# Boxa Privacy Policy *Short version: we don't want your data.* Last updated: March 2026 ## 1. Introduction *We collect as little as possible.* This Privacy Policy outlines how Boxa, hereinafter referred to as the Company, collects, uses, discloses, and manages personal data in compliance with the European Union's General Data Protection Regulation (GDPR). We take the protection of your privacy seriously. We only collect the minimum amount of data needed to provide you with the best possible experience. ## 2. Data Collection *We only know who you are if you buy Plus. Everything else stays on your device.* **Information We Collect:** The Company collects and processes user email addresses, payment IDs (anonymous unique Stripe Payment Intent ID, Apple App Store transaction ID, or Google Play Order ID) and client IDs (an ID identifying user devices). Email addresses are collected to allow users to use their purchase on multiple devices and for the Company to communicate with its users. Payment IDs are collected solely for the purpose of validating, managing and restoring purchases of Boxa Plus. Client IDs are collected to manage user network requests and allow users to log out of devices. This personal data is only collected from users who have made a purchase. No payment method data (such as credit card numbers) is collected by the Company. **Data Retention:** We retain this data to enable the use and restoration of purchases across multiple devices. We do not store payment method data or any other personal information. **Data Deletion:** If users wish to have their email address and associated data deleted, they may contact the Company at support@boxa.app, and their request will be promptly addressed. **Workout Data:** All workout data, including Sets, Sessions, custom combos, and custom moves, is stored locally on your device. This data is not uploaded to any server. ## 3. Data Security *Standard security practices. Nothing unusual here.* We employ industry-standard security measures to safeguard user personal data from unauthorized access, alteration, disclosure, and destruction. ## 4. Third-Party Services *Apple, Google, and Stripe handle payments. We don't touch your card.* The Company uses three third-party services for payment processing: Apple App Store (iOS), Google Play (Android), and Stripe (web). These third parties have their own privacy policies and data protection measures. Users are encouraged to review their policies to understand how data is handled when using their services. ## 5. Analytics and Tracking *Anonymous usage analytics. No ads. No third-party trackers.* The Company uses Firebase Analytics (provided by Google) to analyse traffic and user behaviour in order to provide users with the best possible experience. Firebase Analytics may collect information about your country, your device, the duration of your session and your behaviour in the app, among other things. This data is anonymous and helps the Company improve the service. For more information, please refer to [Google's Privacy Policy](https://policies.google.com/privacy) and [Firebase Privacy Information](https://firebase.google.com/support/privacy). The Company does not use any advertising networks or third-party tracking services. There are no ads in Boxa. ## 6. Crash Reporting *If the app crashes, we see what went wrong. Not who you are.* The Company uses Firebase Crashlytics (provided by Google) to collect crash reports and error logs. This data includes device information (operating system, app version), error context, and diagnostic logs. It is used solely for identifying and fixing bugs. No personal information is included in crash reports. ## 7. Server Logs *Basic server logs, deleted after 14 days.* The Company maintains server logs as an industry-standard practice for enhancing the security and integrity of user data. These logs are essential for protecting user data, preventing unauthorized access, and ensuring the overall security of our services. Server logs include basic information (IP address, device type, user ID and elements of the request body if applicable) and are retained for a period of 14 days maximum. They are also used for diagnostic and troubleshooting purposes. ## 8. Data Transfer *Your data stays in Europe.* The Company does not transfer user data to countries outside the European Economic Area (EEA). All data remains securely stored within the EEA, and no data is transferred to other companies. ## 9. User Rights *You can see, fix, or delete anything we have on you.* Under the GDPR, users have the following rights: - **Access:** Users have the right to request access to the personal data we hold about them. - **Correction:** Users can rectify inaccuracies in their personal data. - **Deletion:** Users have the right to request the deletion of their personal data. - **Restriction:** Users can request the restriction of the processing of their personal data. - **Portability:** Users have the right to receive their personal data in a structured, commonly used, and machine-readable format. - **Objection:** Users can object to the processing of their personal data. ## 10. Contact Information *Questions? support@boxa.app* If you have any questions, concerns, or requests related to your personal data and this Privacy Policy, please contact the Company at support@boxa.app. ## 11. Changes to Privacy Policy *If this changes, we'll let you know.* The Company reserves the right to modify or update this Privacy Policy. Users will be notified of any significant changes, and it is their responsibility to review the updated Privacy Policy. Continued use of the Company's services after the modification constitutes acceptance of the revised Privacy Policy. ## 12. Supervisory Authority *If we're not handling your data right, you can report us.* If you believe that the Company has not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority in your EU Member State.