TL;DR
- We do not sell your data. Ever. If you find that line vague, we do not.
- We do not use customer data to train AI models, ours or anyone else's.
- We use Google Analytics 4 and Microsoft Clarity on the marketing site. Both are configured to mask PII. You can opt out below.
- Your install's database is dedicated to you. It is not shared with any other Boxpress customer.
- You have rights under GDPR and CCPA. Email [email protected] and we respond within 30 days.
This Privacy Policy explains how Boxpress LLC ("Boxpress," "we," "us") collects, uses, stores, shares, and protects information from visitors to boxpress.io and from subscribers to the Boxpress platform. It covers two distinct surfaces: the public marketing website, and the per-tenant Boxpress installs where our customers run their cigar businesses.
For the marketing site, Boxpress is the data controller. For per-tenant installs, our customer (the cigar business) is the data controller for their end-customer data; Boxpress acts as data processor on their behalf, governed by our standard Data Processing Agreement (available on request).
1. Information We Collect
1.1 Marketing site (boxpress.io)
- Form submissions: name, email, phone, company, and any free-text you provide via demo booking, contact forms, or trial signup.
- Usage telemetry: IP address, browser, device type, referring URL, pages viewed, time on page, and clicks. Collected via Google Analytics 4 (with IP anonymization on) and Microsoft Clarity (with PII masking on).
- Cookies: see Section 4.
1.2 Boxpress account and billing
- Account data: business name, contact name, business address, email, phone, EIN (encrypted), tobacco license numbers (encrypted), federal TTB permit details (encrypted).
- Payment data: collected and tokenized by Stripe; we store a Stripe customer ID and the last 4 digits of the card. We do not see or store full card numbers.
- Authentication data: password hashed with Argon2id, optional TOTP MFA secret encrypted, magic-link JTI tokens, session cookies.
- Support communications: email threads, Slack messages (Scale tier), call notes.
- Platform telemetry: error logs (PII scrubbed), performance metrics, feature usage counts. Used to operate the platform, not to profile customers.
1.3 Customer Data inside your install
The data you create or upload through your install (your customers, orders, products, sales rep activity, content, etc.) belongs to you. We process it on your behalf to deliver the Service. We do not access it for any other purpose without your written consent or a legal obligation.
2. How We Use Information
- Deliver the Service: authenticate you, run your install, send transactional email, fire workflows, render reports.
- Billing: charge your payment method, send receipts, send dunning emails on failed payments.
- Support: answer questions, debug issues, restore from backup if needed.
- Marketing (Boxpress's own): send product updates, ebook releases, and event invites. Every marketing email has a one-click unsubscribe.
- Security and compliance: detect abuse, prevent fraud, respond to legal process, satisfy our own tax and regulatory obligations.
- Product improvement: aggregated, de-identified usage trends inform what we build next. No customer-identifiable data is used.
We do not sell personal information. We do not share personal information with advertisers. We do not use Customer Data to train AI models, ours or any third party's.
3. Legal Bases for Processing (GDPR)
- Contract: processing necessary to deliver the Service you have subscribed to.
- Legitimate interests: platform security, fraud prevention, product analytics on aggregate data, our own marketing to existing customers.
- Consent: non-essential cookies (Microsoft Clarity, Google Analytics 4) on the marketing site for visitors in jurisdictions that require opt-in. You can withdraw consent at any time via the cookie banner.
- Legal obligation: tax records, PACT Act records, responses to lawful subpoenas.
4. Cookies and Similar Technologies
We use cookies and similar storage on the marketing site and the admin app. Below is the full list with purpose and retention.
4.1 Strictly necessary (always on)
- boxpress_session - session cookie for sign-in. HttpOnly, Secure, SameSite=Lax. Expires on browser close or after 14 days of inactivity.
- boxpress_csrf - CSRF token for form submissions. HttpOnly, Secure. Expires with session.
- boxpress_consent - records your cookie consent choices. 12 months.
4.2 Analytics (Google Analytics 4) - opt-in
- _ga - distinguishes unique users. 2 years (we have configured a 14-month retention window in GA4 for user-level data, after which it is deleted).
- _ga_<container-id> - persists session state. 2 years.
IP anonymization is enabled. We do not enable Google Signals or Google Ads remarketing. Data retention in GA4 is set to 14 months.
4.3 Behavioral analytics (Microsoft Clarity) - opt-in
- _clck - Clarity user ID. 1 year.
- _clsk - Clarity session storage. 1 day.
- MUID - Microsoft user identifier (cross-Microsoft). 1 year.
Clarity records mouse movement, clicks, scrolls, and full session replays for the marketing site. PII masking is enabled at the script level: input fields, sensitive text content, and email addresses are masked in recordings. Microsoft retains session recordings for up to 30 days; we retain Clarity-derived heatmaps in aggregate for 90 days.
4.4 Search indexing (Google Search Console)
We use Google Search Console to monitor SEO performance. It does not set cookies on visitors and does not collect user data. Site ownership is verified via DNS TXT record or HTML meta tag.
