Privacy Policy
BOXPLA — boxpla.app
Effective date: May 29, 2026
This Privacy Policy explains how BOXPLA Inc. ("BOXPLA", "we", "us", or "our"), a company based in Canada, collects, uses, and protects your personal information when you use BOXPLA, our model-kit search and shipping-box calculator at boxpla.app (the "Service").
We are committed to protecting your privacy and collecting only the information we need to run the Service. If you have any questions, contact us at info@boxpla.app.
1. Who We Are (Data Controller)
BOXPLA Inc., based in Canada, is the controller responsible for your personal information. You can reach our privacy contact at info@boxpla.app.
2. Information We Collect
2.1 Information you provide
When you create an account or use the Service, we collect:
- Account information: your display name, email address, username, and avatar. Your avatar may be an image you upload (which we store), a colour you choose, or, if you sign in with Google, the profile picture provided by Google. When you sign in with Google we receive your name, email address, and profile picture to create your account.
- Collection data: the model kits you add to your collection and their status (such as wishlist, backlog, building, or built), along with any notes you add.
- Packing data: the shipping boxes you define (dimensions and notes), the kits you assign to them, and the box-fit ("pack") calculation results you save.
2.2 Information collected automatically
We aim to keep automatic collection to a minimum. The Service does not use advertising trackers, and we do not build advertising profiles about you. We do use a privacy-friendly, cookieless analytics tool (Cloudflare Web Analytics) that measures aggregate page visits without using cookies or fingerprinting individual visitors. In addition:
- Local storage: we store small pieces of information in your browser's local storage to make the app work — specifically your theme preference (dark or light), a cached copy of your profile for faster display, and your authentication session so you stay signed in. This is essential storage, not advertising tracking, and is not shared with third parties.
- Technical data: our hosting, security, and analytics provider (Cloudflare) automatically processes technical information such as your IP address and browser type to deliver the Service securely, protect against abuse, and produce aggregate visitor statistics. If you sign in with Google, loading your Google profile picture may also expose your IP address to Google, as described in Section 4.
2.3 Information we do not collect
We do not collect payment or financial information — the Service is free. We do not collect government identifiers, and we do not knowingly collect special categories of sensitive personal data.
3. How We Use Your Information
We use your personal information to:
- create and manage your account and authenticate your sign-in;
- provide the Service, including saving and displaying your collection, notes, and box calculations;
- send you essential service emails, such as account confirmation and password-reset messages;
- maintain the security, integrity, and proper functioning of the Service; and
- comply with our legal obligations and enforce our Terms of Service.
We do not sell your personal information, and we do not use it for third-party advertising.
4. How We Share Your Information
We do not sell or rent your personal information. We share it only with service providers who help us operate the Service, and only as needed for them to perform their functions:
- Supabase — provides our authentication and database services, where your account, collection, box, and pack-calculation data are securely stored, and sends our transactional emails (account confirmation and password reset).
- Cloudflare — provides hosting, content delivery, security and DDoS protection, and cookieless, aggregate visitor analytics (Cloudflare Web Analytics) for the Service.
- Google — if you choose to sign in with Google, Google authenticates you and provides your basic profile information and profile picture; your Google profile picture is loaded from Google's servers.
- Third-party reference links — kits may include links that point to external retailers, manufacturers, or review sites. We do not send your personal data to them, but if you click a link your browser will visit that third-party site under its own privacy policy.
Box-fit calculations performed by the BOXPLA Engine, and avatar images you upload, are processed on our own backend services operated under the boxpla.app domain. This is first-party processing and does not involve sharing your personal data with outside companies.
We may also disclose information if required by law, to respond to lawful requests, or to protect the rights, safety, and property of BOXPLA, our users, or others.
5. International Data Transfers
Our service providers may store and process your information on servers located outside your country, including outside Canada and the European Economic Area. Where we transfer personal data internationally, we rely on our providers' safeguards and applicable legal mechanisms to protect your information consistent with this Policy.
6. Data Retention
We keep your personal information for as long as your account is active or as needed to provide the Service. When you delete your account from your settings, your account and associated data — including your collection, wishlist, boxes, and saved calculations — are deleted immediately and permanently and cannot be recovered. We may retain limited information only where required to comply with legal obligations, resolve disputes, or enforce our agreements, and routine backups may persist for a short period before being overwritten.
7. Security
We take reasonable technical and organizational measures to protect your personal information. These include encrypted connections enforced site-wide (HTTPS/HSTS), a strict Content-Security-Policy, clickjacking and MIME-type protections, and a restrictive permissions policy that disables access to your camera, microphone, location, and payment APIs and opts out of interest-based tracking cohorts. Access to user data by our administrators is limited to what is necessary to operate and maintain the Service. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Your Rights (Including GDPR)
Depending on where you live, you have rights over your personal information. For users in the European Economic Area and the United Kingdom, the General Data Protection Regulation (GDPR) gives you the following rights:
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data; you can update much of your profile directly in the app.
- Right to erasure — to delete your personal data ("the right to be forgotten"). You can delete your account at any time from your account settings; this immediately and permanently removes your account and all associated data, with no way to recover it. You may also contact us at info@boxpla.app.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
- Right to restriction and objection — to limit or object to certain processing of your data.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time.
Our legal bases for processing under the GDPR are: performance of our contract with you (to provide the Service), your consent (for example when signing in with Google), and our legitimate interests (to keep the Service secure and functioning). To exercise any of these rights, contact us at info@boxpla.app. We will respond within the timeframes required by law. You also have the right to lodge a complaint with your local data-protection authority.
If you are in Canada, you have similar rights under applicable privacy laws, including the right to access and correct your personal information; you may contact us using the details above, and you may also contact the Office of the Privacy Commissioner of Canada.
9. Children's Privacy
The Service is not intended for children under 15 years of age, and you must be at least 15 to use it. We do not knowingly collect personal information from anyone under that age. If you believe a child under 15 has provided us with personal information, please contact us and we will take steps to delete it.
10. Cookies and Tracking
BOXPLA does not use advertising cookies, and our analytics (Cloudflare Web Analytics) is cookieless and does not track you across sites. We use only essential browser local storage to keep you signed in and to remember your profile and theme preference, as described in Section 2.2. Because we do not set non-essential or tracking cookies, you will not see a cookie-consent banner. Through our permissions policy we also opt out of interest-based advertising cohorts such as FLoC and Topics.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at info@boxpla.app.
BOXPLA Inc. — Canada