PRIVACY POLICY
Publication date: OCTOBER 2024
This Privacy Policy describes how Boxsy Inc., including its affiliates and subsidiaries (collectively, “Boxsy” and also referred to as “our”, “us” and “we”) collects, uses and discloses Personal Data, as well as any choices you have with respect to this Personal Data.
When we refer to “Boxsy”, we mean the Boxsy entity that acts as the controller or processor of your Personal Data, explained in more detail in the “Identifying the Data Controller and Processor” section below.
Applicability of this Privacy Policy
This Privacy Policy applies to Boxsy’s online collaboration tools and platform, including the associated Boxsy mobile and desktop applications (collectively, the “Services”), Boxsy.io and other Boxsy websites (collectively, the “Websites”) and other interactions (e.g. customer support, etc.) you may have with Boxsy, including the processing of any messages, files, video or audio recordings, prompts or other content submitted through our Services (collectively, “Customer Content”). This Privacy Policy does not apply to any third-party applications or software that integrate with our Services (“Third-Party Services”), or any other third-party products, services or businesses.
You, the organization (e.g., your employer or another entity or person) controlling the use of the Services (“Organization”) and any associated Customer Content, and any individuals who are granted access to the Services by an Organization (“Users” and, collectively with you and an Organization, “Customer”) are also bound by the Terms of Service, as applicable, and any product-specific Terms (together, the “Customer Agreement”).
If you have any questions about specific Organization settings and privacy practices, please contact the Customer whose Organization you use. If you have received an invitation to join an Organization but have not yet created an account, you should request assistance from the Customer that sent the invitation.
Identifying the Data Controller and Processor
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of Personal Data. In general, Customer is the controller and Boxsy is the processor of Customer Content. As the controller for Customer Content, Customer may, for example, use the Services to grant and remove access to an Organization, assign roles and configure settings, access, modify, export, share and remove Customer Content and otherwise apply its policies to the Services.
As the processor for Customer Content, Boxsy processes Customer Content only on Customer’s request and in accordance with Customer’s written instructions, including the applicable terms in the Customer Agreement, Customer’s use of the Services, and as required by applicable law. For more information about how Customer Content is processed (such as how your Personal Data is processed, the purpose and legal basis for processing, and your data subject rights), we refer you to the relevant Customer’s privacy notice.
Boxsy is the controller for certain other categories of data (described below). If you have any questions or complaints, or would like to exercise your rights with regard to your Personal Data, please contact us at privacy@boxsy.io.
The types of Personal Data we collect
Your Personal Data is provided by you, obtained from third parties, and/or created by us when you use the Services.
Customer Content. Customers or Authorized Users routinely submit Customer Content to Boxsy when using the Services.
Services Data. Boxsy also collects, generates and/or receives the following types of Personal Data, other than Customer Content, through and in connection with Boxsy’s provision of the Services (the “Services Data”):
Organization and account information. To create or update an Organization account, you or the relevant Customer (e.g. your employer) will supply Boxsy with an email address, phone number, password, domain and/or similar account details. We may also receive your email address and name from Quickbooks, HubSpot or other organizations with whom our platform has integrations through which you may sign up to use our Services.
Billing Information. Customers that purchase a paid version of the Services provide Boxsy (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
Service metadata. When an Authorized User interacts with the Services, metadata is generated to provide additional context about their use of the Services. For example, Boxsy logs the Organizations, dashboards, people, features, content and links that you view or interact with, as well as the types of files shared and any Third-Party Services that you use.
Log data. Like most websites and services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services, recording this information in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, your browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences.
Device data. Boxsy collects information about devices accessing the Services, including the type of device, operating system used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Services Data often depends on the type of device used and its settings.
Location data. We receive information from you, the relevant Customer and other third parties that helps us approximate your location. We may, for example, use a business address submitted by your employer or an IP address received from your browser or device to determine approximate location. Boxsy may also collect location information from devices in accordance with the consent provided by your device.
Third-party data. Boxsy may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters relevant to our business from parent corporations, affiliates and subsidiaries, our partners, or other third parties that we use to make our own information more useful. This data may be combined and may include aggregate-level data. For example, information about how well an online marketing or email campaign performed, or to create a business contacts directory.