5. Third-Party Service Providers (Sub-Processors)
We use carefully selected sub-processors to deliver the Service. Each is contractually bound to confidentiality, data security, and processing limitations. The full list is maintained in our Data Protection Policy and updated as it changes; material additions trigger a 30-day notice (see Section 11). Headline list:
- Railway - hosting for the application runtime and per-tenant Postgres databases (US-East primary; EU-West for customers with EU residency requirements).
- Cloudflare - CDN, DDoS protection, DNS, and R2 object storage for media uploads and generated PDFs.
- Stripe - payment processor for Boxpress's SaaS subscription billing only. Stripe tokenizes cards; we never see full PANs.
- FluidPay - payment processor for transactions on our customers' tenant installs (their cigar sales). Boxpress does not process or store card data for tenant transactions.
- Resend - transactional and marketing email delivery on behalf of the platform.
- Proof Points - marketing automation engine used by tenants for their own customer communications. Proof Points stores customer email, phone, and contact data to fire workflows triggered by Boxpress events. Proof Points is a sub-processor for tenants who enable it.
- Google Analytics 4 - analytics on the boxpress.io marketing site. Configured with IP anonymization. Data retention set to 14 months.
- Google Search Console - SEO indexing tool for the marketing site. No user data collected.
- Microsoft Clarity - heatmap and session-replay analytics on the marketing site. PII masking enabled (input fields, sensitive text, emails).
- Sentry - error monitoring. PII is scrubbed from error reports before they leave the application.
- Anthropic - AI services for our internal translation pipeline (English to Spanish content translation). Customer Data is not sent to Anthropic.
- Mapbox - public lounge map rendering. Visitors' map interactions are processed by Mapbox under their own privacy policy.
- Persona, Veriff, AgeChecker.net - age verification providers. Tenants bring their own account; PII (driver's license images, etc.) stays with the verification provider, not with Boxpress.
Privacy policies for each sub-processor are linked in the Data Protection Policy at boxpress.io/legal/data-protection.
6. Data Retention
- Account data: for the life of the subscription, plus 7 years after cancellation for tax and audit obligations.
- Customer Data inside an install: for the life of the subscription, plus 30 days post-cancellation for export, then deleted (subject to legally required retention such as PACT Act).
- Platform telemetry: 13 months.
- Microsoft Clarity session recordings: 30 days at Microsoft; 90 days for Clarity-derived aggregate heatmaps.
- Google Analytics 4 user data: 14 months.
- Marketing email lists: until you unsubscribe or 3 years from your last engagement, whichever comes first.
- Support communications: 5 years.
- Backups: 30 days (longer for Scale-tier customers with cross-region replication).
7. Your Rights
7.1 GDPR rights (EU/UK residents)
- Access - request a copy of the personal data we hold about you.
- Rectification - correct inaccurate data.
- Erasure - request deletion (subject to lawful retention obligations).
- Portability - receive your data in a structured, machine-readable format.
- Objection - object to processing based on legitimate interests, including direct marketing.
- Restriction - require us to limit processing while a dispute is resolved.
- Lodge a complaint with your local supervisory authority.
7.2 CCPA / CPRA rights (California residents)
- Right to know - what personal information we collect, how we use it, and who we share it with.
- Right to delete - request deletion of your personal information.
- Right to correct - correct inaccurate personal information.
- Right to opt out of sale or sharing - we do not sell personal information, and we honor Global Privacy Control signals where they apply.
- Right to limit use of sensitive PI - we do not use sensitive personal information for purposes that trigger this right.
- Right to non-discrimination - we will not discriminate against you for exercising a privacy right.
7.3 How to exercise your rights
Email [email protected] with your request. We respond within 30 days (extendable by 60 days for complex cases under GDPR, with notice to you). We may need to verify your identity before fulfilling a request.
8. International Data Transfers
Boxpress is a US company; the marketing site and US-tenant installs are hosted in Railway US-East. EU residents can request EU-West regional hosting at signup. For transfers from the EU/UK to the US, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission and adequacy mechanisms where applicable. We complete a transfer impact assessment for any sub-processor we add.
9. Security
Security overview: TLS 1.3 in transit, AES-256-GCM at rest for sensitive fields, Argon2id password hashing, MFA available, per-tenant Postgres isolation, per-tenant rotating magic-link secrets, daily backups, error monitoring with PII scrubbing, regular adversarial security audits. Full technical detail is in the Data Protection Policy.
10. Children's Privacy
Boxpress does not knowingly collect personal information from anyone under 18. The platform serves the cigar industry, which is restricted to 21+ at point of sale on tenant installs (enforced via the BYO age-verification provider integration). We do not market the service to minors. If you believe a minor has provided personal information to us, email [email protected] and we will delete it.
11. Changes to This Policy
For any material change, we will email every active customer at least 30 days before the change takes effect, post the new version at boxpress.io/legal/privacy, and archive the prior version. The "Effective" date at the top of this page reflects the current version.
12. Contact
Privacy inquiries: [email protected]
Security disclosure: [email protected]
General: [email protected]
Mailing: Boxpress LLC, [STREET], [CITY], [STATE] [ZIP], United States
All four addresses currently route to [email protected]. We will split them as the team grows.
Last updated: 2026-05-04