Privacy Policy

Last updated: April 2026

1. Data we collect

Account information (email, name), payment data (processed by Stripe — we do not store card numbers), usage data (renders, prompts, project metadata), and standard web server logs (IP, user agent, timestamps).

2. How we use it

To provide the service, authenticate users, process payments, prevent fraud, improve AI model quality, send service communications, and comply with legal obligations.

3. Data sharing

We share data only with: Stripe (payment processing), our cloud infrastructure provider (hosting), and our AI model provider (render generation — Stability AI or Replicate). We do not sell personal data.

4. Data retention

Account data is retained while your account is active. Render outputs are stored for 90 days after generation. Web server logs are retained for 30 days. You may request deletion at any time.

5. Your rights

You may access, correct, export, or delete your data by contacting privacy@boxnoza.com. EU/EEA and UK users have additional rights under GDPR. California residents have additional rights under CCPA.

6. Security

We use encryption in transit (TLS 1.2+), encrypted password storage (bcrypt), strict session cookies (SameSite=Strict, httpOnly), CSRF protection, and access controls. No system is perfectly secure; we will notify affected users of any breach within 72 hours.

7. Cookies

We use only essential cookies for authentication (session) and CSRF protection (csrf_token). We do not use tracking or advertising cookies.

8. Contact

Data protection inquiries: privacy@boxnoza.com