Marketing and communications Data. Boxsy may obtain marketing information, including your preferences in receiving marketing from us and our third parties and your communication preferences.
Cookie data. Boxsy uses a variety of cookies and similar technologies in our Websites and Services to help us collect Services Data. For more details about how we use these technologies, as well as your opt-out opportunities and other options, please see our Cookie Notice.
Email performance data. Boxsy uses a ‘clear image’ (gif) in email communications in order to track engagement and performance metrics. Much of this data is aggregated and does not contain Personal Data. If you wish to turn off this tracking, you can do so by turning off images in the email itself.
Third-Party Services data. A Customer may choose to use Third-Party Services. If Customer enables Third-Party Services, Boxsy may access and exchange Customer Content and Services Data with the Third-Party on Customer’s behalf, in accordance with our agreement with the Third-Party Services and any permissions granted by the Customer (including its Authorized User(s)).
Contact data. In accordance with the consent provided by your device or other third-party API, we process any contact information that an Authorized User chooses to import when using the Services.
Community data. We also receive Services Data when submitted to our Websites or in other ways, such as if you participate in the Boxsy Community. This data is either submitted directly to the Services, or collected during Forums, Programs, contests, activities, events, or educational programs hosted by Boxsy (or a vendor).
Call data. Our Customer Success team may record video or telephone calls with Customers for the purposes of training and quality assurance. You will be notified of this when a recording is made, and can request that Boxsy does not record these calls.
Additional data provided to Boxsy. If you use Boxsy’s AI features pursuant to our Terms of Services, Services Data also includes data associated with your interaction with these technologies. We also receive Services Data when submitted to our Websites or in other ways, such as when you request support, interact with our social media accounts or otherwise communicate with Boxsy.
Business data. Boxsy may receive information about individuals from organizations, industries, Customers, (potential) partners, parent corporations, affiliates and subsidiaries, and our partners for cooperation and communication purposes.
Generally, no one is under a statutory or contractual obligation to provide any Customer Content or Services Data (collectively, “Personal Data”). However, certain Personal Data is collected automatically and, if some Personal Data, such as Organization setup details, is not provided, we may be unable to provide the Services.
How we use Personal Data
Customer Content will be used by Boxsy in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law.
Boxsy uses Services Data for the purposes of our legitimate interests in operating our Services, Websites and business. More specifically, Boxsy uses Services Data:
To provide, update, maintain and protect our Services, Websites and business. This includes the use of Services Data to support delivery of the Services under a Customer Agreement, including to create or update an Organization, to prevent or address service errors, security or technical issues, and to analyze and monitor usage of the product and its features, trends and other activities.
To provide, update, maintain and otherwise operate the Boxsy Community. This includes, but is not limited to, facilitating collaboration and interaction between Users when engaging with the Boxsy Community.
To develop and improve products and Services, including AI features, provided you have not opted out.
As required by applicable law, legal process or regulation.
To support and communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Services Data to respond.
To develop, test and provide search, learning and productivity tools and additional features. Boxsy tries to make the Services as useful as possible. For example, we make Services suggestions based on historical use and predictive models, identify organizational trends and insights, customize your experience of the Services, or to create and develop new features and products.
To conduct market and user research. To improve our Services and troubleshoot new products and features, we may carry out research. For example, we may survey Customers (including Admins, Users and other contacts) or third parties about customer satisfaction, user experience, the effectiveness of our marketing campaigns, and their broader interests.
To send emails and other communications. Transactional: As part of our services, we provide users with certain communications and updates. We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications as part of our Services to you.
Soft opt-in / Legitimate Interests: In addition, we sometimes send emails about new product features, recommendations and promotional communications, or other news about Boxsy. You can opt-out of these messages at any time by using the unsubscribe link included in all of these communications.
For billing, account management and other administrative matters. Boxsy may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.
To investigate and help prevent security issues and abuse.
To manage and to contact you with regard to involvement. We may need to manage and contact you with regard to your involvement and participation in the Boxsy Community (such as the Forums, Programs, contests, activities, events or educational programs hosted by Boxsy or a vendor).
