Privacy Policy
Last updated: April 30, 2026
1. Information We Collect
Account Information
When you create an account, we collect your email address, password (stored as a bcrypt hash, never in plaintext), and optionally your company name.
Assessment Data
When you complete a compliance readiness assessment, we collect your responses to the questionnaire. These responses are used solely to generate your risk screening report.
Pricing Data
When you upload a CSV file for statistical analysis, we store the file and process it to run the requested analysis. Pricing data may contain commercially sensitive information. We treat all uploaded pricing data as confidential.
Analysis Results
We store the results of statistical analyses, including risk scores, test results, and generated narrative reports. These results are accessible only to the authenticated user who created them.
Lead Information
When you provide your email to download a PDF report, we store your email address and link it to the assessment. We may use this email to follow up about Boxless services.
2. How We Use Your Information
We use your information to:
- Provide the compliance readiness assessment and statistical analysis services
- Generate PDF reports
- Authenticate your account and protect your data
- Send service-related communications (assessment results, account notifications)
- Follow up about Boxless services if you provided your email for a report download
We do NOT:
- Use customer pricing data to train machine learning models
- Aggregate or benchmark pricing data across customers
- Share customer data with competitors or any third party for marketing purposes
- Access customer data or analysis results without explicit authorization
- Sell personal information to any third party
3. Third-Party Data Processing
We use the following third-party services to provide Boxless. Each processes data only as necessary to provide the service:
- Anthropic (Claude API) — We send assessment data and statistical results to the Claude API to generate narrative report sections. Anthropic processes this data under their API terms and does not use API input data for model training.
- Render — Backend hosting and database.
- Vercel — Frontend hosting.
4. Data Security
We implement the following security measures:
- Encryption in transit (TLS/HTTPS) and at rest
- JWT-based authentication with token expiry
- Per-tenant data isolation — your data is separated from other customers
- Audit logging of all data access, uploads, and report downloads
- Bcrypt password hashing
- Rate limiting on all API endpoints
5. Data Retention and Deletion
We retain your data for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting hello@boxless.com. Upon account deletion:
- Your account information is deleted
- Your uploaded pricing data files are permanently deleted
- Your analysis results and reports are deleted
- Your assessment responses are deleted
- Audit logs are retained for 90 days after deletion for security purposes, then permanently deleted
6. Your Rights
California Residents (CCPA)
California residents have the right to: know what personal information is collected, request deletion of personal information, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising these rights. To exercise these rights, contact hello@boxless.com.
EU/EEA Residents (GDPR)
If you are an EU/EEA resident, you have the right to: access your personal data, rectify inaccurate data, request erasure, restrict processing, request data portability, and object to processing. Our lawful basis for processing is contract performance (providing the service you signed up for) and legitimate interest (improving the service). To exercise these rights, contact hello@boxless.com.
7. Cookies
Boxless uses essential cookies only (authentication tokens stored in localStorage). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Children's Privacy
Boxless is a B2B service not directed at individuals under 18. We do not knowingly collect information from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the most recent revision.
10. Contact
Questions about this Privacy Policy should be directed to hello@boxless.com.
Boxless is operated by Code Boys LLC, Birmingham, Alabama.