Terms of Service

Purple Box (UK) Ltd trading as EmailsThreatScan · Company No. 08212295

This is a legal agreement between you (“User”) and Purple Box (UK) Ltd trading as EmailsThreatScan (“Company”, “we”, “us”). By accessing or using the Service, you agree to be bound by these Terms. If you do not agree, you must stop using the Service immediately.

1. Acceptable Use Policy

You agree to use this Service only for lawful purposes. Specifically:

  1. You must be the authorised recipient or owner of the emails you analyse.
  2. You must not upload personally identifiable information (PII) of third parties without consent, except for security investigation purposes permitted by law.
  3. You must not use this Service to reverse-engineer our detection logic or to test your own spam or phishing campaigns against our filters (adversarial testing).
  4. You must not use automated scripts or bots to abuse rate limits or overload our systems.
  5. You must not use the Service to programmatically scan bulk email data to build competing databases, train AI models, or create derivative intelligence products. Violation of this clause constitutes grounds for immediate termination without refund.

2. Data Privacy & AI Processing

Unlike free tools that monetise your data, EmailsThreatScan pays for Commercial Enterprise APIs for every analysis — Free or Paid. This guarantees that your email headers and metadata are never used to train public AI models. We treat your data as confidential forensic evidence.

Third-Party AI Subprocessors. Analysis is performed using third-party AI models (e.g., Google Gemini, OpenAI GPT). We enforce enterprise-grade data processing agreements with all providers. In the event a subprocessor materially changes its data handling policies, we will notify you within 30 days and provide the option to terminate your subscription.

Aggregate & Anonymised Data. We may collect and use fully anonymised, aggregate analytics (e.g., total analyses processed, threat category trends, system performance metrics) for research, product improvement, and public reporting. This data cannot be linked to any individual or organisation.

3. Data Retention & GDPR Compliance

Analysis Logs. Analysis records are retained for a minimum of 30 days. We reserve the right to adjust retention periods at any time as part of service improvements or compliance requirements. You may manually delete individual records at any time from your Dashboard.

Account Data. Account information is retained until you request deletion via your Dashboard or by emailing [email protected].

Your Rights (UK GDPR). You have the right to access, rectify, erase, or export your personal data at any time. Contact us to exercise these rights.

Data Breach Notification. In the unlikely event of a data breach affecting your personal data, we will notify affected users within 72 hours in accordance with UK GDPR Article 33, and provide information on recommended mitigation steps.

4. Credits & Usage

Individual Analysis. Each email you manually analyse or submit via drag-and-drop consumes 1 credit from your monthly allocation.

Intelligent Batch Analysis. To maximise the value of your credits, emails received via connected mailboxes are processed using our intelligent batch triage system. This system screens multiple emails simultaneously at a fraction of the cost of individual analysis — currently less than 1 credit per email. Emails flagged during triage are escalated for full individual analysis automatically. The batch credit rate is set by the Company and may be adjusted to reflect improvements in efficiency or changes in third-party processing costs.

Credit Reset & Visibility. Your credit usage is visible in real-time on your Dashboard. Credits reset on your billing cycle date. Unused credits do not carry over to the following period.

5. Connected Mailbox Monitoring

Paid plans allow you to connect email accounts for continuous automated monitoring. By connecting a mailbox, you acknowledge and agree to the following:

Permissions Granted. The Service connects via OAuth2 and requests the minimum permissions required to monitor, flag, and take action on emails. For Microsoft 365, this includes read and write access to your mailbox (Mail.ReadWrite). For Google Workspace (when available), this includes permission to read, label, and move emails (gmail.modify). These permissions are necessary for threat detection, quarantine, and revert capabilities.

What We Access. Email headers, metadata, sender details, authentication results, and body snippets for AI-powered threat analysis. We process email body content for analysis purposes only — no email content is stored permanently beyond what is necessary for your analysis history.

Disconnection. You may disconnect any mailbox at any time from your Dashboard. Disconnection immediately stops monitoring and revokes our access token. The Service currently supports Microsoft 365. Google Workspace support is coming soon.