If information is aggregated or de-identified so that it can no longer reasonably be associated with an identified or identifiable natural person, Boxsy may use it for any business purpose. To the extent information is associated with an identified or identifiable natural person and is protected as Personal Data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”
Boxsy Sherpa
In order to improve efficiency, take care of routine tasks and work with teams as part of your journey, Boxsy offers certain AI-supported functionalities within the product, Boxsy Sherpa.
If you choose to use these features, Customer Content (including user-generated prompts) will be processed by AI and machine learning models in order to generate content or make changes to your tasks, documents, etc. Some of these models sit internally within our product, and some are provided by a third party. We will not use your data to train the models.
In order to provide Boxsy Sherpa, Boxsy uses the following types of Personal Data:
User-generated prompts submitted by Users, which the models will use to generate content or make changes to your tasks, documents, etc. This is Customer Content, and we process it as a data processor on your instructions in order to provide the Services. Please be aware that any Personal Data you submit as a prompt will be processed by Boxsy Sherpa.
Usage metadata about how Users engage with Boxsy Sherpa, which Boxsy processes as a data controller in order to prevent or address service errors, security or technical issues, and to analyze and monitor usage of Boxsy Sherpa. Usage metadata does not contain Customer Content.
Boxsy Sherpa might share limited data with Google for the above purposes and to monitor compliance with codes of conduct.
Data Retention
Boxsy will retain Customer Content in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law. The deletion of Customer’s Personal Data may result in the deletion and/or de-identification of an account and certain associated Services Data. Boxsy may retain Services Data for as long as necessary for the purposes described in this Privacy Policy.
Further, note that we may keep certain types of Services Data after the deactivation of an account for the period needed for Boxsy to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.
How we share and disclose Personal Data
This section describes how Boxsy may share and disclose Personal Data, as described in paragraph 3 above. Customers determine their own policies and practices for the sharing and disclosure of Personal Data. Boxsy does not control how they or any other third party chooses to share or disclose Personal Data.
Boxsy may share and disclose Personal Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and the Customer’s use of the Services and in compliance with applicable law. Where necessary, we may only share Personal Data with third parties where we have obtained consent to do so.
We may share Personal Data as follows:
Displaying the Services. When an Authorized User submits Customer Content (including Personal Data), it may be displayed to other Authorized Users that have access to the same Boxsy Control Center. For example, an Authorized User’s name and Boxsy profile may be displayed. Please consult the Help Center for more information on this functionality.
Customer access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to Personal Data. This may include, for example, your employer using Service features to export logs of your activity or accessing or modifying your profile details.
Subcontractors. We may engage third-party companies or individuals as sub-processors to process Personal Data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Customers. Please see more information on our subcontractors here.
Third-Party Services. Customers may enable Third-Party Services. When enabled, Boxsy may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. Third-Party Services are not owned or controlled by Boxsy and third parties that have been granted access to Personal Data may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.
Partners. We may share Personal Data with developers, partners and others we engage to create Boxsy applications and/or integrate Boxsy features.
Forums. The information you choose to provide in a community forum, including Personal Data, will be publicly available.
Corporate Affiliates. Boxsy may share Personal Data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.
During a change to Boxsy’s business. If Boxsy engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Boxsy’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all Personal Data may be shared or transferred, subject to standard confidentiality arrangements.
To comply with laws. If we receive a request for Personal Data, we may disclose Personal Data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Boxsy, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.
Security
Boxsy takes security of Personal Data very seriously. Boxsy strives to protect all Personal Data from loss, misuse, and unauthorized access or disclosure. Boxsy cannot guarantee that Personal Data stored or sent to Boxsy will be completely safe and encourages you to use caution. To the maximum extent allowed by applicable law, you agree and acknowledge that Boxsy will not be liable or responsible if any information about you is intercepted, accessed, and/or used by an unintended recipient.
Our responsibility for third party links
Our Services may contain links to websites and services operated by third parties. If you follow a link to any of these websites, please note that these websites have their own privacy notices and terms and conditions. Further, we have no responsibility for, or control over, the information collected by any third-party website and we cannot be responsible for the protection and privacy of any information which you may provide to these websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.
Age Restriction
Boxsy does not allow use of our Services and Websites by anyone younger than 16 years old (“Minor”). If you learn that a Minor has unlawfully provided us with Personal Data, please contact us and we will take steps to delete this information.
By using our Services and Websites, you represent and warrant that you are not a Minor as of the date of first access to our Services and Websites.
If you are a Minor, you represent and warrant that you are accessing the Services and Websites with the consent of a competent guardian over the age of 16 years old who takes responsibility for your use of the Services and Websites.
Changes to this Privacy Policy
Boxsy may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our services or business. We will post the changes to this page and we encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, Boxsy will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Notice, you should deactivate your account. Contact the relevant Customer if you wish to request the removal of your Personal Data under their control.
Local Provisions
European Union
If you are based in the European Union, the following provisions also apply:
GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Member State means a member state of the European Union.
If we share your Personal Data with our group company(ies) or third parties located outside the European Economic Area, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your Personal Data, such as by entering into the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR), which are available here.
Where we are the controller of your Personal Data, the GDPR data protection rights set out below apply to you. Most of these rights are not absolute and are subject to exemptions under applicable law. We will respond to any request to exercise your rights within one month, but have the right to extend this period in certain circumstances. If we extend the response period, we will let you know within one month from your request. If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply with it. To exercise these rights, please submit a request to us by sending an email to privacy@boxsy.io.
Access your Personal Data. You are entitled to ask us if we are processing your Personal Data and, if we are, you can request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you.
Request the transfer of your Personal Data. We will provide your Personal Data to you or a third party you have chosen in a structured, commonly used, machine-readable format. Please note that this right applies only to Personal Data you have provided to us, and only if we process your Personal Data on the basis of consent, or where we process your Personal Data in order to perform a contract with you.
Request erasure (deletion) of your Personal Data. You are entitled to ask us to delete or remove Personal Data in certain circumstances. There are certain exemptions where we may refuse a request for erasure. For example, where the Personal Data is required for compliance with law or in connection with legal claims. Where we rely on an exemption, we will inform you about this.
Request the correction or updating of your Personal Data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
Request the restriction of our processing of your Personal Data in some situations. If you request this, we can continue to store your Personal Data but are restricted from processing it while the restriction is in place.
Object to our processing of your Personal Data where we are relying on legitimate interests. You also have a right to object where we are processing your Personal Data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
Withdraw your consent. Where you have provided your consent to our processing of your Personal Data, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your Personal Data before you withdrew consent.
Lodge a complaint at a supervisory authority. We will do our best to resolve any complaints you may have. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work, or where an alleged infringement of the applicable data protection law took place. A list of EU supervisory authorities and their contact details is available here.
If you exercise the rights above and there is any question about who you are, we may require you to provide information in order to satisfy ourselves as to your identity.
United Kingdom
If you are based in the United Kingdom, the following provisions apply:
UK GDPR means the Retained Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
If we share your Personal Data with our group company(ies) or third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your Personal Data, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018.
In relation to your data subject rights, paragraph 11(d) above applies, except that references to the "GDPR" will be read as references to the "UK GDPR", and in case you wish to lodge a complaint with a supervisory authority, you may direct your complaint to the UK supervisory authority, the Information Commissioner’s Office.
United States
If you are based in California, the following provisions apply:
California Data Protection Laws means the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, as each may be amended or replaced from time to time, and any regulations implementing the foregoing.
Under the California Data Protection Laws you have the following rights:
Right to Know about Personal Information Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information. You have the right to request any or all of the following:
The categories of personal information we collected about you.
The categories of sources from which the personal information is collected.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you (also called a data portability request).
Notice of Sale. We do not sell the personal information of California residents. We also do not have any actual knowledge of selling the personal information of any California resident who is 16 years or younger.
Right to Request Deletion. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under the California Data Protection Laws, such as detecting security incidents and protecting against fraudulent or illegal activity.
Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by sending an email to privacy@boxsy.io. Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information (including information that enables us to verify the identifying information we possibly maintain about you).
We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing. In order to protect the security of your personal information, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the personal information that we already have.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply.
Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights based on the California Data Protection Laws, including, but not limited to, by:
Denying you goods or services.
Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Providing you a different level or quality of goods or services.
Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.