Privacy Policy
Last updated: May 4, 2026
1. Overview
BoxOwl is a Personal Data Platform. You are the controller of your personal data. BoxOwl LLC operates the vault as a service to you. Apps you connect are processors of your data under per-field scoped consent that you grant and can revoke at any time. This Privacy Policy describes the personal data you may place in the vault, how BoxOwl as operator handles it on your behalf, and the controls you retain. If you have questions, contact us at support@boxowl.me.
1a. Who controls your data
You do. You decide what goes into the vault, what stays out, which connected apps may read which fields, and when those grants end. BoxOwl LLC (Colorado, US) operates the vault as a service to you — we are the operator, not the controller, of the personal data you place in it. We are not a data broker, not an identity provider, and not your representative to third parties. Connected apps that read your vault under per-field consent act as processors of your data for the limited purpose you authorized at connect time. The legal basis for any read by a connected app is the scoped consent you granted in the BoxOwl consent UI; you may revoke that consent in one click in the BoxOwl app or extension.
2. Categories of personal information the vault may hold
BoxOwl is a personal data vault — by design, the vault holds whatever you, as controller, choose to add. Every category below is optional, user-supplied, and editable or deletable at any time from your vault. BoxOwl as operator holds these categories on your behalf; they are yours, not BoxOwl's.
- Identifiers — email address, display name/handle, user ID, BoxOwl UID
- Contact information — addresses, phone numbers (only what you add)
- Identity & demographics — full legal name, preferred name, pronouns, gender, birth date, nationality, citizenship, ethnicity, household composition, marital status, language
- Government and platform IDs — passport, visa, residence-permit, driver's license, or other external identity documents that you choose to store. These live in the External identities and Travel documents vault categories.
- Health and dietary information — blood type, allergies, medications, physician contact, emergency contacts, dietary restrictions and preferences. These live in the Medical basics, Emergency contacts, and Dietary categories. Optional; stored only if you add them.
- Geolocation data — location stored in your vault at a user-selected accuracy tier (precise GPS, neighborhood, city, or country). You control the accuracy level and may disable location storage entirely at any time.
- Financial information — payment-method details (card number, expiry, cardholder name) and loyalty-program account numbers. Stored end-to-end encrypted; BoxOwl cannot read these fields. CVC is never stored. Subscription billing itself is processed by Stripe — see §6.
- Online identifiers — social-profile URLs, platform usernames, custom links
- Work and education history — employers, titles, dates, institutions, degrees, certifications
- Anthropometrics and preferences — body measurements, clothing/shoe sizes, fit preferences, style preferences, budget bands. Optional.
- Pets and vehicles — if you choose to add them
- Secure notes — free-form notes you encrypt end-to-end before storage; BoxOwl cannot read these.
- Device information — device type, app version, IP address (used for audit logs and troubleshooting)
The full list of vault categories is documented in the Vault reference. We never collect any of these categories unless you add them yourself, and you can export or erase your full vault at any time.
3. How personal information enters the vault
As operator, BoxOwl does not source personal data about you on its own. The vault holds what you place in it, plus the minimal operational signals BoxOwl needs to run the service on your behalf.
- Directly from you — when you register, create vault items, or update your profile, you are the source and the controller of those entries.
- Operational signals — device type, app version, and basic error/usage metrics that BoxOwl as operator records to keep the service running, debug failures, and detect abuse.
BoxOwl does not buy personal information from data brokers.
4. How BoxOwl processes personal information on your behalf
As operator of the vault, BoxOwl processes the personal data you place in it only for the purposes below, all of which serve operating the service you asked BoxOwl to run for you:
- To provide, maintain, and secure the BoxOwl vault and autofill services, including location storage at your chosen accuracy tier
- To sync your vault across devices you authenticate
- To detect fraud, abuse, and security incidents
- To troubleshoot and improve app stability and performance
- To send essential service notifications (security alerts, policy changes)
- To comply with legal obligations that bind BoxOwl as operator
Reads of your vault by connected apps are not BoxOwl uses of your data — those reads are performed by the apps you have connected, acting as processors under the scoped consent you granted. BoxOwl projects the consented fields to those apps on your instruction. You can see, audit, and revoke each connection in the BoxOwl app or extension.