Processing Timing. Mailbox monitoring operates on a periodic sync schedule rather than in real-time. The time between an email arriving in your inbox and our analysis completing depends on your sync frequency and current queue position. While we optimise for speed, this is not an instant protection layer — it is a continuous background audit designed to catch threats that may have bypassed your existing filters.

Plan Limits. The number of mailboxes you may connect depends on your subscription plan. Exceeding your limit may result in monitoring being paused for the excess mailboxes until you upgrade or disconnect.

6. Safe Link Protection

How It Works. URLs found in flagged emails are rewritten to pass through our security gateway. When you click a rewritten link, the gateway performs real-time scanning of the destination URL before redirecting you.

Link Expiry. Rewritten links are valid for a limited period from creation. After this period, an informational page is shown instead of the redirect. The Company reserves the right to adjust the validity period.

Fail-Closed Design. If our security gateway is unreachable for any reason, the original URL is not accessible via the safe link. This is a deliberate security decision to protect you from unscanned destinations.

Business Branding. Business plan subscribers may customise the safe link interstitial page with their own branding.

7. Revert & Undo Actions

The Revert feature allows you to reverse automatic actions taken on false positives — for example, moving a quarantined email back to your inbox.

How It Works. To revert an action, forward the notification email to the unique revert address provided. Our system processes the request and uses your email provider's API to move the email back.

No Guarantee. Revert depends on the email still existing and the provider accepting the request. The Company is not liable for any consequences arising from reverting an email that is subsequently determined to be genuinely malicious.

Controls. Revert can be disabled per-mailbox or globally in your settings. All revert actions are logged for audit purposes.

8. Organisation & Team Features

Business plans may enable organisation-wide monitoring across a Microsoft 365 tenant.

Consent Requirement. The person connecting the organisation must have explicit consent from an authorised representative of that organisation (e.g., IT Administrator, Data Protection Officer, or Company Director). You warrant that you have obtained the necessary authority to connect the organisation's email environment to this Service.

Data Visibility. Organisation data — including member lists, connected mailboxes, and analysis results — is visible to the organisation administrator.

Data Processor Role. When operating in organisation mode, Purple Box (UK) Ltd acts as a Data Processor on behalf of the organisation (the Data Controller), in accordance with UK GDPR Article 28. It is the organisation's responsibility to ensure compliance with data protection obligations toward its members.

9. Custom Security Rules

Business plan subscribers may define custom rules that automate email classification based on conditions they configure (e.g., domain allow/block lists, keyword patterns).

  1. Rules execute automatically before AI analysis and do not consume credits.
  2. The Company is not liable for unintended consequences of misconfigured rules, including false clearances of malicious emails or incorrect quarantine of legitimate emails.
  3. You are responsible for testing and maintaining your custom rules.

10. API Usage Terms

If you subscribe to the Business Plan with API access, you agree to:

  1. Rate Limits. API requests are limited to your plan's monthly allocation. Exceeding limits may result in throttling or temporary suspension.
  2. Authentication. You are responsible for keeping your API keys secure. Do not share them publicly or embed them in client-side code.
  3. Commercial Use. You may use the API for commercial purposes within your own applications, but you may not resell raw API access to third parties.
  4. Attribution. If you integrate our API into a public-facing product, you must provide attribution (e.g., “Powered by EmailsThreatScan”).

11. Account Termination

We reserve the right to suspend or terminate your account immediately if:

  1. You violate the Acceptable Use Policy (Section 1);
  2. You engage in fraudulent activity or payment disputes;
  3. You abuse API rate limits or attempt to overload our systems;
  4. You connect an organisation without proper authorisation (Section 8);
  5. We are required to do so by law or court order.

Upon termination, your access will be revoked immediately. No refunds will be issued for violations.

12. Disclaimer of Warranties & Limitation of Liability

The Service is provided “as is” and “as available”. The Company makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties, including without limitation, implied warranties or conditions of merchantability or fitness for a particular purpose.

