Plain English summary: Houdininbox is built to collect as little data as possible. Your temporary inbox exists only in memory and is deleted after 10 minutes. We never write email content to disk, never create user profiles, and never sell your data. The only personal data we process relates to advertising cookies — and only with your consent.
1. Who we are
Houdininbox.com ("Houdininbox", "we", "us", "our") is a free disposable email service operated as an independent project based in Madrid, Spain.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD), we are the data controller for any personal data processed through this website.
2. What data we collect
2.1 Data we do NOT collect
- Your name, email address or any identity information
- Account credentials — there are no accounts
- The content of emails passing through your temporary inbox (stored in-memory only, never on disk)
- Your precise location
- Any data sold or shared with data brokers
2.2 Data collected automatically
| Data type | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address | Server logs, abuse prevention, Cloudflare infrastructure | Legitimate interest (Art. 6(1)(f) GDPR) | Up to 24 hours in Cloudflare logs |
| Temporary email content | Core service delivery — displaying inbound emails | Legitimate interest / service provision | Maximum 10 minutes — deleted automatically from RAM |
| Browser/device type | Analytics (if consented), service optimisation | Consent (Art. 6(1)(a) GDPR) | As per analytics provider policy |
| Consent preference | Remembering your cookie choice | Legal obligation / legitimate interest | 12 months, stored locally in your browser |
2.3 Data collected via cookies (with consent only)
If you accept cookies, Google AdSense may collect your IP address, browser information and browsing behaviour for the purpose of serving personalised advertisements. This data is processed by Google LLC under their own privacy policy. See Section 4 and 5 for full details.
3. Why we collect it (legal bases)
| Processing activity | Legal basis under GDPR |
|---|---|
| Delivering the temporary email service | Legitimate interest — Art. 6(1)(f) |
| Cloudflare infrastructure and DDoS protection | Legitimate interest — Art. 6(1)(f) |
| Serving personalised advertisements via Google AdSense | Consent — Art. 6(1)(a) |
| Serving non-personalised advertisements | Legitimate interest — Art. 6(1)(f) |
| Website analytics | Consent — Art. 6(1)(a) (if Google Analytics used); or Legitimate interest if privacy-first analytics (Plausible/Umami) |
| Preventing fraud and abuse | Legitimate interest — Art. 6(1)(f) |
4. Cookies
Strictly necessary cookies (no consent required)
| Cookie | Purpose | Duration |
|---|---|---|
| houdininbox_gdpr_v1 | Stores your cookie consent preference (accepted / declined) | 12 months (localStorage) |
Optional cookies (require consent)
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| Google AdSense cookies (various) | Google LLC | Ad personalisation, frequency capping, conversion tracking | Up to 13 months |
| Google Analytics cookies (if used) | Google LLC | Website traffic analytics | Up to 24 months |
You can withdraw your cookie consent at any time by clicking "Cookie preferences" in the website footer. You can also manage or delete cookies directly in your browser settings. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
5. Advertising
Houdininbox is funded by advertising. We use Google AdSense to display ads. Google AdSense may use cookies and similar tracking technologies to serve ads based on your prior visits to our site and other sites across the internet.
If you accept cookies: Google may serve personalised ads based on your interests and browsing history.
If you decline cookies: We request that Google serves non-personalised ads only. These are based on contextual content rather than your personal browsing history. Non-personalised ads still generate revenue that supports the free service.
Google's use of advertising cookies is governed by Google's own privacy policy, available at policies.google.com/privacy. You can opt out of Google's personalised advertising at adssettings.google.com.
6. Data retention
- Temporary email content: Held exclusively in RAM (Redis in-memory database). Automatically deleted after 10 minutes. Never written to disk. Cannot be recovered after deletion.
- Temporary email addresses: Deleted from memory simultaneously with inbox content.
- IP addresses in Cloudflare logs: Retained for up to 24 hours for security purposes, then purged automatically by Cloudflare's systems.
- Cookie consent preference: Stored in your browser's localStorage for 12 months, then expires. Stored locally on your device — we do not transmit this data to our servers.
- Advertising and analytics data: Retained according to Google's own data retention policies (typically up to 26 months for analytics, up to 13 months for ad cookies).
7. Who we share data with
We do not sell, rent or trade your personal data. We share data only with the following service providers, solely to operate the service:
| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, DDoS protection, Email Routing | USA (EU data centres used) | Standard Contractual Clauses; Cloudflare DPA |
| Google LLC | AdSense advertising (consent-based only) | USA | Standard Contractual Clauses; Google's EU privacy framework |
| Railway / Fly.io | Backend hosting (in-memory processing only) | EU region preferred | Provider DPA; no persistent personal data stored |
All international transfers to the USA are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46 GDPR.
8. Your rights under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
To exercise any right, contact us at privacy@houdininbox.com. We will respond within 30 days as required by GDPR. Given the minimal data we hold, most requests will confirm there is little or no personal data to action.
If you are unsatisfied with our response, you have the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos) at www.aepd.es.
9. Children's privacy
Houdininbox is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data through our service, please contact us at privacy@houdininbox.com and we will take appropriate action.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
Continued use of Houdininbox after changes are posted constitutes acceptance of the updated policy, to the extent permitted by applicable law.
11. Contact us
For any privacy-related questions, requests to exercise your rights, or concerns about our data practices: