Privacy Policy
This notice explains how Boxes may collect, use, store, protect and disclose personal data in connection with the Boxes locker service.
1. Controller and contact
The controller or operator for this service is Boxes. For privacy requests, security issues, access requests, deletion requests, rectification requests or objections, contact [email protected].
2. Data we collect
- Account and authentication data: locker number, email address, password hash, reset tokens, session data and related timestamps.
- Locker content: notes, uploaded files, filenames, metadata, MIME type, storage usage and update timestamps. Depending on the selected storage mode, some content may be stored in encrypted form.
- Technical and security data: IP address, request metadata, browser or device information, logs needed for authentication, abuse prevention, troubleshooting, rate limiting, diagnostics or security investigations.
- Contact data: information you submit through the contact form or by email, including your name, email address, subject and message.
3. Purposes and legal bases
Personal data may be processed to create and manage lockers, authenticate users, deliver stored content, provide password recovery, enforce limits and policies, protect the service, communicate with users, investigate abuse, comply with legal obligations, and maintain records needed for security or dispute handling.
- Contract / service delivery: creating lockers, authenticating users, storing or retrieving locker content, and sending operational messages.
- Legitimate interests: protecting the service, preventing fraud or misuse, securing infrastructure, maintaining logs, and improving stability and support.
- Legal obligation: complying with lawful requests, court orders, tax, accounting, record-keeping or regulatory duties where applicable.
- Consent, where required: handling optional communications, optional recovery steps or optional non-essential technologies where the operator chooses to use them.
4. Cookies and similar technologies
This service uses essential session and security mechanisms needed to keep users signed in, protect forms, preserve state and maintain the locker service. If the operator later enables non-essential analytics, marketing or third-party tools, additional notices or consent mechanisms may be required under applicable privacy and e-privacy rules.
5. Retention
Personal data is kept only for as long as reasonably necessary for the purposes described above, including account maintenance, security, support, legal compliance and dispute resolution. In practice, retention may differ by data type:
- account and locker records: while the locker remains active and for a limited period afterwards as needed for security, audit, legal or recovery purposes;
- content stored by the user: until deleted by the user, the operator, or by an applicable retention rule;
- security and technical logs: for a limited period proportionate to fraud prevention, troubleshooting and legal needs;
- contact enquiries: for as long as needed to answer the request and keep an internal record of the interaction.
6. Recipients and disclosures
Personal data may be accessed by the operator, authorised administrators, hosting or infrastructure providers, email service components and technical processors acting on behalf of the operator where needed to run the service. Data may also be disclosed where required by law, court order, regulator request, incident response or enforcement of rights and safety. The operator does not sell personal data.
7. International transfers
Where infrastructure, email, support or hosting providers are located outside your country, personal data may be transferred internationally. Where required by law, the operator should use an appropriate transfer mechanism or safeguard for those transfers.
8. Security
The operator may use technical and organisational measures appropriate to the risks involved, such as password hashing, access controls, rate limits, restricted admin access, session protection and optional encrypted note or file modes. Keep your locker password safe. If recovery is disabled, lost passwords cannot be recovered.
No system can guarantee absolute security, and you remain responsible for protecting your devices, passwords, recovery details and local backups.
9. Your rights
Where applicable law grants them, you may have rights to be informed, access your personal data, rectify inaccurate data, erase data, restrict processing, object to certain processing, request portability, and ask not to be subject solely to automated decision-making with significant effects. You may also have the right to withdraw consent where processing is based on consent.
To exercise a right, contact [email protected] with enough information to identify your locker or request. The operator may ask for reasonable proof of identity before acting on a request.
10. Complaints
If you believe your data-protection rights have been violated, you may contact the operator first so the issue can be reviewed. You may also lodge a complaint with your local supervisory authority or data-protection regulator where applicable.
11. Children
This service is not intended for unlawful collection of children's data. If the operator becomes aware that personal data has been provided in breach of applicable law, the operator may delete it and take appropriate protective steps.