Forensic Limitation. False positives and false negatives are possible in any detection system. You should never rely solely on this tool for critical security decisions. Always verify results manually.

Automated Decision Disclaimer. Where the Service makes automated classifications (e.g., “Dangerous”, “Suspicious”, “Safe”), these are machine-generated opinions, not definitive security determinations. You retain full responsibility for the final action taken on any email.

Consequential Damages. In no event shall the Company be liable for any consequential, incidental, indirect, special, or punitive damages including, but not limited to, loss of data, business interruption, or loss of profits arising out of or related to a failure to detect a threat (false negative) or a false identification of a legitimate email (false positive).

Maximum Liability. The Company's total aggregate liability arising out of or related to these Terms shall not exceed the total fees paid by you during the twelve (12) months preceding the claim. This is standard practice across the software industry to ensure fair and sustainable service.

13. Indemnification

You agree to indemnify, defend, and hold harmless Purple Box (UK) Ltd, its officers, directors, employees, and agents from and against any and all claims, damages, obligations, losses, liabilities, costs, or debt arising from:

  1. Your use or misuse of the Service;
  2. Your violation of these Terms;
  3. Your violation of any third-party rights, including privacy or intellectual property rights;
  4. Actions taken (or not taken) based on the Service's automated classifications.

14. Free Tier & AI Model Availability

Access to the AI Analysis engine on the Free Tier is provided on a “best-effort” basis. During periods of high system load, priority is given to Pro and Business subscribers. Free users may experience temporary unavailability, queueing, or slower processing speeds.

We guarantee AI resource allocation only for paid subscriptions. The AI model used for analysis may vary by subscription tier. AI model selection is at the Company's sole discretion and may change without notice.

15. Subscriptions, Payments & Refunds

Services are billed in advance on a monthly or yearly basis.

Cancellation. You may cancel at any time via your Dashboard or Stripe Billing Portal. Your access will continue until the end of your current billing period.

Fair Refund Guarantee. We offer a fair, usage-based refund policy for all paid plans with no time limit. Upon cancellation, a refund is automatically calculated as: Refund = Subscription Price × (100% − Credits Used%). Credits consumed by batch mailbox analysis (Section 4) are counted toward usage. If you have not used any credits, you receive a full refund.

Price Changes. We reserve the right to change pricing with 30 days' notice. Existing subscribers will be grandfathered at their current rate for the remainder of their billing cycle.

16. Changes to These Terms

We may update these Terms from time to time. If we make material changes, we will notify you via email and/or a prominent notice on our website. Your continued use of the Service after changes take effect constitutes acceptance of the revised Terms.

17. Force Majeure

Neither party shall be liable for failure or delay in performance due to causes beyond reasonable control including, but not limited to: acts of God, pandemic, government action, cyberattack against the Company's infrastructure, power failure, natural disaster, or failure of third-party service providers (including AI and cloud infrastructure providers).

18. Intellectual Property

All algorithms, detection logic, signature databases, AI prompts, security rules templates, and proprietary scanning methods remain the exclusive intellectual property of Purple Box (UK) Ltd. Use of the Service grants no licence to the underlying technology. You may not decompile, reverse-engineer, or otherwise attempt to derive the source code of any part of the Service.

19. Export Control

The Service may incorporate encryption and security technologies subject to export control regulations. You agree not to use, export, or re-export the Service in violation of applicable export laws of the United Kingdom, European Union, or any other jurisdiction.

20. General Provisions

Severability. If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will remain in full force and effect.

Entire Agreement. These Terms, together with our Privacy Policy, constitute the entire agreement between you and the Company regarding the use of the Service. No oral or written statement not set forth herein shall be binding.

No Waiver. The Company's failure to enforce any right or provision of these Terms will not be considered a waiver of those rights. Any waiver will be effective only if in writing and signed by the Company.

21. Governing Law

These Terms are governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Purple Box (UK) Ltd · Company No. 08212295 · Registered Office: 77 Commercial Street, London, England, E1 6BD · [email protected]