIRO", "we", "us", or "our"), a company incorporated in Hong Kong, operates the ZibPost email hosting platform and related services (the "Services"). This Privacy Policy explains how we collect, use, store, and share your personal information when you use our Services. Please read this policy carefully.
If you have any questions, please contact us at [email protected].
1. Data Controller
CELVIRO is the data controller for personal information collected through the Services. When a Tenant (as defined in our Terms of Service) creates mailbox accounts for End Users, the Tenant acts as a data controller (or joint controller) for End User data, and CELVIRO acts as a data processor on behalf of the Tenant.
2. Personal Information We Collect
2.1 Registration Information
When you sign up for the Services, we collect:
- Email address (used as login credential);
- Company or organization name (optional);
- Password (stored in hashed, encrypted form — we cannot read your password).
2.2 Payment Information
Payments are processed by third-party providers (Stripe and PayPal). We do not directly store credit card numbers or bank account details. We receive transaction identifiers and billing status from these providers to manage your subscription.
2.3 Email Content
When you use the Services, we store and process the emails you send and receive, including message bodies, attachments, headers, metadata (sender, recipient, timestamps), contacts, and calendar entries.
2.4 Technical Data
We automatically collect:
- IP addresses;
- Browser type and version;
- Device information;
- Login timestamps;
- Access logs.
2.5 Usage Data
We collect aggregated usage statistics, including:
- Email sending and receiving volumes;
- Bounce and rejection rates;
- Storage usage;
- Feature usage patterns (anonymized).
3. How We Use Your Information
We use your personal information to:
- Provide, maintain, and improve the Services;
- Process and deliver your emails;
- Manage your account and subscriptions;
- Process payments;
- Detect and prevent spam, fraud, and abuse;
- Provide customer support;
- Send service-related notifications (e.g., quota warnings, security alerts);
- Comply with legal obligations;
- Analyze anonymized usage data to improve the platform.
4. How We Handle Email Content
Your email privacy is fundamental to our service. We commit to the following principles:
- We do not read your emails. No CELVIRO employee accesses the content of your emails unless required by law or explicitly requested by you for technical support purposes.
- AI Anti-Spam scanning is automated. Our AI anti-spam system performs automated, machine-based analysis of outbound emails to detect spam and policy violations. This is a fully automated process — no human reviews the content.
- We do not use email content for advertising or profiling. Your emails are never analyzed for the purpose of serving advertisements, building user profiles, or targeting marketing campaigns.
- We do not use email content for AI model training. Content processed by our AI features is used solely for real-time filtering and is not retained for training purposes.
5. Data Storage and Location
Your data is stored in the following locations:
| Data Type | Storage Location |
|---|---|
| Account data, metadata, logs | Tokyo, Japan (PostgreSQL) |
| Email messages and attachments | Cloudflare R2 (globally distributed) |
| Full-text search indexes | Tokyo, Japan |
| Transient data (rate limits, sessions) | Tokyo, Japan (Redis) |
By using the Services, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence, including Japan and the locations where Cloudflare operates its infrastructure.
6. Data Sharing
We do not sell your personal information.
We share personal information only in the following circumstances:
- Service providers: We share data with trusted third-party providers who help us deliver the Services, including Cloudflare (infrastructure and storage), Stripe (payment processing), and PayPal (payment processing). These providers are contractually obligated to protect your data.
- Tenant administrators: If your mailbox account was created by a Tenant, the Tenant's administrator can manage your account, reset your password, and view account metadata. The Tenant is responsible for their use of your data under their own privacy policies.
- Resellers: If a Tenant's account is managed by a Reseller, the Reseller may access limited management data (e.g., account status, storage usage) but does not have access to email content.
- Law enforcement: We may disclose personal information when required by law, regulation, legal process, or enforceable governmental request. We will endeavor to notify you before doing so, unless prohibited by law.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Retained for the duration of the account |
| Deleted account data | Permanently removed within 30 days of deletion |
| Audit logs | 90 days |
| IP login records | Up to 1 year |
| Payment records | As required by applicable tax and financial regulations |
8. Cookies and Local Storage
The Services use the following browser storage mechanisms:
- Authentication tokens: JWT tokens stored in localStorage to maintain your login session.
