Any message sent to Flashbox can be read by any user.
Every inbox on Flashbox is available to the public.
There are no passwords.
This is by design. The non-security of Flashbox is its main feature. Therefore:
Do not send any information to Flashbox that you would consider personal or private. Even if you are constantly monitoring the Flashbox inbox you gave to the third party website/app, it is extremely likely that someone else could be watching that inbox as well. Treat Flashbox as if someone else were watching over your shoulder at all times.
While inbox aliases are meant to be a layer of obfuscation to the real e-mail address in flashbox.5july.org, you should be aware that the algorithm which converts from real addresses to inbox aliases, and vice versa, is public (because we're open source), and can be easily reverse engineered by a determined individual.
Inbox aliases are fine for sending random website/app e-mails to, but again, please do not send any private, personal, confidential messages to an inbox alias; it is extremely likely that someone can and will figure out the true inbox that the message is delivered to.
Except for the emails sent to the inboxes, we have tweaked Flashbox to not log anything about our visitors or their behaviour. We therefore can't answer any questions about "what happened to my email" and similar.
We have turned off all calls to third party service providers such as Google and Adobe. Flashbox does not contact any other domain than flashbox.5july.org. However, when you open an HTML email in a Flashbox inbox, that email may contact several third party domains. We have no control over how the sender has designed the email.
Flashbox is run by the 5th of July Foundation in Sweden. We run the service on our own physical server, which is hosted by Bahnhof, the Swedish network operator notorious for standing up for free speech.