5. Categories of third parties that touch your data
BoxOwl does not sell your personal information. Two distinct categories of third party may touch the data in your vault:
- BoxOwl operational subprocessors — vendors BoxOwl uses to run the service on your behalf. They process vault data on BoxOwl's instructions, under contracts with BoxOwl, never on their own account:
  - Hosting / infrastructure providers — to operate our Kubernetes cluster and databases
  - Email service provider — to send transactional emails (e.g., password reset)
- Apps you connect — third-party apps you, as the controller, have authorized to read specific vault fields under per-field scoped consent. These apps act as processors of your data for the purpose you authorized at connect time. BoxOwl projects the consented fields to them on your instruction; they are not BoxOwl subprocessors. You can list, audit, and revoke connections from the BoxOwl app or extension at any time. The terms of any onward use by a connected app are governed by that app's own privacy policy, plus the resharing prohibition in our Terms of Service §5a.
Any future ad-targeting or demographic-sharing features will require your explicit opt-in consent before any data is shared.
6. Retention
- Vault data — retained until you delete your account
- Audit logs — retained for 90 days after account deletion, then purged
- Device and error metrics — retained for 30 days
7. Your California privacy rights (CCPA/CPRA)
California residents have the following rights:
- Right to know — Request the categories and specific pieces of personal information we have collected about you.
- Right to delete — Request deletion of your account and associated personal information.
- Right to correct — Request correction of inaccurate personal information.
- Right to portability — Receive your personal information in a structured, machine-readable format (JSON).
- Right to opt-out of sale/sharing — We do not sell personal information. No action is needed.
- Right to limit use of sensitive personal information — Location data at the “precise” GPS tier is treated as sensitive personal information under California law. You choose the accuracy tier for your stored location and may disable it at any time. Precise GPS data is never shared by default; it requires your explicit opt-in consent per partner organization.
- Right to non-discrimination — We will not deny you service, charge different prices, or provide a different level of service for exercising your privacy rights.
8. How to exercise your rights
You can exercise your rights in two ways:
- In the app or extension — go to Account → Export Data or Account → Delete Account
- By email — send your request to support@boxowl.me. We will verify your identity before acting on the request.
We aim to respond to verifiable consumer requests within 45 days.
9. Do Not Sell or Share My Personal Information
BoxOwl does not sell your personal information. The data in your vault is yours; BoxOwl as operator has no authority to monetize it through sale or sharing. Because no sale occurs, BoxOwl does not offer an opt-out of sale mechanism at this time. If this changes, we will update this policy and provide a clear opt-out mechanism before any sale occurs.
10. Security
As operator of the vault, BoxOwl protects the data you place in it using industry-standard measures:
- TLS 1.3 for all API and web traffic
- Passwords hashed with bcrypt
- JWT authentication with secrets stored in Kubernetes Secrets
- Rate limiting to prevent brute-force attacks
- Biometric authentication (Android) is local-only and never transmitted to our servers
11. Children’s privacy
BoxOwl is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy with an updated “Last updated” date. For material changes, we will notify you via email or an in-app notice.
13. The BoxOwl community (community.boxowl.me)
BoxOwl runs a community chat — Element at community.boxowl.me, backed by a self-hosted Matrix homeserver at matrix.boxowl.me. This is a separate processing surface from the vault, with its own account, its own storage, and its own rules. Your community account is an independent Matrix account; it is not linked to your BoxOwl product account, and signing in to one does not sign you in to the other. Participation is entirely optional. The Community Guidelines cover conduct, moderation, and appeals.
What the community service stores:
- Your Matrix account — your community handle (Matrix ID), display name, and login credentials, held by the homeserver.
- Room membership — which rooms you have joined.
- Messages in public rooms — stored unencrypted. Public rooms are deliberately world-readable so they work as a searchable archive; treat anything you post there as a permanent, public forum post.
- Messages in private rooms — stored end-to-end encrypted (Matrix Megolm). The homeserver holds only ciphertext it cannot read.
- Optional media — images or files you upload, stored on encrypted-at-rest volumes (Longhorn over LUKS).
Residency. The homeserver and its storage run in our Hetzner region (Nuremberg, nbg1), Germany.
Federation is off. The homeserver does not federate with the wider Matrix network. Your community messages and identity stay on BoxOwl's homeserver and are not relayed to other servers.
Retention. Community messages persist indefinitely while the room exists. Matrix deletion works by redaction, not retraction — deactivating your account redacts your messages (strips their content) but the event shells remain in room history, and copies others quoted or reacted to may persist. See the Matrix specification on redactions for exactly what redaction removes.
Right to erasure. To deactivate your community account or request erasure of your community data, email community@boxowl.me. An administrator processes the request via the Synapse admin API with erasure enabled, subject to the redaction limits above.
The community service is operated separately from your vault — community data is never mixed with vault data, and connecting apps cannot read it.
14. Contact us
Privacy questions or rights requests? Reach us at support@boxowl.me. For community-account matters, email community@boxowl.me.