- Language preference: Your selected language is saved in localStorage.
We do not use:
- Third-party tracking cookies;
- Advertising cookies or pixels;
- Analytics cookies from third-party services (e.g., Google Analytics).
9. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Providing the Services (sending, receiving, storing emails) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| AI anti-spam filtering of outbound emails | Legitimate interest (Art. 6(1)(f)) — preventing abuse and protecting platform reputation |
| Security logging and fraud detection | Legitimate interest (Art. 6(1)(f)) — ensuring service security |
| Sending service-related notifications | Legitimate interest (Art. 6(1)(f)) — informing users of important account events |
| Responding to law enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Analyzing anonymized usage data for platform improvement | Legitimate interest (Art. 6(1)(f)) — improving service quality |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that your rights and freedoms are not overridden. You have the right to object to processing based on legitimate interest at any time by contacting [email protected].
10. Automated Decision-Making
The Services use automated processing in the following ways:
- AI Anti-Spam Filtering: Outbound emails are automatically analyzed by our AI system to detect spam and policy violations. Emails identified as spam may be blocked from delivery without human review. This automated processing is necessary for the performance of our contract with you and to protect the legitimate interests of all users on the platform.
- Rate Limiting: Automated systems monitor sending volumes and may temporarily throttle or suspend email delivery when Plan quotas are exceeded.
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe your email was incorrectly blocked by our automated systems, you may request a human review by contacting [email protected].
11. Sub-processors
We engage the following third-party sub-processors to help deliver the Services. Each sub-processor is contractually required to protect your data to standards consistent with this Privacy Policy:
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, R2 object storage (email & attachments) | Global |
| Stripe, Inc. | Payment processing | United States / EEA |
| PayPal Holdings, Inc. | Payment processing | United States / EEA |
We will notify Tenants of any changes to our sub-processor list. If you object to a new sub-processor, you may terminate your subscription by contacting [email protected].
12. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of the personal information we hold about you;
- Correction — Request correction of inaccurate personal information;
- Deletion — Request deletion of your account and all associated data;
- Data portability — Request a machine-readable export of your data;
- Withdraw consent — Where processing is based on consent, withdraw it at any time;
- Object — Object to processing of your data for specific purposes;
- Restrict processing — Request that we limit how we process your data;
- Lodge a complaint — If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days (or within the time frame required by applicable law). We may require identity verification before processing your request.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:
Categories of Personal Information Collected
- Identifiers: Email address, name, IP address, account credentials;
- Commercial information: Subscription and payment history;
- Internet or network activity: Login logs, browser type, access patterns;
- Electronic communications: Email content and metadata processed through the Services.
Your California Rights
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, or provide a different level of service because you exercise your rights.
We Do Not Sell or Share Personal Information
CELVIRO does not sell your personal information as defined by the CCPA/CPRA. We also do not share your personal information for cross-context behavioral advertising purposes.
To exercise your California privacy rights, contact us at [email protected]. You may also designate an authorized agent to make a request on your behalf.
14. Children's Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
15. International Data Transfers
As our servers are located in Japan and our infrastructure spans multiple regions, your data may be transferred to and processed in countries with different data protection laws than your own. We take appropriate measures to ensure that your data is protected in accordance with this Privacy Policy, regardless of where it is processed.
For users in the European Economic Area (EEA) or the United Kingdom, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection of your data when transferred outside the EEA/UK.
16. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS encryption for all data in transit;
- Encrypted storage for passwords (bcrypt hashing);
- Access controls limiting data access to authorized personnel only;
- Firewall protection and intrusion detection;
- Regular security reviews and updates.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be posted on this page with a revised effective date. If we make material changes, we will make reasonable efforts to notify you (e.g., via email or a notice on our website).
Continued use of the Services after changes are posted constitutes your acceptance of the revised policy.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:
- Email: [email protected]
- General support: [email protected]
- Company: CELVIRO TECHNOLOGY LIMITED, Hong Kong
© 2026 CELVIRO TECHNOLOGY LIMITED. All rights reserved.